Communications Crucial to Critical Infrastructure Restoration After Cyber Events, Experts Say

(Washington, DC)  The National Association of State Energy Officials (NASEO) and the U.S. Department of Energy’s Office of Electricity Delivery and Energy Reliability held a two-day Energy Assurance and Interdependency Workshop here to examine the cascading impacts of energy systems on other critical infrastructure.  The workshop examined a number of potential emergency scenarios to role-play how interdependent essential services (such as food, water, finance, transportation) might prepare for a number of emergencies, including sophisticated cyber attacks.

During the second day of the workshop, moderator Jack Eisenhauer of Nexight Group laid out for a panel of experts a complex, fictitious cyber attack that cripples banking institutions, leaving users unable to conduct online financial transactions, while taking down the electric grid within large urban areas across the U.S. and consequently disrupting the delivery of natural gas to electric power plants.

On top of these disastrous impacts, the scenario includes voltage surges in the electric transmission system which flow down to the distribution systems, causing damage to automatic transfer switches and backup generators at many residential and commercial facilities, including the Federal Reserve and banking institutions.  How, the panelists were asked, do you proceed under such a scenario?

Despite the severity of these events, as long as the communications systems still function, damage could be mitigated even under these extreme conditions, the panelists agreed.  "Electricity and communications are really not separate anymore," Patrick Miller, Partner and Managing Principal of the Anfield Group said. "It's a fabric really."

The electric systems can be run manually, particularly at generation facilities, while the cyber incident is investigated and redressed.  "As long as the communication failures didn't occur, they can resume operations," Miller said.

The same thing is true for the natural gas system, according to energy sector security expert Gary Forman. "The manual operation of the natural gas system depends on communications," specifically mobile telephones and land mobile radio.

Transportation also becomes crucial under the hypothetical scenario due to the surge-related physical damage, with particular need for quick delivery of replacement parts and expert personnel.  But, with an incapacitated financial system, transporting equipment and personnel could prove problematic. "Will they even be able to buy gas and swipe their cards?" Forman asked, referring to personnel who must travel in order to make repairs or implement manual operations.

Making repairs to capacitor banks damaged in voltage surges, for example, "requires heavy machinery and big trucks and folks with special training," Miller said.  It would be little surprise, then, if the military stepped in during such a scenario to facilitate restoration.

"We're pretty sure we're going to get the call for support" if the cyber events occur as described, Neil Holloran of the Naval Surface Warfare Center said, particularly if the power outages extend for days. "Beers, bros and barbecues for the first three days and on the fourth day the guns come out," he said.

It could take a week before power is back up, Miller said.  "Under the scenario as designed, [it] looks like we could get it back up within a week."

Coordination is key to restoring essential services, something the financial sector has worked out well through its Information Sharing and Analysis Center (ISAC), Karl Schimmeck, VP of Financial Services Operations, Securities Industry and Financial Markets Association, said.  "That doesn't solve everything, but helps you get the lay of the land," Sara Alexander, Deputy Director of ChicagoFIRST, a regional emergency preparedness organization, said.

The financial services ISAC works well on the national level for cyber incidents, but if physical damage or transportation complexities are involved, regional coordination becomes crucial.  Unfortunately, "if there is something that could replicate the value of the ISAC at the state and regional level, we haven't seen that," Alexander said.

Adoption and Privacy Issues Get Aired at NIST's Fifth Cybersecurity Framework Workshop

Last week in Raleigh, North Carolina, the National Institute of Standards and Technology (NIST) hosted a fifth and final workshop on the development of a comprehensive critical infrastructure cybersecurity framework as the February 2014 deadline for finalizing the ambitious effort draws near.  After an intensive amount of work on a complex and thorny subject, many of the participants, particularly those who participated in all five of the workshops, were in awe over how far NIST has come since it received its marching orders via President Obama's executive order last February.

But as could be expected, there are a lot of issues that have yet to be resolved.  As my latest piece for CSO Magazine spells out, one major question remains unanswered despite the prodigious work by NIST and industry collaborators:  what constitutes adoption of the framework?  Without really good answers to this question, the framework itself could become a hollow exercise that, while representing good thinking and practices, does very little in reality to raise the cybersecurity bar.  The definition of adoption as well as related issues (such as the incentives needed to adopt the framework) got a lot of airtime among the attendees in North Carolina.

A well-organized effort to get NIST to overhaul its latest attempt to incorporate privacy and civil liberty considerations into the framework was one of the more surprising aspects of the workshop.  The framework's privacy appendix is too broad and should be pared down to deal only with privacy matters as they relate to cybersecurity, a number of top infrastructure industry reps said.

NIST has some, but not much, time left to tinker further with the framework before it becomes final.  And the group is still fielding feedback during an open comment period that ends in December.

For more information on the latest workshop, check out my article in CSO.

U.S., Germany, Singapore, Australia, UK & China Top List of Apple Device Data Requests

Apple today released a report detailing, to the extent it can, the number of requests it receives from governments around the globe seeking information on individual users or devices.  Following in the footsteps of Google and other Internet companies, Apple's stated goal with the report is to be as transparent as possible. The timing of the report's release comes amidst growing concern as a result of the Snowden revelations over the degree to which U.S. companies share individual user data, communications and activities with the National Security Agency (NSA).

The Cupertino giant makes an effort to distinguish itself from Google and similar Internet services, noting that most of the government requests are device-related, and that only a small fraction of the requests seek information from online or mobile service accounts such as iTunes or iCloud.  In a statement widely viewed as a thinly veiled dig at the Internet search provider, the report states "our business does not depend on collecting personal data. We have no interest in amassing personal information about our customers."

Moreover, the data Apple does present on these "account" requests reveal little about NSA or national security requests because the U.S. government bars the company from presenting this information in anything other than consolidated ranges of 1000s.  The bulk of the account requests, however, do come from U.S. authorities, whether local or national law enforcement or intelligence agencies.  Very few come from other nations (perhaps because, as Apple notes, law enforcement agencies outside the U.S. must first go through U.S. legal channels before obtaining account information.)

Interestingly, Apple says it has not received any of the so-called 215 requests at the heart of so many of the NSA controversies.  Section 215 of the Patriot Act allows the U.S. government to petition the Foreign Intelligence Surveillance Court to issue demands for user data from service providers.  "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us," the report notes.  (Some commenters are suggesting that this statement is Apple's "warrant canary," namely that Apple is going on the record to say that it has never received a Section 215 warrant only to remove such a statement in future reports in the event it does receive a warrant.  Apple, like other service providers, is legally barred from disclosing the receipt of these demands.)

The more interesting data are what Apple calls device information requests, none of which reflect national security-related requests and many of which originate with device owners themselves working in conjunction with local law enforcement.

The table below lays out these requests by country, in order of frequency.  The U.S. tops the list in terms of frequency of requests (3,542) followed by Germany (2,156), Singapore (1,498), Australia (1,178), United Kingdom (1,028) and China (585).  Apple provides data in response to these requests most of the time -- but not always.

For example, in Japan there were 106 requests for device data during the first six months of 2013, but Apple only provided some data in 12 of those cases - a mere 11%.  In Taiwan, Apple received 81 government requests but only provided some data in 12% of those instances.

It's possible that in these situations the requests were related to mass device theft and thus data on the device owners was not relevant.  In Brazil, for example, Apple received 34 requests related to 5,057 devices but five of those 34 requests involved stolen cargo.  In Brazil, Apple provided data in only 6% of the cases.

Public-Private Partnership, Information Sharing Key to NIST Cybersecurity Framework Success

(Washington, DC)  Improving private sector relations with the government, particularly in the area of threat information, will be central to the future success of the cybersecurity framework issued last week by the National Institute of Standards and Technology (NIST), according to a panel of industry representatives speaking at a Bloomberg Government cybersecurity conference here today.  That framework was developed pursuant to an executive order signed by President Obama last February and is slated to be final under the order by February 2014.

When asked to rate the still-preliminary framework on a scale of one to ten in terms of how well the public-private partnership has worked so far in developing the framework, Dean Garfield, President and CEO of the Information Technology Industry Council, rated the effort an 8.5.  "What was surprising to me is that there is broad consensus on policy issues," he said.

"It's improving, it's moving toward the higher end" of the scale, Robert Mayer, Vice President of Industry and State Affairs at telecom trade association USTelecom said.  "The grade is obviously incomplete [but] I'm encouraged by the direction we're moving in," Internet Security Alliance CEO Larry Clinton said.

Jeremy Bash, Managing Director of policy consulting firm Beacon Global Strategies, however, rated the effort as merely a three "because there is a huge disconnect with industries.  For the vast majority of enterprises, this issue is not yet on the radar screen." Most industries "fundamentally want one thing - they want the government to share sensitively derived threat [information]," Bash said.

Incentives, which are also addressed separately in the executive order, are also key determinants of how well the framework will be adopted.  One important incentive is to improve information sharing between the government and private sector, Garfield said.  "Making sure we have the capacity and communication internally within the administration and the government to share and make use of the information that has been shared," is crucial.

The problem is going to be that many incentives, including some of the liability protections needed for effective information sharing, will require statutory authority, necessitating an act of Congress, a very difficult feat given the current legislative environment, Mayer said.  One big problem with threat information sharing is that "the government doesn't want to share data because they are afraid the source of the data will come out," Clinton said.  "The thing is industry doesn't care about the source.  So take the source data out."

NSA's Alexander: Infiltration of Yahoo, Google Data Centers 'Never Happened'

(Washington, DC)  Gen. Keith Alexander, Director of the National Security Agency (NSA), denied today a Washington Post report that the intelligence agency has secretly broken into communications links that connect Yahoo and Google data centers around the world.  Speaking at a Bloomberg Government cybersecurity conference, Alexander was--within minutes of the report's publication--asked about this latest bombshell revelation stemming from the documents obtained by former NSA contractor Edward Snowden.

"Not to my knowledge. That has never happened," Alexander said when asked if it's true that NSA secretly infiltrates the two Internet giants' networks.  Alexander's further denial seemed to be premised on the erroneous notion that this latest report dealt with court orders for surveillance data from the Foreign Intelligence Surveillance Court (FISC), an entirely different and legal, although murky, form of NSA data collection that came to light earlier this year.  "Those companies are compelled to work with us," he said. "These are specific requirements that come via court order....We go through a court order, we issue that order to them through the FBI."

Both the Washington Post and The Guardian began their series on the Snowden documents by revealing a "front door" NSA program called PRISM, under which NSA petitions the FISC to obtain user data from Internet companies, including Google and Yahoo.  However, today's Washington Post report reveals a secret initiative under which NSA uses a data extraction tool called MUSCULAR, which is operated jointly with GCHQ, the British intelligence agency.

Although Yahoo and Google are aware of and comply with the FISC orders, even while sometimes fighting them, both companies express in the Post article surprise and anger over the possible infiltration of their data communications links without their permission.  Those links are not encrypted (Google is in the process of putting that measure into place) but the NSA seemingly did have to infiltrate what the Post calls "gold standard" security measures to gain access to the companies' networks.

F-Secure CRO Urges EU Countries to Steer Away from U.S. Built Systems

Cybersecurity expert and Chief Research Officer for Finnish software company F-Secure Mikko Hyppönen today urged EU countries to steer clear of U.S. software and services in light of the ongoing revelations that the NSA engages in mass surveillance of EU citizens and officials.  Speaking at TEDx Brussels on a day when the latest Snowden disclosure revealed that the NSA collected data on 60 million phone calls in yet another European country, Spain, during a recent month, Hyppönen said EU countries should "try to steer away from systems built in the United States."

The big challenge is that "any single company in Europe cannot build replacements" that rival U.S. technology in terms of scope and utility.  The solution lies in EU countries banding together to build open source systems "then one country doesn't have to solve the problem by itself," Hyppönen suggested.

Although all countries engage in surveillance, the real problem lies in the concentration of technological dominance in the United States.  "How many Swedish decision-makers use U.S.-based services" such as Windows or cloud-based services every day, he asked. Conversely, "how many American leaders use Swedish-based services?"

Even services developed outside the U.S., such as Skype, become subject to insecurity once they're acquired by American firms within the reach of the NSA, he said.  "Once again we take something that is secure and make it insecure on purpose."

Even though the NSA only has the legal right to monitor foreigners, "96% of the planet is foreigners.  It is wholesale surveillance of all of us," Hyppönen said.

Regarding the apparent discrepancy between leaked NSA slides that indicate U.S. technology companies, such as Microsoft and Google, cooperate with the intelligence agency via backdoors or some other means of secret access and those companies' denials that such cooperation exists, Hyppönen floated an alternative explanation.  "One explanation is that these parties or service providers are not cooperating but they've been hacked.  In this case they've been hacked by their own government."

Regarding the massive scale of NSA's surveillance activities, Hyppönen compared the new NSA data center under construction in Utah to IKEA stores, saying the new center is five times larger than the largest IKEA store. "How many hard drives could you fit into an IKEA store?" he asked.  "They can keep the data for decades."

The two biggest technological revolutions in recent history, the Internet and mobile communications, "turned out to be the most perfect tools for the surveillance state," Hyppönen said. "It turns out George Orwell was an optimist."

NIST Cybersecurity Framework Is Improved But Best Part Is the Community It Has Created

The National Institute of Standards and Technology (NIST) released on Tuesday its "official" preliminary comprehensive critical infrastructure cybersecurity framework as required under President Obama's February executive order, and most people involved say it's an improvement over previous versions.

After talking to a number of the key participants in the framework process, I noticed that despite the varied and widespread critiquing of the framework from a diverse and often fractious bunch of cybersecurity specialists, lawyers and engineers, one thing stood out:  the framework has created a community of people willing to collaborate on cybersecurity for the common good.

As one participant noted, "what we've developed is a framework for people working together." Unfortunately the framework itself still falls short in terms of actually improving cybersecurity in the eyes of many participants.  But there's still time for more changes before the framework is finalized in February...and will probably continue changing well after that.

Here's my latest take in my ongoing series on the framework for CSO Magazine.  Check it out.

House Intel Committee Chairman Sees a Path Forward for CISPA

The controversial Cyber Intelligence Sharing and Protection Act (CISPA), which would pave a clear legal path for private companies to share more cyber information with the federal government, is a "little ill" but not "dead yet," House Intelligence Committee Chairman Mike Rogers (R-MI) said today. Speaking at an event hosted by the Center for Strategic and International Studies (CSIS), Rogers said that despite the "perception" damage caused by former NSA contractor Edward Snowden "we think there is some hope we can continue to move this particular piece of legislation."

The Senate is working on introducing a revised version of CISPA and Rogers said that he has been working on "confidence builders" to overcome some of what he characterized as misperceptions regarding some of the privacy concerns in previous bills.  "I do think there is a path forward on this.  I don’t believe we can walk away from this most [urgent] security threat to the United States that we are not prepared to handle."

Rogers also said that Congress is working on a package that would reform the security clearance process in the wake of revelations that Edward Snowden, Chelsea Manning and the Navy Yard shooter all had high-level security clearances.  "We’re putting together a package now of changing from a 1950s style 'is candidate A a good American?' [to] a more dynamic review for individuals who are seeking security clearances."

On the other hand, expedited security clearances for the private sector are important given that most assets which need to be protected are in private hands, according to Michael Hayden, former NSA and CIA Director. "The private sector really needs to have clearances and it can’t be stingily metered out by ones and twos by a government that is thinking 'this is fundamentally our stuff,'" Hayden said.

Rogers also defended the NSA's interception of French citizens' phone calls, the latest bombshell report flowing from the Snowden leaks.  Terrorists and criminals "use French networks, they use U.S. networks. They don’t care about borders or treaties," he said. "They will use any and every network on the face of the earth.  It would be irresponsible for our agencies not to pursue them where they work."

Former Homeland Security Secretary Michael Chertoff echoed Rogers' comments.  "It shouldn't be surprising that that activity occurs.  You can move the electrons around the world multiple times and it’s always difficult to prove where something comes from."

The security threats in cyberspace are growing rapidly, with some nation-states, such as Iran and North Korea, gaining greater sophistication while the number of potent non-state actors continues to multiply, according to Senior CSIS Fellow James Lewis.  Citing an EU representative, Lewis said there are twenty to thirty high-end criminal groups that have the capabilities of nation-states.

"Most of them live in countries that begin with 'R', and it's not Romania," Lewis said. Moreover, "we’ve seen the commoditization of cyber attacks.  People will be able to go online and buy tools that let them go after targets."

Former DHS Deputy Secretary Lute: We're Not Prepared for an American Blackout

(Washington, DC)  Former Deputy Secretary of Homeland Security Jane Holl Lute said today that the country has a lot more work to do to prepare for the fallout of a catastrophic cybersecurity event, such as a widescale attack on the nation's power grid.  "We're not nearly as prepared as we need to be," she said during a panel discussion following the premiere of National Geographic's American Blackout, which grimly portrays the fictionalized aftermath of a major cyber attack on the U.S. electric system.

A complete breakdown in the U.S. power sector isn't a likely scenario though, according to Scott Aaronson, Security Director for EEI, a trade association for the electricity industry.  "We're the only sector with mandatory cybersecurity standards," he said, referring to the Critical Infrastructure Protection standards mandated by the North American Electric Reliability Corporation.

And the kind of social breakdown depicted in the film could occur if any one of a number of U.S. critical infrastructure sectors were crippled.  "Deprive us of food, deprive us of water, deprive us of telecom and you're going to have the same impact," Aaronson said.

"If you would have asked me, can [a total American blackout] happen, I would have said 'not very likely,'" former CIA and NSA Director Michael Hayden said, referring to his years as the head of those agencies. Hayden also discussed how there are a growing number of strategic weak points in the nation's defense capabilities because cyber technology has pushed the capability to inflict serious damage, a power once reserved for nation states only, down to individuals.

To survive a catastrophic event, whether triggered by a cyberattack or some other calamity, you have to create elasticity in the disaster recovery system, according to Richard Reed, SVP of Disaster Cycle Services for the Red Cross.  Reed too characterized the massive blackout of the film as unlikely but said "there is always an attraction to low probability, high consequent events."

Real recovery from any disaster lies at the community level, Robert Bristow, Medical Director of Emergency Management at New York Presbyterian Hospital said.  Many communities thrived in Japan following the Tohoku earthquake and tsunami, which triggered a subsequent nuclear disaster.  "In Japan, the communities had resilience."

Could Attackers Really Bring Down the Power Grid With This Widely Used Protocol?

Just in time for the premiere of a National Geographic movie that portends what might happen to the U.S. in the event of a widescale cybersecurity attack on the power grid, researchers are spreading the word regarding potentially devastating vulnerabilities in a communications protocol widely used in U.S. electric, water and other critical infrastructure.  These vulnerabilities could in theory disable control servers for major portions of the electric grid, leaving utility operators with little to no visibility into power delivery and allowing attackers to control the grid.

Vulnerabilities identified by researchers Chris Sistrunk and Adam Crain stem from the use of an industrial control system protocol called DNP3, which enables SCADA (supervisory control and data acquisition) systems to communicate between master control centers and remote units, such as substations through which electric power flows.  By gaining access to the remote units, either physically through break-ins at the units or, less frequently, remotely through wireless technology, attackers can leverage buggy implementations of DNP3 to send bad data or messages back to the utility's control servers, potentially crippling electric utilities' control over their networks.

"You get one bad packet and you can’t talk to a hundred things," Crain, who is a software researcher and founder of consulting firm Automatak, said.  "You can’t see what’s going on, you can’t do anything."

Crain concedes that most of the attacks enabled through the vulnerabilities that he and Sistrunk have identified are not likely to give the attackers actual control of the networks, but merely eliminate visibility from the control center into the network.  "The majority of them [are likely] to be DoS [denial of service attacks]," he said. "Honestly right now I think the risk [of attackers taking control of power networks] is pretty low but the bar is constantly dropping so people are taking more and more interest in this stuff."

However, he warns, "if you can get into the control center of a major investor owned utility, all bets are off. Some of them serve multiple states" and all an attacker has to do is exploit the vulnerabilities of a few major utilities to attack the bulk of the American electric grid.

Neither Crain nor Sistrunk, who is a utility telecommunications engineer, is a cybersecurity specialist. Crain discovered the vulnerabilities through serendipity last April when he was testing an open source implementation of DNP3 protocols that he wrote.

The researchers alerted DHS and the various industrial control security information sharing bodies about the vulnerabilities and have mounted a project called Robus to keep track of these and other potential areas of exploit.  It's not the protocol itself, which can be purchased off the Internet from the standards body for $500, that's the problem, Crain said.

The vendor implementations of DNP3 create the vulnerabilities. "In theory there is nothing wrong with the protocol.  There are just bugs in what vendors have implemented."
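
As an added illustration (not code from this article, from Crain and Sistrunk, or from any vendor), the sketch below shows the defensive side of "one bad packet": a receiver that checks a DNP3 link-layer frame's start octets, length field and CRCs before using any payload, and drops a malformed frame without losing the session. The function names, addresses and sample frames are constructed for this example, and the framing details (0x05 0x64 start octets, 16-octet data blocks, CRC-16/DNP) are taken from the public description of the protocol, not from the article.

```python
import struct

START = b"\x05\x64"   # link-layer start octets
HEADER_LEN = 10       # start(2) + length(1) + control(1) + dest(2) + src(2) + CRC(2)
BLOCK = 16            # user data travels in blocks of up to 16 octets, each followed by a CRC


class FrameError(ValueError):
    """Any validation failure; the caller drops the frame and keeps the session alive."""


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), initial value 0, complemented result."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Build a well-formed frame. Used here only to construct sample input."""
    if len(user_data) > 250:
        raise ValueError("at most 250 octets of user data fit in one frame")
    header = START + struct.pack("<BBHH", 5 + len(user_data), ctrl, dest, src)
    out = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + struct.pack("<H", crc16_dnp(block))
    return out


def parse_frame(buf: bytes) -> dict:
    """Validate every field before trusting it; never index past what was actually received."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated header")
    if buf[:2] != START:
        raise FrameError("bad start octets")
    length = buf[2]                      # counts control + addresses + user data, not CRCs
    if length < 5:
        raise FrameError("length field below minimum")
    if struct.unpack_from("<H", buf, 8)[0] != crc16_dnp(buf[:8]):
        raise FrameError("header CRC mismatch")
    ctrl, dest, src = struct.unpack_from("<BHH", buf, 3)
    remaining = length - 5
    blocks = (remaining + BLOCK - 1) // BLOCK
    # The declared length must agree with the bytes on the wire before any block is read.
    if len(buf) != HEADER_LEN + remaining + 2 * blocks:
        raise FrameError("frame size does not match length field")
    user, pos = bytearray(), HEADER_LEN
    while remaining:
        n = min(BLOCK, remaining)
        block = buf[pos:pos + n]
        if struct.unpack_from("<H", buf, pos + n)[0] != crc16_dnp(block):
            raise FrameError("data block CRC mismatch")
        user += block
        pos += n + 2
        remaining -= n
    return {"ctrl": ctrl, "dest": dest, "src": src, "user_data": bytes(user)}


def receive(frames):
    """Process frames in order; a malformed one is recorded and dropped, later ones still parse."""
    accepted, rejected = [], []
    for raw in frames:
        try:
            accepted.append(parse_frame(raw))
        except FrameError as exc:
            rejected.append(str(exc))
    return accepted, rejected


def sample_frames():
    """Constructed input: two good frames around four malformed ones."""
    # 0x44: PRM bit set, function code 4 (unconfirmed user data); addresses are arbitrary.
    good = build_frame(0x44, dest=1, src=1024, user_data=bytes(range(20)))
    lying = START + struct.pack("<BBHH", 255, 0x44, 1, 1024)    # claims 250 data octets
    lying += struct.pack("<H", crc16_dnp(lying)) + b"\x00" * 4  # but carries only 4
    short_len = START + struct.pack("<BBHH", 2, 0x44, 1, 1024)  # length below the minimum
    short_len += struct.pack("<H", crc16_dnp(short_len))
    flipped = bytearray(good)
    flipped[12] ^= 0xFF                                         # corrupt one data octet
    return [good, lying, short_len, bytes(flipped), good[:7], good]


if __name__ == "__main__":
    ok, bad = receive(sample_frames())
    print(f"accepted {len(ok)} frames, rejected {len(bad)}: {bad}")
```

The frame whose length field claims more data than was received is the case that matters most: the size check runs before any block is read, so the declared length is never used as an index on its own.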

As of today, Robus notes that only nine of 25 vulnerabilities discovered have been patched by the vendors.  The original number of discovered vulnerabilities was sixteen and it's probable that more vulnerabilities are yet to be uncovered.

Crain and others don't believe critical infrastructure providers, particularly utilities, will move quickly to close these security holes until regulatory forces press them to do so.  Ironically, the main cybersecurity quasi-regulatory authority in the electric utility industry, NERC (North American Electric Reliability Corporation), which has a series of cybersecurity critical infrastructure protection (CIP) standards that utilities must follow, specifically excludes serial communications technologies, of which DNP3 is one, from its requirements.  "Until someone tells them, someone like NERC steps up, I don’t expect large industrial owned utilities to react," Crain said.

In the meantime, the number of remote units that are potentially vulnerable to this kind of attack could be staggering although no precise numbers are available.  Based on research I conducted in 2009 for a different purpose, there are an estimated 74,120 substations in the U.S. if the sample in my study, which represented utilities serving around a quarter of all U.S. electricity customers, is good.

Of these substations, around 51% were connected by some form of communications, a ratio likely to be far higher today.  But even assuming 51% connectivity, that's still around 37,800 potential threat vectors. No data exists on how many of these substations use DNP3, although one utility security expert suggested that the latest numbers he saw put the figure at 30%.

If that's a good number (and it's probably low because utilities tend to use the older communications technologies for which DNP3 is used, such as dial-up modems, microwave or 900 MHz platforms) that's 11,340 power grid substations through which attacks can be launched.

Moreover, as the same utility security expert noted, there could be potentially thousands more remote units that aren't substations, such as devices atop poles, that use vulnerable DNP3 implementations.  On top of everything, water systems, oil and gas pipelines use the same implementations and aren't counted in this number.

All it takes is one vulnerable point in any utility's network to send bad data back to the control system, and few utilities have robust physical protection of their substations or other remote units.  As one expert noted, unless the unit is a manned facility (generation or inspection station) or has been deemed a critical asset by NERC, the sole security is probably an easily climbed chain-link fence or a locked equipment cabinet that can be quickly picked.

Video surveillance of remote sites, if any, is typically limited to equipment racks and frequently has blind spots.  Even the alarm systems on substations are controlled by DNP3-enabled technology, Crain said, so that attackers can block alerts to the control facility that a break-in has occurred.


Cybersecurity Leader Offers Alternative Version to NIST Framework

Phil Agcaoili (pronounced "Agg-Ca-Willy") is doing his best to push things forward with the cybersecurity framework process underway at the National Institute of Standards and Technology (NIST). The much-lauded cybersecurity leader, who sold his first cybersecurity company to Verisign for $70 million in 1998, making him a comfortable man in his mid-20s, has made a public shot across the bow of NIST's effort to craft a comprehensive cybersecurity framework for critical infrastructure as mandated under President Obama's February 2013 cybersecurity executive order (EO).

At midnight last night, Agcaoili posted on the Internet his own draft cybersecurity framework (download spreadsheets here) that he contends is a simpler, better version of the one that NIST has been working on since February.  He said that his framework, which he has vetted with the top cybersecurity professionals and standards-setting bodies in the world, actually meets the EO's goal, which is to produce a "prioritized, flexible, repeatable, performance based, and cost effective" scheme.

The timing of Agcaoili's release is no coincidence - under the EO NIST was required to publish a draft of its framework in 240 days, or on October 10th, yesterday.  Due to the government shutdown, NIST has ceased all work on the framework, which must be finalized by February, and has shuttered its framework website (see image above).  If NIST aims to meet the February deadline despite the delay, as some reports indicate, there is little time to make effective changes in the framework, which, while currently voluntary, could ultimately become mandatory for many critical infrastructure industries through regulatory machinations.

"We're not shutting down on the Internet," Agcaoili said, referencing the fact that interested commenters no longer have access to the materials that NIST has developed and on which NIST is seeking public comment. Agcaoili said he released his alternative framework as a private citizen.

"I was making a statement on many levels on what a private citizen can do, what the government doesn't have to do," he said.

Agcaoili is echoing the view held by many cybersecurity practitioners inside critical infrastructure entities (as opposed to Washington representatives or Beltway consultants or government officials) that the NIST framework is simply "reinventing the wheel" and will make cybersecurity more, not less, difficult.  He said his framework consists of nothing more than well-honed cybersecurity components that already "exist in the wild" and for which most critical infrastructure entities already seek certification.

Specifically, Agcaoili's framework hinges on six core schemes:  ISO/IEC 27001-2005, COBIT 4.1, NIST SP800-53 R3, CCS CSC, NERC CIP and ISA 99.  In addition, he has factored in three key privacy standards -- GAPP (August 2009), AICPA TS Map, AICPA Trust Service Criteria (SOC 2SM Report). The latest version of the NIST framework is generic when it comes to privacy, despite the EO's requirement that NIST ensure privacy requirements are built into the framework.

"If you’re already following SANS, if you’re already following ISO, if you’re already following NERC-CIP you’re following the framework," he said.  "We've done it in the industry all along."

Much of Agcaoili's framework is based on technical "mapping" work performed by the Cloud Security Alliance (CSA), which has attempted to pull together the sometimes incoherent mass of cybersecurity standards into a comprehensible whole so that cybersecurity professionals can more easily know how to secure their networks and systems.  Agcaoili began to vociferously promote a CSA-type approach in San Diego in July at one of the four workshops NIST has held since the EO was signed.

He said he does have the support and backing from a host of cybersecurity luminaries and standards groups. Agcaoili named these individuals and groups--and they are impressive--with the same rapid-fire and encyclopedic knowledge he uses to discuss the vast, arcane and complex world of cybersecurity standards and practices.

Asked why he has taken this bold step, Agcaoili said "so that people can pick it up and use it.  So we can actually defend our country and stop all the fracturing that’s going on."

Note:  This headline and some of the article text have been modified since its original publication.

Rogers, Hayden: NSA Does Not "Assassinate" People

(Washington, DC)  The National Security Agency (NSA) does not "assassinate" people, House Intelligence Committee Chairman Mike Rogers (R-MI) and former NSA and CIA Director Gen. Michael Hayden said today.  Addressing hints from journalists Glenn Greenwald and Jeremy Scahill that they are working on a new bombshell, based on documents obtained by former NSA contractor Edward Snowden, which seemingly implicate NSA in "assassination programs," Rogers said at a Washington Post Cybersecurity Summit today that "to say that the NSA is participating in assassination attempts is completely inaccurate and completely inflammatory."

"I saw Greenwald pushing his equivalent of a movie trailer and I said 'oh this must be interesting because I have no idea what he is talking about,'" Hayden said.  "Assassination is a technical term.  It is forbidden by executive order.  We do do targeted killings against enemy combatants because that is an act of war." Potentially leaving room for interpretation regarding NSA's role in either type of killing, Hayden added "I do hope we make full use of the NSA when we do that."

In terms of Snowden, Rogers said that the revelations flowing from the materials given to Greenwald and others have damaged U.S. security. "It is significant and in many cases irreversible...we have seen many Al Qaeda affiliates change how they do things."

Rogers was skeptical that Snowden could have obtained the extensive set of documents without help, strongly implying that Snowden had the backing of a foreign power, ostensibly China or Russia, two countries to which Snowden fled after leaving the U.S.  "I still think there is a lot of unanswered questions here--when you look at the kinds of information he had--there are some things in there that don't quite add up.  It sure raises more questions than it answers."

While not going as far as Rogers, Hayden said that Snowden was clearly methodical and calculating in his efforts.  "This was a sustained long term campaign that he had undertaken in order to take this information and in fact moved from job to job to facilitate taking this information."

Most governments engage in the kinds of digital intelligence activities that the Snowden documents have exposed but are far less likely to protect civil liberties, Craig Mundie, Senior Advisor to the CEO of Microsoft said.  "Virtually every kind of government in the world does the same kind of things [but] they do it with less discretion."

The motivations of the U.S. intelligence apparatus and the reasons other nations engage in digital spying also differ, according to Hayden.  "I ran NSA, we steal stuff.  We steal things to keep our nation free and our citizens safe.  We don't steal things to make people rich," he said.

Whatever the case may be, it's clear that cyberspace is becoming a more dangerous place all around.  "In the last twelve months there has been a qualitative change where the threats have become more destructive threats," Microsoft's Mundie said.

And U.S. companies are relatively defenseless.  "It's illegal to chase guys up the wire and certainly to shoot the U.S. there is no legal basis for self-defense on the net," Mundie said.

Rogers, however, quickly rebutted the idea that companies such as Microsoft should ever take things into their own hands.  "I am very concerned about getting into the notion that we should unleash companies who have the capabilities...because we can't deal with the consequences."

Alexander, Rogers Appeal for Cybersecurity Legislation While Lute Says It's a Sure Thing

(Washington, DC) National Cybersecurity Awareness Month is not even upon us yet but the DC hype meter tilted into the red today with three dueling cybersecurity events, each populated by prominent panelists who propounded on their pet topics and theories surrounding the state of systems security.  Some attendees moved from event to event throughout the day, catching one set of speakers and then moving on to the next venue.

The speakers across all three events ranged from the highly technical to the highly political, with most emphasizing the need for better cybersecurity policy and practices.  If one common theme emerged across the two dozen-plus speakers and panelists it is the need for a cyber bill which, at the minimum, facilitates information sharing and encourages better conformance to good cyber schemes.

One day-long event was hosted at the National Press Club (keynote videos here) and generated the most buzz due to its opening keynote speaker, embattled National Security Agency (NSA) Director Keith Alexander.  Alexander first castigated what he considered the media leaks flowing from former contractor Edward Snowden and then shifted into a plaintive plea for help from the public and private industry in maintaining the vast electronic intelligence apparatus his agency has built.

"We first have to address media leaks," Alexander said.  Speaking of the call records collection authorized by the Foreign Intelligence Surveillance Court, Alexander attempted again to explain, as he has many times over the past several months, that media coverage has distorted the kinds of information NSA collects, reiterating that the bulk of the collection focuses on metadata, comprising call details such as date, time, length of call, and not on the content of the calls.  "It’s been sensationalized and inflamed in much of the reporting that we’re listening to people’s calls and reading their emails.  That’s flat wrong."

Alexander frequently asked for help and support in maintaining NSA's activities, saying that the security of the nation depends on the efforts of his and other intelligence groups.  "Our mission is to have to defend this country," he said.  "We can’t do it without your help and without the tools that the nation needs."

He also appealed on behalf of those Internet and technology companies that supply data to NSA, stressing that they only do so under court order.  "Industry isn't driving up to NSA, dumping off U.S. persons' or foreign person's data to us," he said.  "What they’re doing is they’re providing what the courts have directed for them to provide."

He walked through a series of statistics about the "incidents" or "violations" that have occurred with the data NSA collects, saying that only 5% involve U.S. persons, and even then mostly involve typos and not deliberate privacy invasions.  Most of the NSA personnel engaged in the violations either retired, resigned or were appropriately admonished.  "What that means for you and the American people is that you are guaranteed that we will do everything we can to protect your civil liberties and your privacy and defend this country," he said.

At one other big cybersecurity event, hosted by the U.S. Chamber of Commerce, House Intelligence Committee Chairman Mike Rogers (R-MI) bemoaned how much more difficult it now is to pass cybersecurity legislation due to the controversy triggered by the Snowden leaks.  Rogers, like Alexander, hopes that Congress can move past the drama and enact effective cybersecurity legislation.

He was specifically referring to a bill he co-sponsored, the Cyber Intelligence Sharing and Protection Act (CISPA), which would facilitate cyber threat information sharing.  "I haven't given up on CISPA," Rogers said.

At the third cybersecurity event of the day, hosted by DC lobbying and law firm Venable, Jane Holl Lute, CEO of the Council on CyberSecurity and former Deputy Secretary of the Department of Homeland Security (DHS), said that cybersecurity legislation is practically a sure thing.  "I think it's a near certainty that there will be legislation regarding cybersecurity," she said.

A big factor that will drive Congress is the failure of the marketplace to provide adequate security in the cyber realm.  "Of those who say they want to keep government out, government will step in...because frankly we're at an unacceptable level of vulnerability and the market is not taking care of that," Lute said.

NIST Cybersecurity Framework Subject to Major Work Ahead of Public Comment

The National Institute of Standards and Technology (NIST) is racing the clock to whip into shape the comprehensive cybersecurity framework mandated by President Obama's February executive order.  As my most recent piece for CSO Magazine highlights, critical infrastructure providers say there is a lot of work to get done before the framework, a first-time government effort to bolster better cybersecurity across all critical infrastructure, is published in the Federal Register on October 10 and put out for public comment.

The final framework is due in February, but when it comes to the constantly changing world of cybersecurity, the framework could keep evolving indefinitely.  As Patrick Gallagher, the head of NIST, said, "in my view the framework is never finished."

Check out the full article here.

NIST's Latest Draft Cybersecurity Framework: Not Yet Ready for Primetime

The National Institute of Standards and Technology (NIST) released the latest version of its draft cybersecurity framework on August 28 and the reviews are...mixed.  The voluntary framework, mandated under President Obama's February executive order and intended to help critical infrastructure providers establish better cybersecurity programs, needs a lot more work, experts say, despite the greater detail NIST provided between versions one and two of the document.

But little time remains between a final workshop on the framework that NIST will host in Dallas next week and the October 10th deadline for publishing the preliminary framework in the Federal Register.  Read my latest take on the framework in this article commissioned by CSO Magazine.

Image from the August 28th document released by NIST.

China Not Out to Destroy the Electric Grid or Other Networks, Former NSA, CIA Director Hayden Says

U.S. networks, including the electric grid, are less threatened by cyber attacks from nation-states than from damage inflicted by rogue entities such as web activists, former CIA and NSA Director Michael Hayden said today.  And although China is a major cyber threat from an economic perspective, it does not seem a likely source of destruction to U.S. networks.

"Without question the country that is out there stealing most of our stuff is China," Hayden said at a Bipartisan Policy Center conference on protecting the electric grid from cyber threats.  "There is evidence that they are out there on SCADA networks as well as just penetrating networks just to steal our stuff."

But, Hayden said, "frankly I find it hard to imagine circumstances where China would want to do something incredibly destructive to any American network, the grid, absent a far more problematic international environment in which the cyber attack itself is part of a larger package of really, really bad things."

The real threat to the grid and other networks may not be nation-states such as China or criminals out to make a buck but unpredictable rogue players, including terrorist groups and web transparency activists. "Sooner or later governments can be held to account.  Fundamentally criminals want to make money and they enter into a symbiotic relation with the host," Hayden said.

Those loosely defined players, though, are "beginning to acquire capacities that a year or two or three ago we equated with the more competent groups" and their "demands may be unsatisfiable," according to Hayden. "This is going to get worse before it gets better."

The philosophy embedded in the U.S. Constitution makes it hard to create adequate cyber defenses because "we have not yet created a consensus as to what we want our government to do...or what we will let our government do," Hayden said.  "I’m willing to accept the proposition that forever the United States will have one of the least well-defended networks on this planet because of James Madison and Alexander Hamilton and all of those good folks who wrote the Federalist papers."

Addressing the revelations flowing from the leaks of former NSA contractor Edward Snowden, Hayden said that the ensuing fears of an overly aggressive government will "freeze" the government's ability to protect private industry and that private industry must learn to protect itself.  "The next sound you hear will not be a bugle and the sound of pounding hoofs as the federal cavalry comes over the ridge line to your rescue," he said. "To the degree that you never expected it down here in the physical domain, you are responsible for your safety in the digital domain personally and corporately."

The federal government, though, needs to step up its cybersecurity efforts, particularly in the arena of information sharing, electric industry representatives speaking at the same event said.  Speaking of state regulator capabilities for addressing cybersecurity issues, Doug Myers, CIO of Pepco Holdings, said "if the conversation at the state level could be informed by a clear and compelling federal vision…I think would be very helpful."

"The issue has to be addressed at the federal level," Ed Goetz, VP of Corporate and Information Security at Exelon said. "I think the president’s executive order opened the door to this possibility."

However, information sharing works best as a two-way street, Scott Saunders, Information Security Officer at Sacramento Municipal Utility District said.  "If we pull together in a more cohesive manner we can provide information back to the government about what is happening to us."

Is it “Cybersecurity,” “Cyber Security” or (Please No) “Cyber-Security?” I Asked the Experts.

While conducting a search of a government database, I encountered a problem all too common for those interested in the topic of security in the digital realm.  Namely, the frequency with which the topic is spelled and written in three different ways –  “cybersecurity,” or “cyber security” or, far less frequently, “cyber-security.”

In conducting my search, I realized that my analysis would be inaccurate and incomplete if I didn’t search at least three different ways using the three different spellings.  Frustrated, I tweeted that we should all settle on one common spelling and I picked cybersecurity for ease of use.

That was not the right answer, it seems. One immediate response I received, from Jeffrey Carr, CEO of Security Firm Taia Global and author of Inside Cyber Warfare:  Mapping the Cyber Underworld, was to stop making up words.

The problem is that the world is making up words, not me, and there is almost no consistency among writers, scientists, official government usage, corporations or anybody else about the proper spelling for a word or phrase that everyone is using a lot these days.  While it might seem merely annoying and trivial, the answers you receive when searching for information on this topic can vary depending on how you spell the term.  In my case, the data I was compiling told me something completely different if I only used one or the other phrase – I would have reached the wrong conclusion if I didn’t take the extra steps to conduct three different searches.

It really doesn’t matter which resource you turn to, Google or scientific or engineering or government databases, the variation in spelling poses problems.  Searches on Google produce different, and differently ranked, results depending on how you spell it.  Here’s what you might think the top news items were this morning if you conducted a Google search for “cybersecurity:”

Here’s what you might think the top news items were this morning if you conducted a Google search for “cyber security:”

And forget searching on “cyber-security.”  Here's a search I conducted yesterday which features in the top three news items all three variants of spelling and usage.

But what if you’re searching for technical information on the topic, where the difference in results might matter more?  The same annoying outcome occurs – what you see depends on how you spell it.  Here are the top three search results from the IEEE database using “cybersecurity.”

Here are the top three search results from the same database using “cyber security.”  No overlap at all and differently prioritized answers.

Hoping to contribute to clarity on this problem and advocate a single solution, I polled some of the top experts on neologisms, the creation of new words, to see if there is a correct usage that we can huddle around over time.  Here are the answers I received:

Suzanne Kemmer, Associate Professor of Linguistics at Rice University:
From the standpoint of the usual lexical conventions, cybersecurity is better, because 'cyber' is not a free-standing word but instead what linguists call a bound morpheme - a combining form used to form new words. It is of Classical Greek origin like many of our scientific and technical vocabulary elements-- and the usual pattern for such borrowings is to combine them with other elements into one word. Bio, neo, photo are all parallel examples - when made into new compounds they are written together with the element following: not bio informatics but bioinformatics, etc.

Sometimes a group of specialists will make their own convention, but the language at large typically doesn't follow it because there are so many instances of the more general pattern. It looks like that has happened in the technical community in this case. They probably don't know the general lexical patterns of English and just have made their own specialists' convention. I predict that for this word the general (one-word) pattern will win out in the language at large.

David K. Barnhart, Editor, The Barnhart DICTIONARY COMPANION:
The search of Nexis [which Barnhart prefers when searching for usage frequency] suggests that the usage of these terms in the United States is dominated by cybersecurity while British and World English usage appears to prefer cyber security.  Cyber-security is the least prominent of the possibilities.  So, I guess, this has been a long-winded way of getting around to saying: It may depend on where you live.

Wayne Glowka, Professor of English and Dean of the School of Arts and Humanities, Reinhardt University:
You have come across a common occurrence with compound words. Typically, they start as two-word phrases. In time, you will see them as hyphenated words and then as compound words written as one word. Different dictionaries will offer different ways of spelling them, often noting that all three forms are acceptable.

Normally, a good linguistic sign that we have a compound word in American English is stress on the first syllable. So the phrase "black bird" (as in "I see some kind of black bird over there") has its strongest stress on "bird." The compound word "blackbird" has its strongest stress on "black."

The big exception to the congruence of spelling and pronunciation is the compound word "White House" (the house where the POTUS lives). It is stressed like a compound word (WHITE house), but it is spelled like a phrase.

Figuring out the most strongly stressed syllable of "cybersecurity" vs. "cyber security" would be a challenge akin to pronouncing the difference between "a light housekeeper" and "a lighthouse keeper." And where is the stress in "an elevator operator"?

Ben Zimmer, Executive Producer of and the Visual Thesaurus, language columnist for The Wall Street Journal, and former language columnist for The Boston Globe and The New York Times Magazine:
As it happens, I recently wrote about "cyber-" and "cyber" in my Wall Street Journal column.

Historically, "cybersecurity" has been the standard form, since "cyber-" has been understood as a combining form, not a standalone word. But as I describe in the column, "cyber" is increasingly being viewed as a word on its own, either as an adjective or a noun. So the fact that we now have phrases like "Cyber Monday" encourages people to think of "cyber" as an adjective (or possibly an attributive noun) modifying the noun it precedes.

So while I would personally prefer "cybersecurity," I can see how "cyber security" could eventually displace it.


So, with all that, here’s what we know about which term is more correct:  not much.  While the preference leans toward “cybersecurity,” it might depend on where you live, what you’re trying to emphasize or whether you’re part of a technical community that for its own reasons prefers to use one or the other term. But seriously it would be great if we all just agreed on one form over the other.

I vote for cybersecurity.

NIST Cybersecurity Framework Gets a Lot of Love from Congress in Oversight Hearings

Over the past eight days both the House of Representatives and the Senate have held oversight hearings on the voluntary critical infrastructure cybersecurity framework that the National Institute of Standards and Technology (NIST) is developing pursuant to President Obama’s February 12, 2013 executive order.   On July 18, the House Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on the development of the framework, which was followed by a Senate Commerce Committee hearing yesterday on the partnership between NIST and the private sector to hammer out the framework.

Little in the way of controversy or news emerged during either hearing, with both arms of Congress expressing strong support for the NIST initiative, which will appear in preliminary form in October and final form in February 2014.  “I believe that the outline of NIST’s framework provides an important step to increasing our nation’s awareness and ability to protect our networks from crippling cyber attacks,” House Subcommittee Chairman Patrick Meehan (R-PA) said.

“Getting NIST involved in cybersecurity makes a lot of sense, because NIST already has decades of experience working with the private sector on computer security issues,” Senator Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee said.  Rockefeller along with Ranking Member John Thune (R-SD) have introduced a bill, The Cybersecurity Act of 2013, that will codify into law the voluntary framework that NIST produces, legislation that Rockefeller said yesterday will go to mark-up before Congress recesses in August.

All of the witnesses at both hearings said that the framework process is humming along nicely.  “I’m actually quite excited by the progress we have made and the response we’ve got from the private sector,” Charles Romine, Director of NIST’s Information Technology Laboratory told the House Subcommittee, referring to the three workshops NIST has held with the private sector in developing the framework. “We’ve achieved over the course of a relatively short time a consensus on the framework.”

And all of the witnesses said that the framework is an excellent initiative to tackle the cybersecurity challenges that industry and government face.  “The approach to the cybersecurity framework set out in the executive order will allow  industry to protect our nation from the growing cybersecurity threat while enhancing America’s ability to innovate and compete in a global market,” NIST Director Patrick Gallagher told the Senate Committee.

A few interesting points were briefly touched upon in both hearings.  The first is whether Congress should recommit to passing comprehensive cybersecurity legislation.  During the waning days of the last Congress, efforts to pass tougher cybersecurity legislation were derailed in the face of opposition by both industry interests and privacy advocates, prompting President Obama to issue his executive order to compensate for the failure.

“I have concerns that a self-assessment may not be sufficient to incentivize action to bolster cyber defenses,” Rep. Meehan said during the Subcommittee hearing, referring to the public-private partnership underlying the voluntary standards. “Ultimately, I believe it is the consensus of this committee that Congress must pass legislation, in order to address many of these outstanding issues.”

Meehan was specifically referring to cyberthreat information-sharing among private sector and government entities which most experts believe requires an act of Congress.  Rockefeller, who is also a member of the Senate Intelligence Committee, said during yesterday’s hearing that the Intelligence Committee plans to introduce a bill that would permit and facilitate information sharing.

A related issue is the degree to which the voluntary standards should ever become mandatory requirements either through legislation or existing or new regulatory authorities.   “If we can create confidence in the marketplace [with the framework] then I don’t think government needs to get involved,” Robert Kolasky, Director of the Integrated Task Force assigned with implementing the executive order at the Department of Homeland Security, told the House Subcommittee.

As to whether regulatory or other government agencies can enforce the framework in some fashion through their existing authorities, a subject of examination under the executive order, “until the agency actually tries to create regulations one doesn’t really know what’s going to happen,” Eric Fischer, Senior Specialist at the Congressional Research Service told the House Subcommittee.  “If they do have the authority they may do it anyway.”

NIST Closer to Solidifying Critical Infrastructure Cybersecurity Framework

The National Institute of Standards and Technology (NIST) held in San Diego last week the third of four workshops to develop a comprehensive cybersecurity framework for critical infrastructure as required under an executive order signed by President Obama on February 12, 2013.  As my latest piece for CSO discusses, it won't be clear what the 500 participants produced until NIST releases its summary document later this month.

But several cracks in the process continued to emerge during the workshop, including doubts about whether NIST is trying to recreate the wheel, whether enough critical infrastructure sectors are actually participating in the process, whether DHS and NIST are coordinating well enough and whether this whole thing might slip from the voluntary to the mandatory category.

Check out the piece here.

DHS Official: Napolitano Departure Won't Delay Cybersecurity EO or PPD Tasks

(La Jolla, CA)  A top Department of Homeland Security (DHS) official involved in a number of initiatives flowing from President Obama's February 12 cybersecurity executive order (EO) and Presidential Policy Directive (PPD) said today that the impending departure of DHS Secretary Janet Napolitano shouldn't delay any of the time-sensitive and crucial tasks assigned to DHS under the EO and PPD.  

At a workshop hosted here at the University of California, San Diego (UCSD),  Robert Kolasky, Director of the DHS Integrated Task Force, said in an interview that (acting) DHS Deputy Secretary Rand Beers "is well familiar with the work involved.  I don't anticipate any delays."  The workshop, run by the National Institute of Standards and Technology, was a key event in the development of a voluntary critical infrastructure cybersecurity framework. Napolitano is leaving DHS in September to run the University of California system (UCSD is part of that system although the NIST workshop and Napolitano's new role are unrelated).

As the table below highlights, not only has DHS been assigned a central coordinating role in both the EO and PPD, it also has a number of fast-track tasks that must be completed prior to Napolitano's departure.  DHS officials say that the agency has fulfilled its obligations on all of the tasks in that it has submitted to either the President or the Office of Management and Budget (OMB) required reports and materials by the specified deadlines that have occurred to date.  None of the reports listed in the table below have been made public yet, although Kolasky said that at least one of the reports, recommendations on the incentives critical asset owners need to participate in the new wide-ranging security efforts, will be made public by the end of July.

NIST Gets Down to Brass Tacks on Cybersecurity Framework in San Diego

Starting tomorrow in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors.

As the first in a series of articles I've been commissioned to write for CSO Magazine discusses, the NIST process faces a host of challenges, including CEO apathy, government agency rivalry and asset owner fear of vendor dominance.  Still, most of the major players say everything is on track and proceeding as expected.

Check out the article here.

Napolitano: Voluntary Cybersecurity Framework is "An Experiment" At This Point

Department of Homeland Security (DHS) Secretary Janet Napolitano said today that the voluntary cybersecurity framework outlined in President Obama's February 2013 executive order (EO) and public policy directive is at this point "an experiment" because it grants major responsibility for the nation's security to the private sector, an arguable first in the history of national defense.  Speaking at an event at the Wilson Center in Washington, DC, Napolitano said "the voluntary program…is going to be at this point an experiment and a very important one.  Where security is concerned, we don’t normally depend on the private sector.  We inherently view that as an inherently government function."

Napolitano was specifically referring to the development of a cybersecurity framework taking place under the auspices of the National Institute of Standards and Technology (NIST) pursuant to the EO, which is premised on the idea that a public-private partnership can create cybersecurity rules of the road that minimize cybersecurity breaches across 16 critical infrastructure industries.  "If we can make this work and show that there is a vital ongoing strong partnership…we will have succeeded in this experiment," she said.

But, "I don’t think we have yet come to closure whether this is an appropriate thing to have shared responsibility as opposed to an inherently governmental responsibility," she stressed.  "This is really the first time in our nation’s history that we’ve approached a major security problem in this way."

Other speakers at the event echoed Napolitano's skepticism.  Former DHS Secretary Michael Chertoff, now Chairman of the Chertoff Group, said "it is kind of a novelty…we don’t really expect the private sector to defend itself against attacks."  The only other alternative is for the federal government to step in which would "put the government into everybody’s computers and everybody’s networks," he said. Speaking about Napolitano's emphasis on how experimental the framework is, Chertoff said "I do think her message is that at the end of the day if it’s not done and the private sector doesn’t step up…the public will demand mandates."

It won't be easy for the private sector to implement the right cybersecurity measures needed, according to Steve Flynn, Founding Co-Director of the George J. Kostas Research Institute for Homeland Security and Professor of Political Science at Northeastern University.  "An element of the challenge here is that we’re kind of late to the game and kind of boilerplate on security safeguards for systems that were not built to be made essentially safe, certainly  for the threats we have," he said.  "It’s a bit like trying to take a raised ranch home and make it handicapped accessible.  It’s going to be expensive, ugly and not work well."

DHS Advisor: There Is a Really Short List of Potential Cybersecurity Catastrophes

(Washington, DC)  One of the Department of Homeland Security (DHS) officials in charge of executing the key tasks outlined in President Obama's February 2013 cybersecurity executive order (EO) and public policy directive said yesterday that his agency has found few situations that can cause a catastrophe.  "Our critical infrastructure is pretty resilient and we do not see a long list of things that can cause catastrophe," Robert Kolasky, Co-Chair of the DHS Integrated Task Force, said during a panel discussion at The Cable Show, the cable industry's big annual conference held here.

Kolasky was mainly referring to the process outlined in the EO whereby DHS is obligated to identify what constitutes critical infrastructure, a controversial task that has to be completed by July 12 of this year. Presumably in developing the list or inventory or identification of critical infrastructure, DHS has examined where potential cyber harm can cause the greatest damage.  "It's going to be a really short list of potential catastrophes," he said, noting that communications and electricity are the top two critical infrastructure sectors under examination.  "We still come at it from the perspective that communications and electricity are critical."

The communications sector may be in better shape than electricity.  "A lot of what we've seen is that there is redundancy and resiliency with communications service," Kolasky said.  The situation is different for the electric sector, he said later in an interview, because of the various structural and geographic factors that make it difficult to build redundancy and resiliency into the electric grid.

Another task in the EO, the development of a comprehensive cybersecurity framework that covers 16 designated critical infrastructure sectors, is well underway with a third workshop on that framework to be hosted in San Diego during the second week of July.  Critical infrastructure representatives should be really prepped for that meeting, Donna Dodson, Chief of Cybersecurity for the National Institute of Standards and Technology (NIST), the government arm in charge of developing the framework, told the cable group.  "I think it's important from our perspective that people come in to the next workshop with a strong understanding of the executive order and the framework process," she said.

One question dogging the President's EO and policy directive mandates is whether the various agencies involved can meet what some consider to be extraordinarily tight deadlines for a host of difficult tasks on such a complex subject.  "With the executive order, we have really stepped it up," Samara Moore, White House Director for Cybersecurity and Critical Infrastructure, said.  Through an active interagency process, "we've been working together to meet the deadlines."

NIST Cybersecurity Workshop: Well-Organized but Concerns Crop Up

(Pittsburgh, PA)  Hundreds of top cybersecurity professionals gathered here at Carnegie Mellon University on May 29 for the second Cybersecurity Framework Workshop hosted by the National Institute of Standards and Technology (NIST) to help develop a comprehensive framework for critical infrastructure industries, as mandated under President Obama's February 2013 Executive Order.  With the goal of producing a framework that can adequately stretch across 16 critical infrastructure sectors by October of this year, NIST hired facilitators to lead three days of discussions across eight break-out groups along four tracks, which NIST says are the areas where "gaps" were identified based on a review of the comments filed by numerous parties in response to an RFI issued by NIST.

The four tracks are the "Business of Cyber Risk," "Threat Management," "Cybersecurity Dependencies and Resiliency" and "Progressive Cybersecurity:  From Basics to Advanced Cybersecurity."  I participated in the first three of the tracks and spent some time talking to my fellow break-out group members, other break-out group attendees as well as some of the NIST organizers and track facilitators.  Based on all this, here are the top takeaways so far:

1.  The process is well-organized although the substance seems to be lacking:   although the NIST organizers get high marks for a well-coordinated workshop, a recurring comment is whether the open-ended nature of the break-out sessions has achieved anything so far.  One of the facilitators told me that the soft nature of this first roll-up-your-sleeves workshop is intentional in order to give all parties an opportunity to provide input - the next workshop in California will present an actual straw-man framework for the attendees to address.

2.  Asset owners need to have a stronger representation:  although a good chunk of the 300 to 400 attendees are asset owners (mostly utilities and telcos with a sprinkling of cable companies and financial institutions), the majority appear to be either consultants or vendors.  Several of the asset owner attendees have remarked that the break-out sessions are heavily tilted toward vendors and that in the smaller groups within those sessions, the ratio of vendors/consultants to asset owners can be five to one.  This criticism harkens back to the process that NIST undertook when it developed interoperability standards for the smart grid, which is an oft-cited model for the current cybersecurity framework process.  During the development of the smart grid standards, several utility representatives remarked that the process was vendor-driven and therefore of lower value to them as a consequence.

3.  Some of the topics veer outside the scope of cybersecurity:  during my break-out session on dependencies and reliabilities, for example, the facilitators widened the scope of the discussion to include all possible dependencies (including human capital, legal and contract-related requirements and other issues). Some of the asset owners in the room balked at this wide scope, arguing that the process should stay narrowly focused on pure cybersecurity matters. As one of these participants said during my session, business practices should be outside the scope of NIST's investigations.  A fear among some critical infrastructure owners is that the NIST process might lay the foundation for regulatory action someday despite its current voluntary and public-private partnership approach.  Thus the further the process strays from the topic of cybersecurity, the wider the potential regulatory field, or so some fear.

Whether NIST can develop a comprehensive framework that addresses cybersecurity in a meaningful way while setting aside too many business practices is an open question at this point. During the plenary session on the second day of the workshop, Bruce McConnell, Acting Deputy Under Secretary of DHS said one of the goals of the framework is to "raise the level of conversation about cybersecurity...The conversation we've been having over the past 25 years has been a technical conversation. There is a gap between information technology risk and enterprise risk management."

Who's Paying for Huawei's Cybersecurity Evaluation? Not Huawei, Apparently.

Under tough questioning yesterday from Silicon Valley-area U.S. Representative Anna Eshoo (D-CA), John Lindquist, the CEO of highly regarded defense contractor and security firm Electronic Warfare Associates (EWA), said that a major American telecommunications company paid for a recent cybersecurity audit of technology from controversial Chinese telecom equipment supply giant Huawei.  Speaking at a hearing on supply chain cybersecurity issues before the House Energy and Commerce Committee's Subcommittee on Communications and Technology, Lindquist, President and CEO of EWA, was asked by Eshoo who paid for the cybersecurity "seal of approval" that she assumes EWA gave to Huawei.

Eshoo had presumed that Huawei had paid for the evaluation given that Huawei itself has said on several occasions that it has "hired" EWA "to audit our products in order to certify the safety and reliability of the products at the source code."  If that were the case, Eshoo said, it could be the "equivalent of what happened on Wall Street" when the ratings agencies gave glowing marks to some unstable financial institutions that paid the agencies.

To Eshoo's surprise, Lindquist said that in fact Huawei didn't pay for the evaluation but that an unnamed major American telecommunications company did instead.  Lindquist said that an NDA barred him from naming the company.  In his written testimony, Lindquist did note that EWA's business practices, as is the case with many technology evaluation firms, call for the telecommunications company, as the primary beneficiary, to pay for security evaluations of vendor products.

It wouldn't be surprising, then, that a major U.S. telecom company would pay for an evaluation of Huawei's products.  A number of U.S. telecom companies do business with Huawei, including Cricket Communications, Clearwire, Cox and Level 3/BTW, according to a report by Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD) of the Permanent Select Committee on Intelligence.  In addition, a number of other Tier 1 telecom providers, such as Verizon, are clearly evaluating if not currently using Huawei technology.

Whichever telco it is, "they are in the process" of contemplating a purchase and "we are in the process of evaluating their system.  The evaluation is by no means complete and we’re only evaluating the radio area network portion," Lindquist said.

Lindquist stressed, however, that "we do not give a seal of approval.  What we do is take known threats and we have very good access in the government to the agreed list of cyberthreats...what we do say is what we looked at and what we found and if we found things, what corrections were made."

Huawei, an equipment and networking giant whose global sales of gear and software skyrocketed over the past ten years, topping $30 billion in annual revenue, is viewed by some military and cybersecurity specialists as a threat to the security of critical telecommunications infrastructure.  Some Huawei opponents believe that the company is bankrolled and controlled by the Chinese government, which is arguably the most active nation-state engaged in cyber espionage and hacking.  They further suspect the motives of Huawei's founder, Ren Zhengfei, who formed the company after leaving a civilian-ranked engineering post in the Chinese military.

As a consequence, Huawei has the capability of introducing, and incentive to introduce, undetectable backdoors and other vulnerabilities in the products it sells to telecom companies, for the benefit of China's economic and military interests, detractors argue.  Other experts, however, contend that the focus on Huawei, and to a lesser extent another telecom tech giant, ZTE, is a form of paranoia inappropriately focused on Chinese companies due to the often overheated and sometimes nationalistic rhetoric surrounding cybersecurity matters.
