National Cybersecurity
Baldor, L. C. (2011, November 7). Cyber weaknesses should deter US from waging war. Associated Press. Retrieved from goo.gl/uvudv
America's critical computer networks are so vulnerable to attack that
it should deter U.S. leaders from going to war with other nations, a
former top U.S. cybersecurity official said Monday. Richard
Clarke, a top adviser to three presidents, joined a number of U.S.
military and civilian experts in offering a dire assessment of America's
cybersecurity at a conference, saying the country simply can't protect
its critical networks.
Donovan, F. (2011, November 9). Obstacles facing the US cybersecurity initiatives. Infosecurity Magazine. Retrieved from http://www.infosecurity-magazine.com/view/21850/obstacles-facing-the-us-cybersecurity-initiatves-/ [Requires free registration.]
Although the US government is paying more
attention than ever to the issue of cybersecurity, the recent battles in
Washington over budgets and austerity measures mean that funding could
potentially dry up in an instant. Fred Donovan surveys the experts to
get their take on where the nation’s cybersecurity program is heading.
Hoover, J. N. (2011, November 7). DARPA boosts cybersecurity research spending 50%. InformationWeek. Retrieved from http://www.informationweek.com/news/government/security/231902495
The Defense Advanced Research Projects Agency,
birthplace of the Internet, plans to increase its spending on cyber
research 50% over the next five years, and will increasingly focus on
offensive cyber capabilities as well as defensive capabilities, agency
director Regina Dugan said Monday.
"Modern warfare will demand the effective use of cyber, kinetic, and
combined cyber and kinetic means," Dugan said, speaking before the DARPA
Cyber Colloquium, a gathering of cyber professionals. "We need more
options, we need more speed, and we need more scale. We must both
protect its peaceful shared use as well as prepare for hostile cyber
acts that threaten our military capabilities." DARPA sought $208 million
in cyber spending in fiscal 2012, up from $120 million the year before,
and that's just the start of the jump in spending.
Rockwell, M. (2011, November 9). Interagency group defines common
cybersecurity language and skills. Government Security News. Retrieved
from http://www.gsnmagazine.com/node/24942?c=cyber_security [Related documents from the National Initiative for Cybersecurity Education.]
An interagency cyber security group has published a document aimed at
defining common terms, requirements and skill sets for those charged
with guarding against cyber attacks. The National Initiative for Cybersecurity Education (NICE) published a draft document
that classifies typical duties and skill requirements of cyber security
workers and has posted it for public review. The document is meant to
define professional requirements in cyber security, much as other
professions, such as medicine and law, have done, said the group in a
Nov. 8 statement.
Sternstein, A. (2011, November 3). Briefing: Corporate intelligence. Government Executive. Retrieved from http://www.govexec.com/story_page.cfm?articleID=49189
Businesses operating critical infrastructure, such as the energy and
banking sectors, want to join a new government program that would give
them access to classified intelligence on cyber threats. The program,
which is currently restricted to certain defense contractors, is aimed
at strengthening commercial networks serving the military. The thinking
at the Pentagon is that power companies and other
businesses vital to troops should be privy to malware surveillance
collected by the National Security Agency,
the military's spy branch. The Defense Department does not have the
authority to guard civilian systems. That responsibility falls to the
Homeland Security Department, which would be a key player in any such
initiative.
Zhang, Z. (2011). NERC's cyber security
standards: Fulfilling its reliability day job and moonlighting as a
cyber security model. Environmental Practice, 13(3), 250-264 [in press]. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1622012
This article gives an overview of the eight mandatory cyber security
standards by the North American Electric Reliability Corporation. As an
example of how standards are evolving it discusses CIP-002 – Critical
Cyber Asset Identification in depth because it establishes whether the
remaining seven standards apply. This article then compares the North
American Electric Reliability Corporation regulatory regime against
critical information infrastructure goals. The comparison finds that, at
least on a basic level, the electric industry’s mandatory cyber
security standards meet the critical information infrastructure goals
and work to secure information networks, resources, and systems from
cyber and physical threats. The mandatory cyber security standards
promote an increase in technological products, better security
management, personnel and public education and trust in the industry.
