Biggest Challenge for Cybersecurity Executive Order: Herding All the Cats


Department of Homeland Security Secretary Janet Napolitano is about to testify today before the Senate Committee on Homeland Security and Governmental Affairs regarding the President's February 12 cybersecurity executive order.  As I've mentioned in the past, the cybersecurity scene in Washington is a labyrinth and the recent EO only promises to make it much more so.

By my reckoning there are 15 government departments, agencies or offices responsible for implementing it, each to varying degrees.  They are:
  1. Administrator of General Services
  2. Attorney General
  3. Department of Agriculture (Named via Sector Specific Agency references)
  4. Department of Commerce's NIST
  5. Department of Defense
  6. Department of Energy (Named via Sector Specific Agency references)
  7. Department of Health and Human Services (Named via Sector Specific Agency references)
  8. Department of Homeland Security
  9. Department of the Treasury (Named via Sector Specific Agency references)
  10. Director of National Intelligence
  11. Environmental Protection Agency (Named via Sector Specific Agency references)
  12. Federal Acquisition Regulatory Council
  13. National Security Agency
  14. Office of Management and Budget
  15. Privacy and Civil Liberties Oversight Board

And the order covers 16 critical infrastructure industries.  They are:
  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems

If I were on the Homeland Security Committee, I'd be asking a lot of questions about how DHS plans to herd all these cats through the labyrinth on such a complex subject.  Stay tuned for an update on the hearing itself.

Image Courtesy of PublicDomainPictures.net.

Napolitano: We'll Try Voluntary Cybersecurity and See How It Goes


(Washington, DC)  Department of Homeland Security (DHS) Secretary Janet Napolitano today gave a lukewarm thumbs-up to President Obama's recently issued cybersecurity executive order, saying that the Administration will give the voluntary approach to critical infrastructure cybersecurity a chance but that, once again, Congress still needs to pass comprehensive cybersecurity legislation.

Following a State of Homeland Security address at the Brookings Institution here, Napolitano said during the Q&A that she hopes Congress will pass a cybersecurity bill along the lines of what the Administration had been promoting last year because "the executive order can only go so far.  It’s not only standards, it’s information sharing.  It’s sharing information early enough so that we can all get in there, find out what the intrusion is and work to mitigate or minimize the harm and to share knowledge about it so others can protect themselves," Napolitano said.

"We can’t mandate that.  That will have to be done legislatively.  We’re going to try to do it with the voluntary adoption and sharing of standards.  We will see how that goes.  But there are areas in the cyber realm that only legislation will help."

Napolitano also addressed how it is that DHS, the primary government department through which the cybersecurity order will work, interacts with two other important cybersecurity federal players, the Department of Defense (DoD) and the FBI.  She said that DHS, the FBI and DoD have developed amongst themselves what they call the "troika" on cybersecurity, collaboratively sharing resources and information to combat cyber threats.  "Working together we have alighted upon a realistic and workable solution for how we organize in the federal government how to deal with cyber."

Napolitano began her talk with a description of what she calls DHS 3.0, which bases its approach to national security threats, including cyber threats, on a "risk-based" strategy.  Ironically, the Brookings Institution just released a paper by Ralph Langner and Perry Pederson concluding that a risk-based approach to cybersecurity, such as that outlined in the cybersecurity order, is doomed to fail.

Citing the business-based foundation of a risk-based approach, which weighs the costs involved in implementing adequate security against the cost fallout of a cyber incident, the authors conclude:

Unfortunately, this new order is set up to fail. By promoting voluntary action by the private sector supported by information sharing on cyber threats and risk-based standards, the executive order doesn’t deliver on a fresh approach. Efforts to address the very same problem by similar means go back to the Clinton administration and have not resulted in any measurable improvements.

