Communications Crucial to Critical Infrastructure Restoration After Cyber Events, Experts Say


(Washington, DC)  The National Association of State Energy Officials (NASEO) and the U.S. Department of Energy’s Office of Electricity Delivery and Energy Reliability held a two-day Energy Assurance and Interdependency Workshop here to examine the cascading impacts of energy systems on other critical infrastructure.  The workshop examined a number of potential emergency scenarios to role-play how interdependent essential services (such as food, water, finance, transportation) might prepare for a number of emergencies, including sophisticated cyber attacks.

During the second day of the workshop, moderator Jack Eisenhauer of Nexight Group laid out for a panel of experts a complex, fictitious cyber attack that cripples banking institutions, leaving users unable to conduct online financial transactions, while taking down the electric grid within large urban areas across the U.S. and consequently disrupting the delivery of natural gas to electric power plants.

On top of these disastrous impacts,  the scenario includes voltage surges in the electric transmission system which flow down to the distribution systems, causing damage to automatic transfer switches and backup generators at many residential and commercial facilities, including the Federal Reserve and banking institutions.  How, the panelists were asked, do you proceed under such a scenario?

Despite the severity of these events, as long as the communications systems still function, damage could be mitigated even under these extreme conditions, the panelists agreed.  "Electricity and communications are really not separate anymore," Patrick Miller, Partner and Managing Principal of the Anfield Group said. "It's a fabric really."

The electric systems can be run manually, particularly at generation facilities, while the cyber incident is investigated and redressed.  "As long as the communication failures didn't occur, they can resume operations," Miller said.

The same thing is true for the natural gas system, according to energy sector security expert Gary Forman. "The manual operation of the natural gas system depends on communications," specifically mobile telephones and land mobile radio.

Transportation also becomes crucial under the hypothetical scenario due to the surge-related physical damage, with particular need for quick delivery of replacement parts and expert personnel.  But, with an incapacitated financial system, transporting equipment and personnel could prove problematic. "Will they even be able to buy gas and swipe their cards?" Forman asked, referring to personnel who must travel in order to make repairs or implement manual operations.

Making repairs to capacitor banks damaged in voltage surges, for example, "requires heavy machinery and big trucks and folks with special training," Miller said.  It would be little surprise, then, if the military stepped in during such a scenario to facilitate restoration.

"We're pretty sure we're going to get the call for support" if the cyber events occur as described, Neil Holloran of the Naval Surface Warfare Center said, particularly if the power outages extend for days. "Beers, bros and barbecues for the first three days and on the fourth day the guns come out," he said.

It could take a week before power is back up, Miller said.  "Under the scenario as designed, [it] looks like we could get it back up within a week."

Coordination is key to restoring essential services, something the financial sector has worked out well through its Information Sharing and Analysis Center (ISAC), Karl Schimmeck, VP of Financial Services Operations, Securities Industry and Financial Markets Association, said.  "That doesn't solve everything, but helps you get the lay of the land," Sara Alexander, Deputy Director of ChicagoFIRST, a regional emergency preparedness organization, said.

The financial services ISAC works well on the national level for cyber incidents, but if physical damage or transportation complexities are involved, regional coordination becomes crucial.  Unfortunately, "if there is something that could replicate the value of the ISAC at the state and regional level, we haven't seen that," Alexander said.

Adoption and Privacy Issues Get Aired at NIST's Fifth Cybersecurity Framework Workshop


Last week in Raleigh, North Carolina, the National Institute of Standards and Technology (NIST) hosted a fifth and final workshop on the development of a comprehensive critical infrastructure cybersecurity framework as the February 2014 deadline for finalizing the ambitious effort draws near.  After an intensive amount of work on a complex and thorny subject, many of the participants, particularly those who participated in all five of the workshops, were in awe over how far NIST has come since it received its marching orders via President Obama's executive order last February.

But as could be expected, there are a lot of issues that have yet to be resolved.  As my latest piece for CSO Magazine spells out, one major question remains unanswered despite the prodigious work by NIST and industry collaborators:  what constitutes adoption of the framework?  Without really good answers to this question, the framework itself could become a hollow exercise that, while representing good thinking and practices, does very little in reality to raise the cybersecurity bar.  The definition of adoption as well as related issues (such as the incentives needed to adopt the framework) got a lot of airtime among the attendees in North Carolina.

A well-organized effort to get NIST to overhaul its latest attempt to incorporate privacy and civil liberty considerations into the framework was one of the more surprising aspects of the workshop.  The framework's privacy appendix is too broad and should be pared down to deal only with privacy matters as they relate to cybersecurity, a number of top infrastructure industry reps said.

NIST has some, but not much, time left to tinker further with the framework before it becomes final.  And the group is still fielding feedback during an open comment period that ends in December.

