Recent Posts

Rep. Mike Rogers: Chinese Indictments Are 'Glitz and Glamour' But Legislation More Important

(Washington, DC)  House Intelligence Committee Chairman Mike Rogers (R-MI) said yesterday that the Justice Department's high-profile indictment of Chinese military officials for cyber theft of U.S. business secrets is "great for glitz and glamour" but it's more important that Congress act on cyber legislation by August if the government wants to ensure true cybersecurity. Speaking at an event hosted by the George Washington University Cybersecurity Initiative, Rogers said "I agree with the indictments and I agree with certain visa restrictions [b]ut it can't be done in isolation."

The Obama administration's largely symbolic move is "great for glitz and glamour but nothing followed," Rogers said. "It's the right idea but the wrong execution.  If only we could get the second piece of this, which allows the private sector to defend itself," Rogers said, referring to the Cyber Intelligence Sharing and Protection Act, which would facilitate the sharing of cybersecurity information between the private sector and the government.

Although the House has passed the bill, it's stalled in the Senate, a situation that Rogers thinks is improving and believes has to be resolved by August or else prospects for near-term cybersecurity legislation will die. "I think we've made tremendous progress in the last few months. I hate to say it but if we don't get something moving in August, it will get lost in the haze."

Rogers is cautiously optimistic that a bill could move in the next thirty days, with the contentious issues narrowed down to a "few short issues," particularly the question of how a portal for sharing information with the government gets structured. "We've narrowed down the issues on the portal," Rogers said.

Speaking at the same event, Toomas Hendrik Ilves, President of Estonia, a country widely considered to be home to the first true cyber warfare attack, said that new intellectual concepts are needed to successfully battle cyber threats given the radically novel dangers posed by the modern connected era. "We have major intellectual tasks ahead of us," he said. We are facing the modern equivalent of Thomas Hobbes' "war of all against all," he added, and "we need our Jeffersons, our Voltaires in this area."

Estonia is at the forefront of protecting individual online identities as a key strategy for ensuring security, with everyone using two-factor public key infrastructure using RSA 2048 encryption. "We have come to the conclusion that you cannot have any genuine security without a secure online identity," Hendrik said.  "That is the dilemma of all Internet relations.  You don't know who's who."

Government Cybersec Leaders: Just Patch Your System, Do Strong Passwords

(Washington, DC)  Despite vulnerabilities such as Heartbleed grabbing headlines, the best methods for ensuring adequate system security are often the most basic forms of cyber hygiene, such as patching systems and ensuring strong passwords, a group of government cybersecurity experts agreed today. Speaking at the GovSec conference here, Ron Layton, Deputy Chief Information Officer, U.S. Secret Service, said "what's the best investment for our resource dollar?  Patch your system.  The vast majority of successful breaches use very low-level techniques."

"We are still at the precipice of one of the most disruptive forces in our society [b]ut just do a strong password and you're good," he added.

"You don't necessarily need to worry about the most recent APT [advanced persistent threat] if you have 20% of your computers that are unpatched that can be had by a hacker with no skill whatsoever," Patrick Morrissey, Former Director of Investigations and Protective Operations, Blackberry, and Former CISO, U.S. Secret Service, said. "That is where the bad guys are going to come in. The sophisticated hacker is not going to waste his technique on you.  Don't worry so much about being exploited by the latest and greatest.  Just stay up to date on your patches."

The best method for ensuring adequate cybersecurity within the federal government is information sharing and collaboration, something that is bolstered by trust but hampered when no crisis is pressing on the nation. "Trust and relationships is what it’s all about," Dave Pekoske, Chairman of the FBI-private sector partnership InfraGard National, said.

However, "the agencies are not going to be giving up the keys to the kingdom" to other agencies, Morrissey said, particularly if a truly collaborative relationship is absent. "People are going to be reluctant to share information with those agencies if they don't believe the agencies are going to protect them as they should."

Information sharing among government agencies is problematic for a number of reasons, not the least of which are the varying definitions of security clearance and "need to know" statuses across agencies.  But agencies do collaborate better in the midst of a crisis.  "The government does work well in crises but the farther we get away from 9/11 it becomes a problem," Morrissey said.

