National Cybersecurity
In a 17-1 vote, the Permanent Select Committee on Intelligence approved the legislation that would expand a pilot Pentagon program for sharing classified and sensitive threat information with defense contractors and their Internet service providers. Under the measure, a longer list of companies would be eligible for access to classified data from the National Security Agency and other agencies.
The Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523) was introduced Nov. 30 by committee Chairman Mike Rogers (R-Mich.) and Ranking Member Dutch Ruppersberger (D-Md.). It would require the intelligence community to establish procedures for sharing classified cybersecurity intelligence with the private sector, and would provide incentives for private entities to share information with the government. But for the moment at least, it contains no privacy safeguards for personal information.
New reports on Nov. 28 backed initial DHS skepticism that the failure of a pump at an Illinois water utility was a foreign cyber attack on the system's supervisory control and data acquisition (SCADA) system. The Washington Post reported on Nov. 28 that the failure of a water pump was the result of an error by one of the utility's contractors, who was travelling in Russia at the time and accessing the SCADA system remotely. The report backs earlier conclusions by DHS cyber security teams that the failure of the pump at Curran-Gardner Public Water District in Springfield, IL, wasn't the work of Russian cyber criminals or agents. [Related article from Infosecurity. More from Wired.]
United States. Government Accountability Office. (2011, November). Cybersecurity human capital: Initiatives need better planning and coordination. (GAO 12-8). Retrieved from http://www.gao.gov/new.items/d128.pdf
Federal agencies have taken varied steps to implement workforce planning practices for cybersecurity personnel. Five of eight agencies, including the largest, the Department of Defense, have established cybersecurity workforce plans or other agencywide activities addressing cybersecurity workforce planning. However, all of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity. With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cybersecurity workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology (NIST). Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives. Finally, the robustness and availability of cybersecurity training and development programs varied significantly among the agencies. For example, the Departments of Commerce and Defense required cybersecurity personnel to obtain certifications and fulfill continuing education requirements. Other agencies used an informal or ad hoc approach to identifying required training. [Related article from Government Computer News.]
Enterprise Cybersecurity
Boldea, C. (2012). SCADA security in the context of corporate network integration. Constanta Maritime University Annals, 12(15), 159-164 [in press]. Retrieved from http://www.cmu-edu.eu/anale/anale_engleza/anale.html [Full text available via UMUC Library OneSearch.]
The paper presents some considerations regarding security management of Supervisory Control and Data Acquisition (SCADA) networks. Control systems are potential targets of attack from hackers, cyber terrorists, others who want to disrupt the critical infrastructure, disgruntled or former employees, and various collaborators who have worked within the organization. SCADA networks are usually seen as industrial equipment, not affected by cyber threats. Starting from the design of such a network, the focus is on functionality, with security seldom even being taken into consideration. Since SCADA networks tend to become more and more integrated with enterprise business networks, the risks are more and more similar, and this paper emphasizes the idea of having a unified perspective on security. A software solution for security monitoring and management integration is presented.
& broadly applicable items
Cyber crimes and cyber terrorism are becoming increasingly menacing, and the latter has been identified as a distinct threat requiring attention. At the 21st Aviation Security Panel Meeting of ICAO (AVSECP/21, 22 to 26 March 2010) a new Recommended Practice related to cyber threats was proposed for adoption by the Council as part of amendment 12 to Annex 17 (Security) to the Convention on International Civil Aviation (Chicago Convention). It was adopted on 17 November 2010, will become effective on 26 March 2011 and applicable on 1 July 2011. This Recommended Practice suggests that each Contracting State develop measures in order to protect information and communication technology systems used for civil aviation purposes from interference that may jeopardize the safety of civil aviation.

At the 22nd Meeting of the Panel, conducted by ICAO from 21 to 25 March 2011, the Panel noted the value of vulnerability assessments pertaining to cyber security in aviation, whose objectives are to evaluate the efficiency of existing mitigation measures and identify any vulnerabilities from a threat-based perspective, and further noted that better understanding of residual risks will support a State's efforts to refine its risk response. This article contains an analysis of what cyber crimes are as against cyber terrorism, measures taken to counter the threat along with a legal analysis of the threat as it affects aviation, and addresses several issues, including a discussion of some national efforts at curbing the problem in some prominent jurisdictions.
The latest round of documents published by Wikileaks offers a rare glimpse into the world of surveillance products. The collection — which Wikileaks calls the Spy Files — includes confidential brochures and slide presentations that companies use to market intrusive surveillance tools to governments and law enforcement agencies. A report that Wikileaks published alongside the documents raises concern about the growing use of mass surveillance tools that indiscriminately monitor and analyze entire populations. The group also points out that some of the products described in the documents are sold to authoritarian regimes, which use them to hunt and track political dissidents.

The details revealed by Wikileaks echo a recent report by The Wall Street Journal (WSJ) that discussed the surveillance industry. The publication analyzed approximately 200 documents from 36 separate companies as part of a special investigative project called The Surveillance Catalog. The material released by Wikileaks corroborates much of what the WSJ reported, but includes a broader range of material. [Related article from Infosecurity.]
Can you crack the code? That's the question Britain's electronic listening agency, GCHQ, is asking in an online campaign to find the next generation of cyber specialists. GCHQ quietly launched a cryptic website last month featuring a box of code made up of numbers and letters. There is no branding on the site, only the phrase "Can you crack it?" The agency has now revealed it is behind the campaign, and said Friday it's trying to reach individuals with "a keen interest in code breaking and ethical hacking" for careers at GCHQ. [http://www.canyoucrackit.co.uk/]