Lieberman is Not Proud of the Senate. But Is Any Cyber Security Bill Doomed?


After two years of work, and on the eve of a month-long election year recess, the U.S. Senate failed today to move forward a controversial cyber security bill. S. 3414, the Cyber Security Act of 2012 introduced by Senator Joseph Lieberman (I-CT) and Senator Susan Collins (R-ME), was shot down in a maneuver by Senate Majority Leader Harry Reid (D-NV) to introduce a cloture motion, ending any further debate or amendments. The final vote was 52 Senators in favor of cloture and 46 against it; Senate rules require at least 60 votes in favor of cloture.

Two things scuttled the bill's prospects in the Senate.  First, the emergence of partisanship on the previously non-partisan issue of cyber security pitted the Administration and Senate Democrats against Republicans, a newly formed rift heightened all the way around by the Supreme Court's decision to affirm Obama's health care law.  Secondly, private sector critical infrastructure entities covered by the bill, with particularly potent representation by the U.S. Chamber of Commerce, opposed what they perceived as unnecessary government regulation of their cyber security practices, even as Senate Democrats (with an assist by the Obama administration) watered down provisions in the bill regarding mandates on critical infrastructure industries into "voluntary" reporting procedures regarding discovered cyber security threats.

Speaking before the vote occurred, Lieberman said "this is one of those days that I fear for our country and I'm not proud of the United States Senate. It's not that there is a speculative threat to our country – it's real and it's here now."

Lieberman said that "when it comes to cyber war, we are where we were in 1993 with Islamic terrorism," quoting General Keith Alexander, Head of the National Security Agency and a proponent of the bill who helped the Obama Administration lobby for it during a last-minute push.  "We pretty much all agree on that here and yet we've descended once again into gridlock. The end result of that is a lot of sound and fury that will accomplish nothing and leave our country vulnerable."

Lieberman may be right that we're in the ignorance-is-bliss phase that precedes unexpected, impending disaster when it comes to cyber security, particularly security for our most critical infrastructures, such as the electric grid.  But, like the volatile, unpredictable set of forces that gave rise to 9/11, security in the cyber age  is an elusive, ever-changing target, which is why some experts favor flexible solutions as opposed to government-defined answers.

The inherently ungraspable nature of cyber security also leads to the confusing set of often contradictory rules under which most critical infrastructure providers operate.  Electric utilities, for example, try to abide by the fluid (and often unclear) set of requirements and recommendations that flow forth from at least 27 different bodies, from the Cross Sector Cyber Security Working Group at DHS to the Critical Infrastructure Protection requirements mandated by industry group North American Electric Reliability Corporation to U.S. Cyber Command at the Department of Defense to a host of industry technical standard setting bodies.

It's no surprise, then, that the Senate came close but failed to pass a cyber security bill. Against the backdrop of partisan fighting, industry opposition and crazy-quilt rules which attempt to make sense of a highly specialized and abstract topic, it's possible that any cyber security legislation is doomed at the outset. Lieberman says he's not "going to be petulant" and is willing to continue trying to hammer out a compromise, so don't rule out a surprise rescue.

But, as Paul Rosenzweig points out, the more likely scenario is for the Obama Administration to simply chuck the Congress and adopt many of the bill's requirements through executive order.  Senator Dan Coats (R-IN) predicted as much before the cloture vote.


Was Google Fiber Not Able to Cut Deals with Time Warner, Fox or Disney?


Google's much-discussed big fiber project in Kansas City officially launched today and will no doubt be endlessly analyzed in the tech media and closely watched for innovations as the weeks and months progress. The big selling point of the search giant's experiment is the gigabit broadband service, which Google is touting as 100 times faster than what most Americans receive and is priced at a remarkably competitive $70/month.

The second biggest selling point is the "free" 5 Mbps download Internet service, available for a one-time fee of $300. But the third biggest selling point, and the worst kept secret in the world, is Google's package of 159 cable channels, which is bundled together with the gigabit broadband service for a still-competitive $120/month.

But a closer look at those 159 cable channels reveals something interesting:  not a single one is owned by top cable program network owners Time Warner, News Corp. or Disney-ABC Networks.  Time Warner owns CNN, HBO, Cartoon Network and a number of popular and, some would say, mandatory networks.  Disney-ABC Networks owns the Disney Channel and another mandatory cable network, ESPN (along with a host of ESPN-affiliated networks), plus a number of other popular cable channels.  News Corp. owns a host of channels under the Fox brand name, including a number of sports channels (Big Ten Network, Fox College Sports and more), FX Networks, Fox Reality Channel, the National Geographic Channel and the arguably mandatory channel, Fox News.

So why did Google launch a video programming package that is missing CNN, ESPN, HBO and Fox News?  In all likelihood, Google was unable to cut a deal with any of the three programming giants by the time of today's announcement.

Although Time Warner was obligated (until this very weekend in fact) to make its programming available to competitive multichannel video programming providers under program access requirements enacted by the Congress in 1992 and subsequently adopted by rulemaking at the FCC, those obligations no longer stand because Time Warner Cable, the operator in Kansas City, no longer has ownership ties with the programmer. Neither News Corp. nor Disney-ABC ever had any obligation to sell its programming to competitive providers.

The only cable programmer under the program access requirements (which apply only to vertically integrated programmers - i.e. companies that own both cable networks and cable systems) obligated to sell to Google is Comcast-NBC Universal and Google is carrying most of Comcast-NBC Universal's channels, including E! Entertainment, MLB Channel (jointly owned by Comcast-NBCU, MLB and others) and the Golf Channel.

Google is telling the world to stay tuned and watch for new announcements over the coming weeks.  Maybe some of those announcements will include the addition of new channels from Time Warner, News Corp. or Disney-ABC.

Information Sharing, Flexibility Are Key to Utility Cyber Security, Officials Tell Senate



Mechanisms should be put into place that allow for adequate, actionable information sharing among utility cyber security specialists and government agencies charged with monitoring security threats, a group of government and industry self-regulatory officials said today during a hearing held by the Senate Committee on Energy and Natural Resources. “There should be a mechanism in place for sharing that [cyber threat] information in a timely and effective manner,” Gregory Wilshusen, Director of Information and Technology at the General Accounting Office (GAO), said during his testimony.

The widely recognized problem in sharing information about cyber threats was documented in a GAO study, which found that sensitive national security-related cyber threat information wasn't being filtered down to electric utilities. “The information that DHS provided was not meeting the expectation of their private partners. The information was not actionable and timely,” Wilshusen said.

“The information is ad hoc across agencies,” Gerry Cauley, President and CEO of the North American Electric Reliability Corporation (NERC), testified. “We have very limited access to clearances within the industry, particularly on the top secret side.”

“We hear from our utilities that it is a one-way information street,” Todd Snitchler, Chairman of the Ohio Public Utilities Commission, said, referring to the frustration utilities experience in not gaining early knowledge about threats well-known among federal security organizations. Also hindering the flow of two-way information is utilities' fear of liability or exposure when they do report threats to state or federal authorities. “Anonymous sharing would help,” Snitchler added.

Although minimum technical standards, such as those developed by NERC or under development by the National Institute of Standards and Technology (NIST), are essential for maintaining adequate cyber security, flexibility to respond to unique threats in fluid situations is equally essential.

“Individual entities have to have the latitude to have the directive but not be so prescriptive as to tie them into a certain response,” Joseph McClelland, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission said. “The standard needs to compel action but provide latitude.”

Multiple layers of standards and instructions are needed to provide that flexibility, Wilshusen said. “You don't want to have to change the standard when a new threat comes along.”

Committee Chair Jeff Bingaman (D-NM) pressed the witnesses to address the threat of electromagnetic pulses (EMP) to the power grid from enemy attack or solar flares, an issue raised last week by former Republican Speaker of the House Newt Gingrich in a widely published op-ed piece following the Northeast storm-induced power outages. McClelland said that coordinated studies need to be done and standards need to be developed to address EMP threats. 

Bingaman was not, however, satisfied with this response. “I get this feeling we might be studying this issue while the electric grid collapses,” he said.

Senator Al Franken (D-MN) probed the issue of supply chain threats, given that many of the components, such as semiconductors, that make up the new digital grid are manufactured in countries, such as China or North Korea, which may have a vested interest in monitoring or controlling the U.S. grid. Wilshusen conceded that supply chain threats are real. “IT supply chain is a vulnerability. We looked at several agencies, DHS, Energy and Department of Defense and we found that agencies haven't adequately developed mechanisms to address that vulnerability.”

The hearing took place in advance of a compromise cyber security bill that the Senate will likely begin considering by the end of next week. Championed by Joseph Lieberman (I-CT), the legislation will focus on information sharing among critical infrastructure industries and federal agencies. Lieberman and the Obama Administration have been pushing for legislation that allows the Department of Homeland Security to impose minimum, mandated security requirements on critical infrastructure, including utilities.

What Smart Meter Activists Lack in Science, They Make Up for in Effectiveness




Today's pace of increasingly rapid technological change fosters all kinds of psychological and social dislocations, and nowhere is this more true than with the advent of the smart grid, which requires digital smart meters to be installed at every customer's location. The worries spawned by the devices, which feature two-way radio or RF communication features, seem to be growing, with dozens of campaigns underway to block the meter installations or, at a minimum, allow customers to opt out of them.

Over the past month, developments have pushed the issue of smart meter threats more clearly onto the national radar screen. Last week, Maine's highest court ruled that the state's public utility commission failed to adequately address potential health risks associated with the meters and urged the regulatory authority to give smart meter detractors an opportunity to air their concerns.

At the end of June, staff at the Michigan Public Service Commission issued a report concluding that although they believe smart meters do not pose health risks, ratepayers should be given the right to opt-out of the devices. And from Vermont to Texas to Maryland to Hawaii, anti-smart meter groups are pushing to get mandatory smart meter installations overturned or modified to allow for opt-outs.

Three fears are fueling the smart meter fire: fear over purported health risks, fear over potential privacy invasion and fear of increased cyber security threats. While everyone agrees that smart meters do in fact raise legitimate privacy concerns due to the increased data generated by the devices, and no one doubts that the nation's electrical infrastructure is more vulnerable to cyber threats now that digital technology is part of the power grid, the issue of health risks caused by meters is hopelessly muddled.


Scientific Researchers Can Find No Evidence of RF Risks But Won't Rule Them Out

On the one hand, industry groups, engineers and mainstream scientists make a solid case that no scientific evidence exists that smart meters cause any of the health problems attributable to RF “radiation,” from cancer to neurological conditions such as depression to heart disease to ocular burning. Virtually all of the commonly accepted scientific research cited by anti-smart meter advocates ties back to research on cell phones and the potential of these mobile devices to cause electromagnetic illnesses.

But even here the evidence is weak and can't be applied to smart meters. The amount of RF radiation from cell phones dwarfs any possible exposure from smart meters and can't be used as a comparison, experts say, adding that few people plan to hold their smart meters against their heads or near their bodies anyway, as they do with cell phones.  Virtually all generally accepted scientific research on cell phone radiation concludes that insufficient evidence exists to link electromagnetic illnesses with the devices.

However, a few generally accepted scientific studies have been unable to rule out the adverse effects of cell phones, using careful and qualifying language that anti-smart meter advocates have pointed to as “proof” of the potential problems that could be caused by smart meters. A widely reported and respected study conducted by the World Health Organization concluded that no evidence exists that mobile phones cause certain kinds of brain cancer, as has been alleged. But, this same study did conclude that there were “suggestions” that the incidence of a particular kind of brain tumor, glioma, increases with mobile phone use. “The possible effects of long-term, heavy use of mobile phones require further investigation,” the report concluded.

The couched, careful language of science, which rarely wanders far from the evidence, doesn't help quell fears when it comes to proving that smart meters pose no health risks. As another example, in a presentation to the Michigan PSC earlier this year, researchers at the Lawrence Berkeley National Laboratory kicked off their talk with the following double-edged conclusion:
While scientific evidence overwhelmingly concludes there are no problems related to smart meter RF exposure, health science cannot conclude that individuals will not experience negative side effects.


Smart Meter Opponents Don't Necessarily Have Science on Their Side...But They're Effective

Smart meter opponents often rely on research, or sometimes just arguments and assertions, that don't hold water among traditional scientists. A frequent source of substantiation on the adverse effects of smart meters is the American Academy of Environmental Medicine (AAEM), an organization backed by doctors concerned about environmental illnesses.

In April, the AAEM released a position paper, one of many, that called for “immediate caution regarding smart meter installations,” saying that “significant harmful biological effects occur from non‐thermal RF exposure.” Although impressive sounding, the AAEM is not recognized by traditional medicine organizations and has been labeled a “questionable” organization by Quackwatch for often venturing into uncharted alternative therapy territory.

What smart meter opponents lack in hard science, however, they make up for in energy and passion. And thus far they have been very effective in changing how smart meters get deployed.

Smart meter opponents were a driving force behind the California PUC's decision earlier this year to give PG&E customers opt-out rights, which has sparked a chain reaction of opt-out requirements throughout the state. In May, Vermont took the issue a step further and eliminated utility-requested fees that customers had to pay in order to opt out. The Maine court decision last week stemmed from appeal efforts mounted by smart meter opponents.

From Arizona to Wisconsin, there are 48 separate and active stop-metering groups bird-dogging smart meter roll-outs. Anti-smart meter organizations are in Canada, Australia, Europe and Japan. There are anti-smart metering consultants, experts (many of whom have scientific credentials), websites, videos and even feature films. Including independent groups that are concerned about "electrosmog" problems generally, at least 70 active groups are writing, advocating against or organizing against smart meters globally.

For reasons having to do more with privacy and cyber security than health risks, Tea Party activists are taking up the anti-smart meter flag in many areas of the country, applying the political skills learned during the heyday of that movement to advance another agenda.  Aggressive Tea Party efforts have stoked such fervent concerns in Nevada that the Public Utility Commission felt it had to hire armed guards for a smart meter hearing.

Even if some of the smart meter opponents have political smarts, most seem to be genuinely concerned about the ramifications of having so many electromagnetic waves buzzing around us and through us, particularly those among us who are “electromagnetically sensitive.” They intuitively and strongly believe that the smart meter is very much an unwelcome visitor into their homes, and are even concerned about being surrounded by homes served by smart meters.

Utilities, which seem surprised by the fervor of the anti-meter groups, worry that if too many people opt out of smart meters, the scale economics dictate higher deployment costs, and potentially higher costs for manually reading the old analog meters. Opt-out rates in California were initially below 1%, although PG&E believes that ultimately 150,000 of its 5 million customers, or around 3%, may opt out of the meters.

Utilities are trying to hold back the tide of concern through various individual consumer outreach efforts. The industry-backed Smart Grid Consumer Collaborative is trying to serve as a broader clearinghouse for listening to consumer and advocate issues and disseminating what information it can.

But at this point, the passion of smart meter opponents is unwavering and unresponsive to the somewhat traditional, rational responses these industry efforts put forth.  In a way it almost resembles the irresolvable debate between faith and science, with one side rooted in passionate belief and the other reliant on cold, hard scientific facts, baffled by the believers.

DHS: Most Critical Infrastructure Orgs We Respond to Lack Adequate Cyber Security Detection

The Department of Homeland Security's Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) issued a report last week documenting how the number of cyber threats involving protected critical infrastructure control systems has skyrocketed over the past two years, from 9 reported incidents in 2009 to 198 in 2011. The report, which summarizes and offers intriguing but vague details on cyber incidents and onsite investigations it has been involved with since the founding of ICS-CERT in 2009, concludes that most of the organizations to which ICS-CERT responded over the time period "were not prepared with adequate detection techniques."

In fact, the report notes that in 3 of the 17 onsite visits it made, the asset owners had to be notified by outside parties that an intrusion had taken place at their facilities.  In two additional cases, the cyber incident had been discovered by a hired third party, an outside consultant or integrator.

The failure by these asset owners (which could be energy -- utilities or oil and gas companies, for example -- water, nuclear, government or cross-sector organizations) to put into place adequate cyber detection programs is crucial because, as the report notes, "properly developed and implemented detection methods are the best strategy to quickly identify intrusions and implement mitigation and recovery procedures."

The detection methods needed appear to be simple ones. The report says that "ten organizations could have detected the intrusion by using ingress/egress filtering of known bad IP addresses or domain names."
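To show what that kind of check looks like in practice, here is an added example (not code from the ICS-CERT report or this article) that matches the external side of each connection in a handful of constructed firewall log lines against a blocklist of IP ranges and domain names. The log format, the indicator values (drawn from the RFC 5737 documentation address blocks) and the hostnames are all constructed for illustration.

```python
"""Ingress/egress indicator matching over constructed firewall log lines.

Ingress rule: flag inbound connections whose source IP is in a known-bad range.
Egress rule:  flag outbound connections whose destination IP or hostname is
known-bad. Subdomains of a blocklisted name are matched, but look-alike names
that merely end with the same letters (e.g. "notbad.example") are not.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list (hypothetical values, not real indicators).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BAD_DOMAINS = {"c2.bad-example.net", "dropzone.example.org"}

# Constructed log format: "<timestamp> <in|out> <src_ip> -> <dst_ip>[ host=<fqdn>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<direction>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?: host=(?P<host>\S+))?$"
)

# Constructed sample log: one benign flow, three indicator hits, one
# look-alike hostname that must not match, one malformed line, one inbound hit.
SAMPLE_LOG = [
    "2012-07-01T08:00:01 out 10.1.2.3 -> 192.0.2.10 host=updates.example.com",
    "2012-07-01T08:00:05 out 10.1.2.3 -> 203.0.113.44 host=cdn.c2.bad-example.net",
    "2012-07-01T08:01:10 in 198.51.100.7 -> 10.1.2.9",
    "2012-07-01T08:02:00 out 10.1.2.5 -> 192.0.2.55 host=dropzone.example.org",
    "2012-07-01T08:02:30 out 10.1.2.5 -> 192.0.2.56 host=notdropzone.example.org",
    "this line is not a flow record",
    "2012-07-01T08:03:00 in 203.0.113.9 -> 10.1.2.9",
]


@dataclass
class Alert:
    ts: str
    direction: str
    indicator: str   # the blocklist entry that matched
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ip_matches(addr, bad_networks):
    """Return the blocklisted network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in bad_networks:
        if ip in net:
            return str(net)
    return None


def domain_matches(host, bad_domains):
    """Return the blocklisted name that host equals or is a subdomain of, or None."""
    host = host.lower().rstrip(".")
    for bad in bad_domains:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def check_record(rec, bad_networks=BAD_NETWORKS, bad_domains=BAD_DOMAINS):
    """Apply the ingress rule to src or the egress rule to dst; return an Alert or None."""
    inbound = rec["direction"] == "in"
    external_ip = rec["src"] if inbound else rec["dst"]
    net = ip_matches(external_ip, bad_networks)
    if net:
        side = "source" if inbound else "destination"
        return Alert(rec["ts"], rec["direction"], net, f"{side} IP in blocklisted range")
    if not inbound and rec.get("host"):
        name = domain_matches(rec["host"], bad_domains)
        if name:
            return Alert(rec["ts"], rec["direction"], name, "destination host on domain blocklist")
    return None


def scan_log(lines):
    """Run every parseable line through check_record and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # malformed line: skip, a real deployment would count these
        alert = check_record(rec)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.direction:>3} {a.indicator:<22} {a.reason}")
```

Note that the IP rule runs first, so a flow whose destination is both in a bad range and resolves to a bad name is reported once, by the range.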

Another simple cyber security risk mitigation technique, keeping external thumb drives away from protected control systems, popped up in the report regarding an intrusion that took place on the enterprise network of an unnamed nuclear sector organization. In that situation, which required an onsite visit from the ICS-CERT team, an employee used a USB drive to copy presentations from an industry event onto the organization's computer.

The drive was infected by the Mariposa botnet, a piece of malware used in cyberscamming and denial of service attacks.  The virus ultimately infected 100 computers on the network.  (Interestingly, the instructor involved in that particular industry event refused to give ICS-CERT the names of the event's attendees or their companies so that DHS could follow up, vowing to instead contact the attendees himself or herself. "Unfortunately, ICS-CERT was not able to verify if the companies were ever contacted and to what extent they may have been impacted.")

The report is also notable for documenting the first verified instance of a U.S. control system being infected with the Stuxnet virus, a cyber weapon said to have been developed by the U.S. to interfere with Iran's nuclear program. Although the report offers few details about this Stuxnet infection, it does say a critical manufacturing facility was involved.
ICS-CERT deployed an incident response and analysis team to a critical manufacturing facility infected with the Stuxnet malware. ICS-CERT deployed a team of analysts to the facility and confirmed the presence of Stuxnet on all their engineering workstations as well as several other machines connected to their manufacturing control systems network.

U.K. to Allow Extradition of Web Entrepreneur to U.S....For Something That's Probably Not Illegal


An unprecedented intellectual property fight is underway involving a British university student who is under extradition order from the U.K. to the U.S. to face charges that could land him in prison in a country he has never visited. Richard O'Dwyer, a U.K. citizen and an interactive media student at Sheffield Hallam University, is under extradition order to the U.S. to stand trial for criminal infringement of copyright and conspiracy to commit copyright infringement. If convicted, he could wind up in a U.S. prison for ten years for a crime that would carry only a five-year sentence in the U.K.

In 2007, as a 19 year-old student, O'Dwyer founded a website, TVShack.net, which offered links to online TV shows, both legal and unauthorized.  O'Dwyer had no control over the links that TVShack.net's search engine produced and responded to requests by copyright holders to remove any offending links. TVShack.net hosted no content of its own. 

In 2010, under a program operated by U.S. Immigration and Customs Enforcement (ICE), O'Dwyer's domain was seized. In May 2011, the U.S. Justice Department asked for O'Dwyer to be extradited to the U.S. under a controversial 2003 US-UK extradition treaty, which makes it easier for either country to honor extradition requests from the other in criminal cases. In January 2012, a UK judge granted the U.S. request and in March Conservative Party member and Home Secretary Theresa May granted the request. O'Dwyer immediately appealed May's ruling, but for now the extradition order stands.

Along the way, O'Dwyer has become something of a cause célèbre in the U.K., highlighting what many of the country's political observers believe is an overly solicitous attitude by the British government toward the U.S. and its military and commercial interests.  And it's clear that U.S. commercial interests, very specifically the Hollywood studios, are behind ICE's push to make an intellectual property poster child out of O'Dwyer.

Hollywood, which has backed stern and often harshly punitive legislative, legal and international treaty efforts to strike at individuals whom the studios believe to be content pirates, has managed to keep a relatively low profile in the O'Dwyer fray. Part of the reason could be the public drubbing the studios experienced earlier this year, when Hollywood so riled the Internet and human rights communities that a Hollywood-backed bill, the Stop Online Piracy Act (SOPA), was defeated following massive international and web-based protests by leading Internet companies, including Google, Facebook, Twitter, LinkedIn and others.

Wikipedia co-founder Jimmy Wales is doing his part to elevate O'Dwyer's cause by launching a petition to stop his extradition. Wales points out "that no US citizen has ever been brought to the UK for alleged criminal activity on US soil" and that Britain's own Crown Prosecution Service investigated O'Dwyer and chose to bring no charges against him. Moreover, "America is trying to prosecute a UK citizen for an alleged crime which took place on UK soil," an absurdity which few Americans would tolerate if the UK tried to prosecute an American for a crime that took place on American soil.

Another salient aspect of the case: O'Dwyer's efforts are likely not even illegal in the U.S. O'Dwyer hosted no content himself; he merely provided links to TV content available on the web, only a portion of which was infringing content. U.S. law permits content linking, and O'Dwyer responded to take-down requests from copyright holders. All of which is permitted under U.S. law. At most O'Dwyer might have encouraged others to post links to unauthorized content (the conspiracy charge).

But as the UK's Guardian newspaper put it in an editorial, let's keep things in perspective.
To understand the absurdities of the case to extradite Sheffield undergraduate Richard O'Dwyer to the US, you can do one of two things. The first is to study internet and copyright law (on both sides of the Atlantic), and extradition precedent. The somewhat easier alternative is to imagine a giant sledgehammer hovering over a walnut, because what this case is really about is proportionality.

Growth in Google User Data Requests Jumps in Germany, Turkey, Australia, South Korea and U.S.


Internet giant Google released its twice yearly Global Transparency Report over the weekend and the big news coming out of this treasure trove of data is that government censorship, measured as government requests to Google for content take-downs, is on the rise, with surprising growth in Western and democratic nations such as the U.S., Spain and Poland.  

Google also released twice yearly data on the number of requests from government agencies and courts to hand over user data in what are presumed to be criminal investigations (Google notes in its FAQ section that it really isn't sure all the requests are truly pursuant to criminal investigations; some requests, for example, may reflect emergency situations where a life is at stake). These requests can include access to Gmail accounts, Google Documents, identification of YouTube video posters or information related to any Google product.

Google doesn't offer much detail about the kinds of data turned over to the government, saying that different kinds of requests come from different government agencies with different legal authorities.  The company says it may in the future offer greater transparency regarding exactly what kinds of information is given to which governments' agencies and for what kinds of reasons.

For the first time, the data released with the Global Transparency Report permits analysis of trends on an annual basis, with seemingly good data available for 2010 and 2011 for the bulk of countries for which Google tracks this information.  Based on our analysis, requests by governments for user data from Google grew the fastest in Germany, with the number of requests jumping 73.5% year-over-year, from 1,436 to 2,491.

Turkey came in second with an increase of 67.7% (growing from 96 in 2010 to 161 in 2011), followed by Australia with an increase of 47.7% (545 to 805) and South Korea, with an increase of 43.3% (360 to 516). Although topping the list in terms of sheer number of requests, probably indicative of the wider use of Google products in the U.S., the U.S. ranked fifth in terms of user data request growth, with the number of requests increasing by 38.06%, from 8,888 in 2010 to 12,271 in 2011.

Overall growth for user data requests for the countries analyzed (sufficient data for annual growth analysis was not available for a number of countries) was 19.3%.

The U.S., though, did rank first in terms of the number of such requests fulfilled by Google for the second half of 2010 and the two halves of 2011, with Google complying with these requests 94%, 93% and 93% of the time, respectively.

Of the countries analyzed, Argentina ranked last in terms of how often Google complied with the government requests - Google responded to the requests only about a third of the time during the first half and second half of 2011.  It's not surprising, then, that Argentina ranked dead last in terms of user request growth, with the number of such government requests in Argentina dropping by 46% from 2010 to 2011, sliding from 261 to 141.