Critical Infrastructure Providers Take Note: Key Deadlines in the Cybersecurity Executive Order


While I was completely off the grid last week, President Obama finally issued the much-anticipated cybersecurity executive order prior to his State of the Union address.  For those who followed the machinations surrounding the order, the contents of the final order contained no surprises.  In almost every respect, it tracked the publicly released draft executive order dated November 21, 2012, which was a very business-friendly modification of some of the early, more pro-regulatory draft orders.

The order, among other things, basically establishes a one-way information flow, ensuring that the government shares technical and cyber threat information with critical infrastructure providers.  Most of the tweaks to the earlier order underscore the importance of government agencies sharing information with critical infrastructure owners rather than the other way around.  Thus the final order is a far cry from the earliest versions, which proposed regulations of critical infrastructure owners to mitigate risks.

New language that emphasizes the importance of providing threat information (particularly classified threat information) to critical infrastructure owners is peppered throughout the order.  For example, Section 4 (a) of the order says "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats."

Even if the order lacks true bite, a slew of government agencies, offices and departments will nevertheless quickly kick into gear to implement the order's directives.  And any industry or company that might end up categorized as "critical infrastructure" in the order had better get involved right now because the ball will roll very quickly.


The table above and the chart at the top of the article list the major tasks spelled out in the order, when those tasks begin, how much time is slated for completing the task based on its start date and when the task is ordered to be completed.  (Click on the images for clearer resolution).

As you can see, the deadlines are very tight.  NIST, for example, has only 240 days from the date of the order to develop a preliminary cybersecurity framework that includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.  NIST, therefore, must come up with a comprehensive technical, standards-based cybersecurity framework to cover all affected critical infrastructure industries by October 10, which is a very tall order indeed. (Update:  NIST has already issued its RFI for this framework at http://www.nist.gov/itl/cyberframework.cfm).

Congress hasn't been cut out of the cybersecurity maelstrom, not by a long shot.  The day after Obama issued the order, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA).  From a brief scan of the language, it's basically the same bill of the same name passed by the House last year and slammed by privacy advocates.  Not surprisingly, privacy advocates rushed in to slam this bill on the same grounds.

Moreover, the Obama Administration has said all along that even with this order, Congress must act to redress problems, particularly the lack of incentives for critical infrastructure providers to participate in a meaningful cybersecurity program, that the order cannot legally reach.  Even in his State of the Union address, President Obama reiterated the need for legislation.  "That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said.

Mike Rogers: We're in a Cyberwar. Make No Mistake About It.


(Washington, DC) Mike Rogers (R-MI), House Intelligence Committee Chairman, today amped up the rhetoric on cybersecurity by out-and-out declaring that the U.S. is in a cyberwar.  "We're in a cyberwar, make no mistake about it," he told attendees at the annual winter meeting of the National Association of Regulatory Utility Commissioners (NARUC) here.  "We are in a cyberwar and we're losing," he said.

Rogers said that the government, particularly the National Security Agency (NSA), does a good job of protecting government infrastructure, but that government infrastructure is a small slice of the national security pie.  "When you get over there [at the NSA] you see some big-brained cybersecurity work.  But that's only five percent of networks across America.  There is no government that doesn't use private networks."

He addressed the issue of Iran as a major cybersecurity threat.  "What about countries like Iran? Would they make a non-rational decision?  I argue absolutely.  Look at what they did to the Saudi Arabian oil company Aramco.  They actually broke the machines...you don't get to go reboot" something like that, Rogers said.

Rogers also said that the recent spate of announcements by American newspapers, including the New York Times and the Wall Street Journal, that they have been hacked is a strangely positive development from the perspective of awakening the public to the threat of cyberattacks. "In an odd way, the newspapers that came out and said they'd been hacked is a good thing."

The White House, for its part, still plans to issue an executive order, Dr. Andy Ozment, Senior Director for Cyber Security at the White House, told the NARUC audience, stressing, however, the continued need for the Congress to pass a cybersecurity bill.  "A cyber EO [executive order] would be a downpayment for legislation, not a substitute on it," Ozment said, because of the many cybersecurity fixes that an EO can't reach.