For more information on the latest workshop, check out my article in CSO.

U.S., Germany, Singapore, Australia, UK & China Top List of Apple Device Data Requests


Apple today released a report detailing, to the extent it can, the number of requests it receives from governments around the globe seeking information on individual users or devices.  Following in the footsteps of Google and other Internet companies, Apple's stated goal with the report is to be as transparent as possible. The timing of the report's release comes amidst growing concern as a result of the Snowden revelations over the degree to which U.S. companies share individual user data, communications and activities with the National Security Agency (NSA).

The Cupertino giant makes an effort to distinguish itself from Google and similar Internet services, noting that most of the government requests are device-related, and that only a small fraction of the requests seek information from online or mobile service accounts such as iTunes or iCloud.  In a statement widely viewed as a thinly veiled dig at the Internet search provider, the report states "our business does not depend on collecting personal data. We have no interest in amassing personal information about our customers."

Moreover, the data Apple does present on these "account" requests reveal little about NSA or national security requests because the U.S. government bars the company from presenting this information in anything other than consolidated ranges of 1000s.  The bulk of the account requests, however, do come from U.S. authorities, whether local or national law enforcement or intelligence agencies.  Very few come from other nations (perhaps because, as Apple notes, law enforcement agencies outside the U.S. must first go through U.S. legal channels before obtaining account information.)

Interestingly, Apple says it has not received any of the so-called 215 requests at the heart of so many of the NSA controversies.  Section 215 of the Patriot Act allows the U.S. government to petition the Foreign Intelligence Surveillance Court to issue demands for user data from service providers.  "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us," the report notes.  (Some commenters are suggesting that this statement is Apple's "warrant canary," namely that Apple is going on the record to say that it has never received a Section 215 warrant only to remove such a statement in future reports in the event it does receive a warrant.  Apple, like other service providers, is legally barred from disclosing the receipt of these demands.)

The more interesting data are what Apple calls device information requests, none of which reflect national security-related requests and many of which originate with device owners themselves working in conjunction with local law enforcement.

The table below lays out these requests by country, in order of frequency.  The U.S. tops the list in terms of frequency of requests (3,542) followed by Germany (2,156), Singapore (1,498), Australia (1,178), United Kingdom (1,028) and China (585).  Apple provides data in response to most of these requests, but not always.

For example, in Japan there were 106 requests for device data during the first six months of 2013, but Apple only provided some data in 12 of those cases - a mere 11%.  In Taiwan, Apple received 81 government requests but only provided some data in 12% of those instances.

It's possible that in these situations the requests were related to mass device theft and thus data on the device owners was not relevant.  In Brazil, for example, Apple received 34 requests related to 5,057 devices but five of those 34 requests involved stolen cargo.  In Brazil, Apple provided data in only 6% of the cases.


Public-Private Partnership, Information Sharing Key to NIST Cybersecurity Framework Success


(Washington, DC)  Improving private sector relations with the government, particularly in the area of threat information, will be central to the future success of the cybersecurity framework issued last week by the National Institute of Standards and Technology (NIST), according to a panel of industry representatives speaking at a Bloomberg Government cybersecurity conference here today.  That framework was developed pursuant to an executive order signed by President Obama last February and is slated to be final under the order by February 2014.

When asked to rate, on a scale of one to ten, how well the public-private partnership has worked so far in developing the still-preliminary framework, Dean Garfield, President and CEO of the Information Technology Industry Council, rated the effort an 8.5.  "What was surprising to me is that there is broad consensus on policy issues," he said.

"It's improving, it's moving toward the higher end" of the scale, Robert Mayer, Vice President of Industry and State Affairs at telecom trade association USTelecom said.  "The grade is obviously incomplete [but] I'm encouraged by the direction we're moving in," Internet Security Alliance CEO Larry Clinton said.

Jeremy Bash, Managing Director of policy consulting firm Beacon Global Strategies, however, rated the effort as merely a three "because there is a huge disconnect with industries.  For the vast majority of enterprises, this issue is not yet on the radar screen." Most industries "fundamentally want one thing - they want the government to share sensitively derived threat [information]," Bash said.

Incentives, which are also addressed separately in the executive order, are also key determinants of how well the framework will be adopted.  One important incentive is to improve information sharing between the government and private sector, Garfield said.  "Making sure we have the capacity and communication internally within the administration and the government to share and make use of the information that has been shared," is crucial.

The problem is going to be that many incentives, including some of the liability protections needed for effective information sharing, will require statutory authority, necessitating an act of Congress, Mayer said, a very difficult feat given the current legislative environment.  One big problem with threat information sharing is that "the government doesn't want to share data because they are afraid the source of the data will come out," Clinton said.  "The thing is industry doesn't care about the source.  So take the source data out."

