Public-Private Partnership, Information Sharing Key to NIST Cybersecurity Framework Success


(Washington, DC)  Improving private sector relations with the government, particularly in the area of threat information, will be central to the future success of the cybersecurity framework issued last week by the National Institute of Standards and Technology (NIST), according to a panel of industry representatives speaking at a Bloomberg Government cybersecurity conference here today.  That framework was developed pursuant to an executive order signed by President Obama last February and is slated to be final under the order by February 2014.

Asked to rate, on a scale of one to ten, how well the public-private partnership has worked so far in developing the still-preliminary framework, Dean Garfield, President and CEO of the Information Technology Industry Council, rated the effort an 8.5.  "What was surprising to me is that there is broad consensus on policy issues," he said.

"It's improving, it's moving toward the higher end" of the scale, Robert Mayer, Vice President of Industry and State Affairs at telecom trade association USTelecom said.  "The grade is obviously incomplete [but] I'm encouraged by the direction we're moving in," Internet Security Alliance CEO Larry Clinton said.

Jeremy Bash, Managing Director of policy consulting firm Beacon Global Strategies, however, rated the effort as merely a three "because there is a huge disconnect with industries.  For the vast majority of enterprises, this issue is not yet on the radar screen." Most industries "fundamentally want one thing - they want the government to share sensitively derived threat [information]," Bash said.

Incentives, which are also addressed separately in the executive order, are also key determinants of how well the framework will be adopted.  One important incentive is to improve information sharing between the government and private sector, Garfield said.  "Making sure we have the capacity and communication internally within the administration and the government to share and make use of the information that has been shared," is crucial.

The problem is going to be that many incentives, including some of the liability protections needed for effective information sharing, will require statutory authority, necessitating an act of Congress, Mayer said, a very difficult feat given the current legislative environment.  One big problem with threat information sharing is that "the government doesn't want to share data because they are afraid the source of the data will come out," Clinton said.  "The thing is industry doesn't care about the source.  So take the source data out."

NSA's Alexander: Infiltration of Yahoo, Google Data Centers 'Never Happened'


(Washington, DC)  Gen. Keith Alexander, Director of the National Security Agency (NSA), denied today a Washington Post report that the intelligence agency has secretly broken into communications links that connect Yahoo and Google data centers around the world.  Speaking at a Bloomberg Government cybersecurity conference, Alexander was--within minutes of the report's publication--asked about this latest bombshell revelation stemming from the documents obtained by former NSA contractor Edward Snowden.

"Not to my knowledge. That has never happened," Alexander said when asked if it's true that NSA secretly infiltrates the two Internet giants' networks.  Alexander's further denial seemed to be premised on the erroneous notion that this latest report dealt with court orders for surveillance data from the Foreign Intelligence Surveillance Court (FISC), an entirely different and legal, although murky, form of NSA data collection that came to light earlier this year.  "Those companies are compelled to work with us," he said. "These are specific requirements that come via court order....We go through a court order, we issue that order to them through the FBI."

Both the Washington Post and The Guardian began their series on the Snowden documents by revealing a "front door" NSA program called PRISM, under which NSA petitions the FISC to obtain user data from Internet companies, including Google and Yahoo.  However, today's Washington Post report reveals a secret initiative under which NSA uses a data extraction tool called MUSCULAR, which is operated jointly with GCHQ, the British intelligence agency.

Although Yahoo and Google are aware of and comply with the FISC orders, even while sometimes fighting them, both companies express in the Post article surprise and anger over the possible infiltration of their data communications links without their permission.  Those inter-data-center links are not encrypted (Google is in the process of putting that measure into place), but the NSA seemingly still had to get past what the Post calls "gold standard" security measures to gain access to the companies' traffic.

F-Secure CRO Urges EU Countries to Steer Away from U.S. Built Systems


Cybersecurity expert and Chief Research Officer for Finnish software company F-Secure Mikko Hyppönen today urged EU countries to steer clear of U.S. software and services in light of the ongoing revelations that the NSA engages in mass surveillance of EU citizens and officials.  Speaking at TEDx Brussels on a day when the latest Snowden disclosure revealed that the NSA collected data on 60 million phone calls in yet another European country, Spain, during a recent month, Hyppönen said EU countries should "try to steer away from systems built in the United States."

The big challenge is that "any single company in Europe cannot build replacements" that rival U.S. technology in terms of scope and utility.  The solution lies in EU countries banding together to build open source systems "then one country doesn't have to solve the problem by itself," Hyppönen suggested.

Although all countries engage in surveillance, the real problem lies in the concentration of technological dominance in the United States.  "How many Swedish decision-makers use U.S.-based services" such as Windows or cloud-based services every day, he asked. Conversely, "how many American leaders use Swedish-based services?"

Even services developed outside the U.S., such as Skype, become subject to insecurity once they're acquired by American firms within the reach of the NSA, he said.  "Once again we take something that is secure and make it insecure on purpose."

Even though the NSA only has the legal right to monitor foreigners, "96% of the planet is foreigners.  It is wholesale surveillance of all of us," Hyppönen said.

Regarding the apparent discrepancy between leaked NSA slides that indicate U.S. technology companies, such as Microsoft and Google, cooperate with the intelligence agency via backdoors or some other means of secret access and those companies' denials that such cooperation exists, Hyppönen floated an alternative explanation.  "One explanation is that these parties or service providers are not cooperating but they've been hacked.  In this case they've been hacked by their own government."

Regarding the massive scale of NSA's surveillance activities, Hyppönen compared the new NSA data center under construction in Utah to IKEA stores, saying the new center is five times larger than the largest IKEA store. "How many hard drives could you fit into an IKEA store?" he asked.  "They can keep the data for decades."

The two biggest technological revolutions in recent history, the Internet and mobile communications, "turned out to be the most perfect tools for the surveillance state," Hyppönen said. "It turns out George Orwell was an optimist."

NIST Cybersecurity Framework Is Improved But Best Part Is the Community It Has Created


The National Institute of Standards and Technology (NIST) released on Tuesday its "official" preliminary comprehensive critical infrastructure cybersecurity framework as required under President Obama's February executive order, and most people involved say it's an improvement over previous versions.

After talking to a number of the key participants in the framework process, I noticed that despite the varied and widespread critiquing of the framework from a diverse and often fractious bunch of cybersecurity specialists, lawyers and engineers, one thing stood out:  the framework has created a community of people willing to collaborate on cybersecurity for the common good.

As one participant noted, "what we've developed is a framework for people working together." Unfortunately the framework itself still falls short in terms of actually improving cybersecurity in the eyes of many participants.  But there's still time for more changes before the framework is finalized in February...and will probably continue changing well after that.

Here's my latest take in my ongoing series on the framework for CSO Magazine.  Check it out.

House Intel Committee Chairman Sees a Path Forward for CISPA


The controversial Cyber Intelligence Sharing and Protection Act (CISPA), which would pave a clear legal path for private companies to share more cyber information with the federal government, is a "little ill" but not "dead yet," House Intelligence Committee Chairman Mike Rogers (R-MI) said today. Speaking at an event hosted by the Center for Strategic and International Studies (CSIS), Rogers said that despite the "perception" damage caused by former NSA contractor Edward Snowden "we think there is some hope we can continue to move this particular piece of legislation."

The Senate is working on introducing a revised version of CISPA and Rogers said that he has been working on "confidence builders" to overcome some of what he characterized as misperceptions regarding some of the privacy concerns in previous bills.  "I do think there is a path forward on this.  I don’t believe we can walk away from this most [urgent] security threat to the United States that we are not prepared to handle."

Rogers also said that Congress is working on a package that would reform the security clearance process in the wake of revelations that Edward Snowden, Chelsea Manning and the Navy Yard shooter all had high-level security clearances.  "We’re putting together a package now of changing from a 1950s style 'is candidate A a good American?' [to] a more dynamic review for individuals who are seeking security clearances."

On the other hand, expedited security clearances for the private sector are important given that most assets which need to be protected are in private hands, according to Michael Hayden, former NSA and CIA Director. "The private sector really needs to have clearances and it can’t be stingily metered out by ones and twos by a government that is thinking 'this is fundamentally our stuff,'" Hayden said.

Rogers also defended the NSA's interception of French citizens' phone calls, the latest bombshell report flowing from the Snowden leaks.  Terrorists and criminals "use French networks, they use U.S. networks. They don’t care about borders or treaties," he said. "They will use any and every network on the face of the earth.  It would be irresponsible for our agencies not to pursue them where they work."

Former Homeland Security Secretary Michael Chertoff echoed Rogers' comments.  "It shouldn't be surprising that that activity occurs.  You can move the electrons around the world multiple times and it’s always difficult to prove where something comes from."

The security threats in cyberspace are growing rapidly, with some nation-states, such as Iran and North Korea, gaining greater sophistication while the number of potent non-state actors continues to multiply, according to Senior CSIS Fellow James Lewis.  Citing an EU representative, Lewis said there are twenty to thirty high-end criminal groups that have the capabilities of nation-states.

"Most of them live in countries that begin with 'R', and it's not Romania," Lewis said. Moreover, "we’ve seen the commoditization of cyber attacks.  People will be able to go online and buy tools that let them go after targets."

Former DHS Deputy Secretary Lute: We're Not Prepared for an American Blackout


(Washington, DC)  Former Deputy Secretary of Homeland Security Jane Holl Lute said today that the country has a lot more work to do to prepare for the fallout of a catastrophic cybersecurity event, such as a widescale attack on the nation's power grid.  "We're not nearly as prepared as we need to be," she said during a panel discussion following the premiere of National Geographic's American Blackout, which grimly portrays the fictionalized aftermath of a major cyber attack on the U.S. electric system.

A complete breakdown in the U.S. power sector isn't a likely scenario though, according to Scott Aaronson, Security Director for EEI, a trade association for the electricity industry.  "We're the only sector with mandatory cybersecurity standards," he said, referring to the Critical Infrastructure Protection standards mandated by the North American Electric Reliability Corporation.

And the kind of social breakdown depicted in the film could occur if any one of a number of U.S. critical infrastructure sectors were crippled.  "Deprive of us of food, deprive us of water, deprive us of telecom and you're going to have the same impact," Aaronson said.

"If you would have asked me, can [a total American blackout] happen, I would have said 'not very likely,'" former CIA and NSA Director Michael Hayden said, referring to his years as the head of those agencies. Hayden also discussed how there are a growing number of strategic weak points in the nation's defense capabilities because cyber technology has pushed the capability to inflict serious damage, a power once reserved for nation states only, down to individuals.

To survive a catastrophic event, whether triggered by a cyberattack or some other calamity, you have to create elasticity in the disaster recovery system, according to Richard Reed, SVP of Disaster Cycle Services for the Red Cross.  Reed too characterized the massive blackout of the film as unlikely but said "there is always an attraction to low-probability, high-consequence events."

Real recovery from any disaster lies at the community level, Robert Bristow, Medical Director of Emergency Management at New York Presbyterian Hospital said.  Many communities thrived in Japan following the Tohoku earthquake and tsunami, which triggered a subsequent nuclear disaster.  "In Japan, the communities had resilience."

Could Attackers Really Bring Down the Power Grid With This Widely Used Protocol?


Just in time for the premiere of a National Geographic movie that portends what might happen to the U.S. in the event of a widescale cybersecurity attack on the power grid, researchers are spreading the word regarding potentially devastating vulnerabilities in a communications protocol widely used in U.S. electric, water and other critical infrastructure.  These vulnerabilities could in theory disable control servers for major portions of the electric grid, leaving utility operators with little to no visibility into power delivery and allowing attackers to control the grid.

The vulnerabilities identified by researchers Chris Sistrunk and Adam Crain lie in implementations of DNP3 (Distributed Network Protocol), the industrial control system protocol that lets SCADA (supervisory control and data acquisition) master stations in control centers communicate with remote units, such as the substations through which electric power flows.  An attacker who gains access to a remote unit, either physically through a break-in at the site or, less frequently, remotely over wireless links, can send malformed DNP3 messages back to the utility's control servers; buggy DNP3 implementations there can crash or hang on the bad input, potentially crippling the utility's control over its network.

"You get one bad packet and you can’t talk to a hundred things," Crain, who is a software researcher and founder of consulting firm Automatak said.  "You can’t see what’s going on, you can’t do anything."

Crain concedes that most of the attacks enabled through the vulnerabilities that he and Sistrunk have identified are not likely to give the attackers actual control of the networks, but merely eliminate visibility from the control center into the network.  "The majority of them [are likely] to be DoS [denial of service attacks]," he said. "Honestly right now I think the risk [of attackers taking control of power networks] is pretty low but the bar is constantly dropping so people are taking more and more interest in this stuff."

However, he warns, "if you can get into the control center of a major investor owned utility, all bets are off. Some of them serve multiple states" and all an attacker has to do is exploit the vulnerabilities of a few major utilities to attack the bulk of the American electric grid.

Neither Crain nor Sistrunk, who is a utility telecommunications engineer, is a cybersecurity specialist. Crain discovered the vulnerabilities through serendipity last April when he was testing an open source implementation of DNP3 protocols that he wrote.

The researchers alerted DHS and the various industrial control security information sharing bodies about the vulnerabilities and have mounted a project called Robus to keep track of these and other potential areas of exploit.  It's not the protocol itself, which can be purchased off the Internet from the standards body for $500, that's the problem, Crain said.

The vendor implementations of DNP3 create the vulnerabilities. "In theory there is nothing wrong with the protocol.  There are just bugs in what vendors have implemented."
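To make the "one bad packet" failure mode above concrete, here is an added example (written for this page, not code from Crain, Sistrunk, Robus or any vendor) of DNP3 link-layer framing in Python. It encodes a frame with the real CRC-16/DNP checksum, then parses it two ways: a trusting parser that believes the LENGTH byte and skips CRC checks, so a malformed response makes it throw out of the master's poll loop, and a hardened parser that validates every field against the bytes actually present and raises a handled error instead. The sample frames are constructed for the example, not captured from a utility, and the field values (control byte 0x44, addresses 1 and 1024, a null response body) are assumptions.

```python
import struct
from dataclasses import dataclass

DNP3_START = b"\x05\x64"
MAX_USER_DATA = 250          # LENGTH byte tops out at 255 and counts the 5 header bytes


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP as used by the DNP3 link layer: polynomial 0x3D65
    (0xA6BC bit-reflected), init 0, final XOR 0xFFFF, transmitted LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


class FrameError(ValueError):
    """Malformed frame: the caller logs it, drops it and keeps polling."""


@dataclass
class LinkFrame:
    ctrl: int
    dest: int
    src: int
    user_data: bytes


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Encode: 8-byte header + CRC, then 16-byte data blocks each followed by a CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds one link frame")
    header = DNP3_START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def naive_parse(buf: bytes) -> LinkFrame:
    """The bug class behind 'one bad packet': trusts LENGTH, verifies no CRC,
    and reads past the buffer on a short or inflated frame, so the raw
    exception escapes into whatever called it."""
    ctrl = buf[3]
    dest, src = struct.unpack_from("<HH", buf, 4)
    remaining, pos, data = buf[2] - 5, 10, bytearray()
    while remaining > 0:
        n = min(16, remaining)
        data += struct.unpack_from(f"{n}s", buf, pos)[0]  # struct.error when buf is short
        pos, remaining = pos + n + 2, remaining - n
    return LinkFrame(ctrl, dest, src, bytes(data))


def parse_frame(buf: bytes) -> LinkFrame:
    """Hardened parser: check every field against what is actually in the
    buffer before touching it, and reject CRC failures with a handled error."""
    if len(buf) < 10:
        raise FrameError("short header")
    if buf[:2] != DNP3_START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if length < 5:
        raise FrameError("LENGTH smaller than header")
    if struct.unpack_from("<H", buf, 8)[0] != dnp3_crc(buf[:8]):
        raise FrameError("header CRC mismatch")
    ctrl = buf[3]
    dest, src = struct.unpack_from("<HH", buf, 4)
    n_user = length - 5
    need = 10 + n_user + 2 * ((n_user + 15) // 16)   # data plus one CRC per block
    if len(buf) < need:
        raise FrameError(f"truncated: have {len(buf)} bytes, need {need}")
    remaining, pos, data = n_user, 10, bytearray()
    while remaining > 0:
        n = min(16, remaining)
        block = buf[pos:pos + n]
        if struct.unpack_from("<H", buf, pos + n)[0] != dnp3_crc(block):
            raise FrameError("data block CRC mismatch")
        data += block
        pos, remaining = pos + n + 2, remaining - n
    return LinkFrame(ctrl, dest, src, bytes(data))


def survives(parser, buf: bytes) -> bool:
    """True if the parser returns a frame or raises the handled FrameError;
    False if it dies with anything else (the DoS the researchers describe)."""
    try:
        parser(buf)
        return True
    except FrameError:
        return True
    except Exception:
        return False


def master_poll(parser, responses: dict) -> dict:
    """One poll cycle, outstation address -> status.  With parse_frame one bad
    response is dropped and the other outstations are still serviced."""
    status = {}
    for addr, raw in responses.items():
        try:
            status[addr] = "ok:" + parser(raw).user_data.hex()
        except FrameError as exc:
            status[addr] = "dropped:" + str(exc)
    return status


# Constructed sample traffic (assumed values, not captured from any utility):
# an outstation null response: transport header, app control, function 0x81, IIN.
GOOD = build_frame(0x44, dest=1, src=1024, user_data=bytes.fromhex("c0c0810000"))
INFLATED = GOOD[:2] + b"\xff" + GOOD[3:]   # LENGTH now claims 250 data bytes
TRUNCATED = GOOD[:12]                      # cut part-way through the data block

if __name__ == "__main__":
    print(parse_frame(GOOD))
    for name, bad in (("inflated", INFLATED), ("truncated", TRUNCATED)):
        print(name, "naive survives:", survives(naive_parse, bad),
              "hardened survives:", survives(parse_frame, bad))
    print(master_poll(parse_frame, {1: GOOD, 2: INFLATED, 3: TRUNCATED}))
```

Run with the naive parser, master_poll would die on outstation 2's frame before reaching outstation 3, which is the visibility loss Crain describes; with parse_frame the bad frame is reported and polling continues. The same "validate before you read" discipline applies one layer up, where the transport and application headers and object counts are parsed.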

As of today, Robus notes that only nine of 25 vulnerabilities discovered have been patched by the vendors.  The original number of discovered vulnerabilities was sixteen and it's probable that more vulnerabilities are yet to be uncovered.

Crain and others don't believe critical infrastructure providers, particularly utilities, will move quickly to close these security holes until regulatory forces press them to do so.  Ironically, the main cybersecurity quasi-regulatory authority in the electric utility industry, NERC (North American Electric Reliability Corporation), whose critical infrastructure protection (CIP) cybersecurity standards utilities must follow, specifically excludes serial communications from its requirements, and serial links are exactly where DNP3 is most often run.  "Until someone tells them, someone like NERC steps up, I don’t expect large industrial owned utilities to react," Crain said.

In the meantime, the number of remote units that are potentially vulnerable to this kind of attack could be staggering although no precise numbers are available.  Based on research I conducted in 2009 for a different purpose, there are an estimated 74,120 substations in the U.S. if the sample in my study, which represented utilities serving around a quarter of all U.S. electricity customers, is good.

Of these substations, around 51% were connected by some form of communications, a ratio likely to be far higher today.  But even assuming 51% connectivity, that's still around 37,800 potential attack vectors. No data exists on how many of these substations use DNP3, although one utility security expert suggested that the latest numbers he saw put the figure at 30%.

If that's a good number (and it's probably low because utilities tend to use the older communications technologies for which DNP3 is used, such as dial-up modems, microwave or 900 MHz platforms) that's 11,340 power grid substations through which attacks can be launched.

Moreover, as the same utility security expert noted, there could be potentially thousands more remote units that aren't substations, such as devices atop poles, that use vulnerable DNP3 implementations.  On top of everything, water systems, oil and gas pipelines use the same implementations and aren't counted in this number.

All it takes is one vulnerable point in any utility's network to send bad data back to the control system, and few utilities have robust physical protection of their substations or other remote units.  As one expert noted, unless the unit is a manned facility (generation or inspection station) or has been deemed a critical asset by NERC, the sole security is probably an easily climbed chain-link fence or an easily picked lock on an equipment cabinet.

Video surveillance of remote sites, if any, is typically limited to equipment racks and frequently has blind spots.  Even the alarm systems on substations are controlled by DNP3-enabled technology, Crain said, so that attackers can block alerts to the control facility that a break-in has occurred.



Cybersecurity Leader Offers Alternative Version to NIST Framework



Phil Agcaoili (pronounced "Agg-Ca-Willy") is doing his best to push things forward with the cybersecurity framework process underway at the National Institute of Standards and Technology (NIST). The much-lauded cybersecurity leader, who sold his first cybersecurity company to Verisign for $70 million in 1998, making him a comfortable man in his mid-20s, has fired a public shot across the bow of NIST's effort to craft a comprehensive cybersecurity framework for critical infrastructure as mandated under President Obama's February 2013 cybersecurity executive order (EO).

At midnight last night, Agcaoili posted on the Internet his own draft cybersecurity framework, as a set of spreadsheets, that he contends is a simpler, better version of the one that NIST has been working on since February.  He said that his framework, which he has vetted with the top cybersecurity professionals and standards-setting bodies in the world, actually meets the EO's goal, which is to produce a "prioritized, flexible, repeatable, performance based, and cost effective" scheme.

The timing of Agcaoili's release is no coincidence - under the EO, NIST was required to publish a draft of its framework within 240 days, that is, by October 10th, yesterday.  Due to the government shutdown, NIST has ceased all work on the framework, which must be finalized by February, and has shuttered its framework website.  If NIST aims to meet the February deadline despite the delay, as some reports indicate, there is little time to make effective changes in the framework, which, while currently voluntary, could ultimately become mandatory for many critical infrastructure industries through regulatory machinations.

"We're not shutting down on the Internet," Agcaoili said, referencing the fact that interested commenters no longer have access to the materials that NIST has developed and on which NIST is seeking public comment. Agcaoili said he released his alternative framework as a private citizen.

"I was making a statement on many levels on what a private citizen can do, what the government doesn't have to do," he said.

Agcaoili is echoing the view held by many cybersecurity practitioners inside critical infrastructure entities (as opposed to Washington representatives or Beltway consultants or government officials) that the NIST framework is simply "reinventing the wheel" and will make cybersecurity more, not less, difficult.  He said his framework consists of nothing more than well-honed cybersecurity components that already "exist in the wild" and for which most critical infrastructure entities already seek certification.

Specifically, Agcaoili's framework hinges on six core schemes:  ISO/IEC 27001:2005, COBIT 4.1, NIST SP 800-53 Rev. 3, the Council on CyberSecurity Critical Security Controls (CCS CSC), NERC CIP and ISA 99.  In addition, he has factored in three key privacy standards -- GAPP (August 2009), AICPA TS Map, and the AICPA Trust Services Criteria (SOC 2 report). The latest version of the NIST framework is generic when it comes to privacy, despite the EO's requirement that NIST ensure privacy requirements are built into the framework.

"If you’re already following SANS, if you’re already following ISO, if you’re already following NERC-CIP you’re following the framework," he said.  "We've done it in the industry all along."

Much of Agcaoili's framework is based on technical "mapping" work performed by the Cloud Security Alliance (CSA), which has attempted to pull together the sometimes incoherent mass of cybersecurity standards into a comprehensible whole so that cybersecurity professionals can more easily know how to secure their networks and systems.  Agcaoili began to vociferously promote a CSA-type approach in San Diego in July at one of the four workshops NIST has held since the EO was signed.

He said he does have the support and backing of a host of cybersecurity luminaries and standards groups. Agcaoili named these individuals and groups--and they are impressive--with the same rapid-fire and encyclopedic knowledge he uses to discuss the vast, arcane and complex world of cybersecurity standards and practices.

Asked why he has taken this bold step, Agcaoili said "so that people can pick it up and use it.  So we can actually defend our country and stop all the fracturing that’s going on."

Note:  This headline and some of the article text have been modified since its original publication.

Rogers, Hayden: NSA Does Not "Assassinate" People


(Washington, DC)  The National Security Agency (NSA) does not "assassinate" people, House Intelligence Committee Chairman Mike Rogers (R-MI) and former NSA and CIA Director Gen. Michael Hayden said today.  Addressing hints from journalists Glenn Greenwald and Jeremy Scahill that they are working on a new bombshell, based on documents obtained by former NSA contractor Edward Snowden, which seemingly implicate NSA in "assassination programs," Rogers said at a Washington Post Cybersecurity Summit today that "to say that the NSA is participating in assassination attempts is completely inaccurate and completely inflammatory."

"I saw Greenwald pushing his equivalent of a movie trailer and I said 'oh this must be interesting because I have no idea what he is talking about,'" Hayden said.  "Assassination is a technical term.  It is forbidden by executive order.  We do do targeted killings against enemy combatants because that is an act of war." Potentially leaving room for interpretation regarding NSA's role in either type of killing, Hayden added "I do hope we make full use of the NSA when we do that."

In terms of Snowden, Rogers said that the revelations flowing from the materials given to Greenwald and others have damaged U.S. security. "It is significant and in many cases irreversible...we have seen many Al Qaeda affiliates change how they do things."

Rogers was skeptical that Snowden could have obtained the extensive set of documents without help, strongly implying that Snowden had the backing of a foreign power, presumably China or Russia, the two countries to which Snowden fled after leaving the U.S.  "I still think there is a lot of unanswered questions here--when you look at the kinds of information he had--there are some things in there that don't quite add up.  It sure raises more questions than it answers."

While not going as far as Rogers, Hayden said that Snowden was clearly methodical and calculating in his efforts.  "This was a sustained long term campaign that he had undertaken in order to take this information and in fact moved from job to job to facilitate taking this information."

Most governments engage in the kinds of digital intelligence activities that the Snowden documents have exposed but are far less likely to protect civil liberties, Craig Mundie, Senior Advisor to the CEO of Microsoft said.  "Virtually every kind of government in the world does the same kind of things [but] they do it with less discretion."

The motivations of the U.S. intelligence apparatus and the reasons other nations engage in digital spying also differ, according to Hayden.  "I ran NSA, we steal stuff.  We steal things to keep our nation free and our citizens safe.  We don't steal things to make people rich," he said.

Whatever the case may be, it's clear that cyberspace is becoming a more dangerous place all around.  "In the last twelve months there has been a qualitative change where the threats have become more destructive threats," Microsoft's Mundie said.

And U.S. companies are relatively defenseless.  "It's illegal to chase guys up the wire and certainly to shoot back...in the U.S. there is no legal basis for self-defense on the net," Mundie said.

Rogers, however, quickly rebutted the idea that companies such as Microsoft should ever take things into their own hands.  "I am very concerned about getting into the notion that we should unleash companies who have the capabilities...because we can't deal with the consequences."