Whatever cyber EO the White House issues, it will emphasize the need not only for information sharing but also for collaboration.  "We will be very clear about how we will foster engagement.  If we don't have you all at the table, we're lost before we're begun," he said.

Correction:  An earlier version of this post misidentified Mike Rogers's state and committee title.

Hagel: Cybersecurity is a Big, Insidious Threat


Defense Secretary nominee and former Republican Senator Chuck Hagel said during his Senate confirmation hearing this morning that cybersecurity is as dangerous a threat to the nation's defense as any other threat given cyber's ability to wreak havoc quickly and across a variety of crucial systems.  "Cyber, I believe, presents as big a threat to our country as any one specific threat.  It’s an insidious, quiet kind of a threat that we’ve never quite seen before."

In an exchange with Senator Mark Udall (D-CO), Hagel said the potential damage of a cybersecurity attack could be very wide-scale.   "It can paralyze a nation in just a second.  Not just the power grid or a banking system.  It can knock out satellites, it can take down computers on all our carrier battle ships.  It can do tremendous damage to our national security apparatus."

But, he said, it's not an easily tackled issue.  "This is law enforcement, this is privacy, this is business, so a lot of complications that we’ve really never ever had to face before on national defense threats to this country."

Cybersecurity will be a top priority for the Defense Department, Hagel suggested.  "Cyber will be an area that we will continue to focus on and an area that I will put a high priority on if I’m confirmed to be Secretary of Defense."

Worldwide Government Requests for Google Data Jumped 70% from 2009 to 2012


Google released its bi-annual Transparency Report yesterday, one part of which is aimed at documenting the number of worldwide government and court requests it receives to hand over user data, usually (although not always) in criminal investigations.  The bad news:  the number of reported requests keeps rising - from 12,539 during the second half of 2009 to 21,389 during the second half of 2012, an increase of 70%.

The good news:  the percentage of requests where Google actually hands over the data is on the downswing, from 76% in the second half of 2010 (the earliest that Google began reporting this data) to 66% in the second half of 2012.  It's possible that Google is just getting better at deflecting these requests or it's also possible that governments are basing their requests on fewer and fewer justifiable reasons. Or some combination of both.

The more interesting question is what's happening over time in individual countries, whether authorities in some countries are stepping up or decreasing their demands for user data.  Although Google hasn't produced quite enough data yet to get a truly good look at the trends, the company has released enough data to tentatively talk about year-to-year trends in about twenty-two countries.

I've pasted at the end of this post a full table that contains my 2011 to 2012 analysis for all of these countries.  Based on this analysis, here are the top five and lowest five countries in terms of percentage growth for the number of data requests, data produced and accounts specified.



As you can see based on this breakdown, South Korea tops the list for the fastest growth rate in data requests, while Chile tops the list in terms of growth in the frequency of actual data produced.  South Korea also had the fastest growth rate in the number of accounts specified - the authorities there accessed almost double the number of accounts in 2012 that they did in 2011.

Singapore earns the distinction of having the lowest growth rate in terms of requests - the government authorities in Singapore made 11% fewer requests in 2012 than they did in 2011.  Portugal experienced a 44% drop in terms of how often actual data was produced and Singapore rounded out the bottom of the list in terms of the number of accounts specified, with a 44% decline from 2011 to 2012 in the number of Google accounts to which the authorities there gained access.

It's not clear that these trends mean much of anything at this point; a whole host of factors, such as a drop in the overall crime rates in any given country, shifts in government control, increased or decreased usage of Google services and many other variables can drive year-to-year changes.  And data can be cut a lot of ways - I've chosen percentage growth in data demands, which, although it equalizes the disparities among nations, can make things look bigger or smaller than they really are (after all, a jump from 1 to 2 is a 100% change, the same as an increase from 100 to 200).  Finally, Google itself is continually refining how it reports this difficult data and methodology changes could cause some of the data to be incomplete or incomparable for the purpose of this kind of analysis.  But even with these limitations, it might be useful to keep track of the changes over time to determine if some governments, some political regimes, are stepping up or easing back on their efforts to gain access to Internet data.