NSA's Alexander: Infiltration of Yahoo, Google Data Centers 'Never Happened'


(Washington, DC)  Gen. Keith Alexander, Director of the National Security Agency (NSA), denied today a Washington Post report that the intelligence agency has secretly broken into communications links that connect Yahoo and Google data centers around the world.  Speaking at a Bloomberg Government cybersecurity conference, Alexander was--within minutes of the report's publication--asked about this latest bombshell revelation stemming from the documents obtained by former NSA contractor Edward Snowden.

"Not to my knowledge. That has never happened," Alexander said when asked if it's true that NSA secretly infiltrates the two Internet giants' networks.  Alexander's further denial seemed to be premised on the erroneous notion that this latest report dealt with court orders for surveillance data from the Foreign Intelligence Surveillance Court (FISC), an entirely different and legal, although murky, form of NSA data collection that came to light earlier this year.  "Those companies are compelled to work with us," he said. "These are specific requirements that come via court order... We go through a court order, we issue that order to them through the FBI."

Both the Washington Post and The Guardian began their series on the Snowden documents by revealing a "front door" NSA program called PRISM, under which NSA petitions the FISC to obtain user data from Internet companies, including Google and Yahoo.  However, today's Washington Post report reveals a secret initiative under which NSA uses a data extraction tool called MUSCULAR, which is operated jointly with GCHQ, the British intelligence agency.

Although Yahoo and Google are aware of and comply with the FISC orders, even while sometimes fighting them, both companies express in the Post article surprise and anger over the possible infiltration of their data communications links without their permission.  Those links are not encrypted (Google is in the process of putting that measure into place) but the NSA seemingly did have to infiltrate what the Post calls "gold standard" security measures to gain access to the companies' networks.

F-Secure CRO Urges EU Countries to Steer Away from U.S. Built Systems


Cybersecurity expert and Chief Research Officer for Finnish software company F-Secure, Mikko Hyppönen, today urged EU countries to steer clear of U.S. software and services in light of the ongoing revelations that the NSA engages in mass surveillance of EU citizens and officials.  Speaking at TEDx Brussels on a day when the latest Snowden disclosure revealed that the NSA collected data on 60 million phone calls in yet another European country, Spain, during a recent month, Hyppönen said EU countries should "try to steer away from systems built in the United States."

The big challenge is that "any single company in Europe cannot build replacements" that rival U.S. technology in terms of scope and utility.  The solution lies in EU countries banding together to build open source systems "then one country doesn't have to solve the problem by itself," Hyppönen suggested.

Although all countries engage in surveillance, the real problem lies in the concentration of technological dominance in the United States.  "How many Swedish decision-makers use U.S.-based services" such as Windows or cloud-based services every day, he asked. Conversely, "how many American leaders use Swedish-based services?"

Even services developed outside the U.S., such as Skype, become subject to insecurity once they're acquired by American firms within the reach of the NSA, he said.  "Once again we take something that is secure and make it insecure on purpose."

Even though the NSA only has the legal right to monitor foreigners, "96% of the planet is foreigners.  It is wholesale surveillance of all of us," Hyppönen said.

Regarding the apparent discrepancy between leaked NSA slides that indicate U.S. technology companies, such as Microsoft and Google, cooperate with the intelligence agency via backdoors or some other means of secret access and those companies' denials that such cooperation exists, Hyppönen floated an alternative explanation.  "One explanation is that these parties or service providers are not cooperating but they've been hacked.  In this case they've been hacked by their own government."

Regarding the massive scale of NSA's surveillance activities, Hyppönen compared the new NSA data center under construction in Utah to IKEA stores, saying the new center is five times larger than the largest IKEA store. "How many hard drives could you fit into an IKEA store?" he asked.  "They can keep the data for decades."

The two biggest technological revolutions in recent history, the Internet and mobile communications, "turned out to be the most perfect tools for the surveillance state," Hyppönen said. "It turns out George Orwell was an optimist."

NIST Cybersecurity Framework Is Improved But Best Part Is the Community It Has Created


The National Institute of Standards and Technology (NIST) released on Tuesday its "official" preliminary comprehensive critical infrastructure cybersecurity framework as required under President Obama's February executive order, and most people involved say it's an improvement over previous versions.

After talking to a number of the key participants in the framework process, I noticed that despite the varied and widespread critiquing of the framework from a diverse and often fractious bunch of cybersecurity specialists, lawyers and engineers, one thing stood out:  the framework has created a community of people willing to collaborate on cybersecurity for the common good.

As one participant noted, "what we've developed is a framework for people working together." Unfortunately the framework itself still falls short in terms of actually improving cybersecurity in the eyes of many participants.  But there's still time for more changes before the framework is finalized in February, and it will probably continue changing well after that.

Here's my latest take in my ongoing series on the framework for CSO Magazine.  Check it out.