Even though the electric industry’s mandatory standards are imperfect,
the fact that they satisfy the goals of the cross-sector critical information
infrastructure indicates that the framework is sound. The electric
industry’s experience with mandatory cyber security standards is a
valuable source of information and the regulatory regime itself can be a
helpful model for other industries looking to develop their own
security protection systems.
Enterprise Cybersecurity
Schwartz, M. J. (2011, November 8). Apple excommunicates iOS cracker. Information Week. Retrieved from http://www.informationweek.com/news/security/mobile/231902576
Apple has given security researcher Charlie
Miller the boot from its iOS developer program after he publicly
demonstrated a proof-of-concept attack that would enable an app creator
to execute arbitrary code on any iPhone, iPad, or iPod Touch running iOS
version 4.3 or later. Miller has been suspended from the developer
program--which allows people to develop, test, and distribute iOS
applications--for one year. "First they give researcher's (sic) access
to developer programs, (although I paid for mine) then they kick them
out.. for doing research. Me angry," said Miller
in a tweet posted Tuesday. In a letter, Apple told Miller that it was
kicking him out of the program for breaking its terms of service.
Global Cybersecurity
Estonia takes down massive cybercriminal net. (2011, November 10). Infosecurity Magazine. Retrieved from http://www.infosecurity-magazine.com/view/21937/estonia-takes-down-massive-cybercriminal-net/
Reports are coming in that officials in
Estonia – arguably one of the most internet-savvy governments in the
world – have taken down a massive DNS-changing cybercrime operation
involving a click-fraud program that infected more than four million
computers in over 100 countries. Security researcher Brian Krebs
has observed that the police action – against the gang that raked in at
least $14 million – is possibly the “biggest cybercriminal takedown in
history.”
Ioannidis, C., Pym, D., & Williams, J. (2011). Information
security trade-offs and optimal patching policies. European Journal of
Operational Research, 216(2), 434-444. doi:10.1016/j.ejor.2011.05.050 [Full text available in the ScienceDirect database.]
We develop and simulate a basic mathematical model of the costly
deployment of software patches in the presence of trade-offs between
confidentiality and availability. The model incorporates representations
of the key aspects of the system architecture, the managers’
preferences, and the stochastic nature of the threat environment. Using
the model, we compute the optimal frequencies for regular and irregular
patching, for both networks and clients, for two example types of
organization, military and financial. Such examples are characterized by
their constellations of parameters. Military organizations, being
relatively less cost-sensitive, tend to apply network patches upon their
arrival. The relatively high cost of applying irregular client patches
leads both types of organization to avoid deployment upon arrival.
Melzer, N. (2011, November). Cyberwarfare and international law. Retrieved from http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-L-en.pdf
It is the purpose of this paper to provide an overview: (a) of the
potential restraints imposed on cyberwarfare by existing international
law, (b) of the most important difficulties and controversies raised in
the interpretation and application of international law to cyberwarfare,
and (c) of the potential humanitarian impacts of cyberwarfare. In view
of the constraints in terms of time and space, the envisaged overview
cannot be exhaustive but will have to remain selective, focusing on
providing a general understanding of the issues most relevant to
contemporary state practice. Moreover, in view of the technical and
legal complexity of the matter and the still rudimentary state of legal
research, the ambition of this paper must remain limited to
identifying issues and putting them into context, but cannot be to
authoritatively resolve them.
Smith, J. (2011, November 7). Unresolved questions dog international cybersecurity policies. National Journal. Retrieved from http://www.nextgov.com/nextgov/ng_20111107_6951.php [related report from the U.S. Office of the National Counterintelligence Executive.]
Cyberspace presents international security threats, many of which can
only be adequately met through international cooperation. But experts
say countries around the world are just beginning to work out the
complicated questions surrounding international responses to
cybersecurity. In the United States, businesses and government agencies
have reported a growing number of sophisticated cyberattacks. In a
report to Congress released on Friday, U.S. intelligence agencies said hackers
in China and Russia are stealing large amounts of U.S. technological
and trade secrets.