Another interesting point:  Google has for the first time released for the U.S. the kinds of legal processes that the authorities use when requesting data.  Around 68% of the requests are subpoenas, 22% are search warrants with the remaining 10% mostly court orders or other processes.  As I mentioned in a blog post two days ago, Google and other Internet companies are pushing to change the law, primarily the Electronic Communications Privacy Act (ECPA), so that law enforcement and other government requests for data meet the more stringent legal requirements that warrants require.



Image Source:  Google.

Google Exec: Data Privacy Laws Violate the Fourth Amendment


(Washington, DC) The main existing law that limits the scope of law enforcement electronic snooping violates the Fourth Amendment to the Constitution when it comes to Internet communications, a top Google expert said here today.  Speaking at the Congressional Internet Caucus' Annual State of the Internet Conference, Google's Director of Law Enforcement and Information Security Richard Salgado said that "our view is that the statute [the Electronic Communications Privacy Act, or ECPA] is out of compliance with the Fourth Amendment because the government can call for the production of your data without a search warrant."  The Fourth Amendment guards against unreasonable searches and seizures by the government.

ECPA, drafted in the 1980s when telephones were the primary mode of electronic communications, does not extend to email or other forms of Internet communication.  Under ECPA, government authorities can and do request user information records with either commonplace, easy-to-issue subpoenas or with little more than written notices stating that the data are pertinent to an investigation.  Telephone wiretaps, on the other hand, are usually subject to more stringent requirements for search warrants, which are issued by courts and judges and are based on the legal standard of probable cause.

The failure of the law to keep pace with Internet privacy issues is the main reason Google backs the Digital Due Process Coalition and publishes a bi-annual transparency report, which documents the government data requests received by the Internet giant.  Although Google does not break down the kinds of law enforcement requests it receives -- warrants, subpoenas or just informal letters -- Salgado said that about 70% of the requests it receives are subpoenas. (Update:  On 1/23, Google released its latest transparency report, which documents for the first time the kinds of government requests it receives.  Of the total requests received during the second half of 2012, 68% were subpoenas, 22% were search warrants and the remaining 10% were court orders or other processes that are difficult to categorize.)

"What we hear anecdotally is that the government asks [Internet companies] 'give us everything you can.'  The vast majority of that email is not going to be relevant," Kevin Bankston, Senior Counsel, Center for Democracy and Technology said.  "There is no minimization requirement when it comes to email."

The so-called scoping problem with Internet communications, namely that the government can request massive amounts of data without narrowing the scope of its requests, is likely the basis for the oft-reported allegation that Jill Kelley, a central figure in the Petraeus scandal, had exchanged 30,000 emails with General John Allen, the U.S. Commander in Afghanistan.  The true number of emails is likely in the hundreds, according to Kelley, but it's possible that the FBI did indeed examine 30,000 of her emails in their hunt for relevant communiques.

How the FBI got access to the email accounts in the Petraeus scandal is unclear, according to Julian Sanchez, Research Fellow at the Cato Institute.  "One site reported that the FBI used subpoenas.  That's a little weird if true because the FBI does not have administrative subpoena authority," he said. [Clarification: Julian was speaking about the FBI's administrative subpoena authority in cyberstalking investigations.]

No good remedies to this problem are on the horizon either.  To fix ECPA or enact new laws would require an act of Congress.  But, "realistically I don't think anything has a legislative solution anymore," Mike Vatis, a long-time government cyber security and digital data protection expert, now a partner at Steptoe & Johnson, said.  [Clarification:  Michael Vatis says he was speaking about the prospect of a legislative solution to the question of minimizing the scope of law enforcement requests, because minimization becomes too complicated to address in legislation, with courts ending up deciding the matter on a case-by-case basis.  He later said that a legislative solution is possible through a simpler amendment to require a warrant to obtain the content of any communications.]