Another perennial problem that hampers work across agencies is the lack of qualified cybersecurity personnel, who tend to steer clear of the government or bolt for the higher paid private sector after relatively short stints.  "It's a huge challenge for us right now," Eric Strom, Unit Chief, Cyber Initiative and Resource Fusion, NCFTA, FBI, said. "It's hard to take an investigator and teach them cyber skills."

GE Acquires Wurldtech as Cybersecurity Acquisition Deals Hum Along

GE announced today a deal to buy privately-held Vancouver-based cybersecurity firm Wurldtech, underscoring the increasingly hot market for cybersecurity tech firm acquisitions.  Wurldtech specializes in cybersecurity technologies for critical infrastructure industries and big industrial concerns including power plants, oil refineries and other key providers.

This deal follows FireEye's $70 mil. announced acquisition of nPulse Technologies earlier this week and caps a string of at least 26 cybersecurity acquisition deals over the past year.  (See table below.)  Clearly it's a good time to be a cybersecurity tech start-up or well-respected small solutions supplier.

FTC to Snapchat: If You Promise Security, You'd Better Deliver It

(Washington, DC)  In a move that could have wide-ranging effects on how Internet and mobile application providers approach both privacy and data security, the Federal Trade Commission (FTC) today entered into a consent order with mobile messaging app provider Snapchat, subjecting the company to a series of requirements aimed at ensuring that Snapchat maintains and protects the privacy, security and confidentiality of any consumer information.  The action, which officials labeled as a "significant" move by the agency, follows a complaint issued by the FTC that despite Snapchat's claims, images and videos transmitted via the application did not completely self-destruct and that adequate security of the service was not in place.

In announcing the consent order here at a Media Institute luncheon, FTC Chairwoman Edith Ramirez stressed not only the deceptive claims regarding content self-destruction (recipients could use tools outside of the application to save both photo and video messages), but also the need to maintain strict security practices, particularly when those practices are promoted as part of a product's appeal.  "The Snapchat case vividly illustrates that there is no data privacy without data security," she said.

Pointing to the high-profile data breaches over the past year, Ramirez said "despite the threats posed by data breaches, I am concerned that many companies continue to underinvest in data security and make fundamental mistakes when it comes to protecting sensitive consumer information."  Hinting at increased action by the FTC when promoted security fails to materialize, Ramirez noted that "the FTC's enforcement work in this area has shown that some companies fail to take even the most basic security precautions, such as failing to update antivirus software or to require network administrators to use strong passwords."

In making its original complaint against Snapchat, the FTC alleged that despite its claims of implementing adequate security measures, Snapchat "did not employ reasonable security measures to protect personal information from misuse and unauthorized disclosure." It alleged that Snapchat failed to implement proper identity verification upon sign-up, allowing users to send personal images to complete strangers who had registered with false phone numbers.  Moreover, the complaint alleges, Snapchat failed to secure its "Find Friends" feature, which resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

In discussing the order with reporters following its release, Chris Olsen, Assistant Director, Division of Privacy and Identity Protection at the FTC said the case is a "new statement in our body of cases" because it tackles "a major player on many platforms with many users" and because Snapchat made "unequivocal express claims about the privacy of its service."

Although the FTC has brought a number of cases against individual apps for deceptive privacy practices and last year sued HTC America for negligently injecting security vulnerabilities in its devices that put sensitive consumer information at risk, the Snapchat case appears to reflect a new direction by the agency in holding companies responsible for failing to meet promised security protections.  "If you are making promises about security, privacy or anonymity, you have to keep those promises," Olsen said.

In its complaint, the FTC pointed to specific security promises that it contends Snapchat did not uphold, including "boilerplate" statements in its privacy policy.  For example, in its policy Snapchat said "[Parent company] Toyopa Group, LLC is dedicated to securing customer data and, to that end, employs the best security practices to keep your data protected" and "We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction."

Under the order, which will be put out for 30 days for public comment before it becomes final, Snapchat will have to cease any misrepresentation, establish, implement and maintain a comprehensive privacy program and conduct initial and biennial assessments of and reports on that program from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.  Those assessments and reports will continue for twenty years. Any violation of the order will cost Snapchat $16,000 per day per new violation or $16,000 per day for a continuing violation.
