National Cybersecurity
Lieberthal, K., & Singer, P. W. (2012, February). Cybersecurity and U.S.-China relations. Retrieved from http://www.brookings.edu/~/media/Files/rc/papers/2012/0223_cybersecurity_china_us_lieberthal_singer/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf
This is not a technical paper for cyber specialists, but rather is intended to be read by a wider audience. Our goal was to craft a work that will be useful to both American and Chinese readers who are interested in the cyber security issue but are not technical specialists in it. We have written this to be of interest to people in the policy world and in the private sector, as well as the wider public. We have drawn from both Chinese and U.S. sources, and we have deliberately sought to avoid finger pointing. Our hope is that this paper—which is being published in both English and Chinese—will help shape useful discussions in the U.S. and China about a dialogue on cyber issues and, most importantly, to encourage both sides to move forward on this critical effort.
Martin, P. K. (2012, February 29). NASA cybersecurity: An examination of the agency’s information security. Retrieved from http://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf
Report of NASA's inspector general on an investigation that followed the November 2011 attack by hackers on the agency's Jet Propulsion Laboratory.
National Institute of Standards and Technology. Computer Security Division. (2012, February 28). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53, Revision 4). Retrieved from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period.
Norton, Q. (2012, February 26). Wikileaks pairs with Anonymous to publish intelligence firm's dirty laundry. Wired. Retrieved from http://www.wired.com/threatlevel/2012/02/wikileaks-anonymous-partners/
The first batch of leaked e-mails [Wikileaks site] purport to show that Stratfor monitored the political prankster group known as The Yes Men on behalf of Dow Chemical, which has been targeted by The Yes Men over the company’s handling of the Bhopal disaster. The e-mails also purport to show Stratfor’s attempt to set up an investment fund with a Goldman Sachs director to trade on the intelligence Stratfor collects, as well as give insight into how the private intelligence firm acquires, and sometimes pays for, information. Stratfor, which bills itself as a private intelligence organization, sells its analyses of global politics to major corporations and government agencies.
United States. Defense Advanced Research Projects Agency. (2012, February 23). High-assurance cyber military systems. Retrieved from http://cryptome.org/2012/03/darpa-hacms.pdf
The Defense Advanced Research Projects Agency is soliciting innovative research proposals in the area of the clean-slate development of software for high-assurance cyber-physical systems. Proposed research should investigate innovative approaches that enable revolutionary advances in science or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.
United States. Government Accountability Office. (2012, February 28). Challenges in securing the modernized electricity grid (GAO-12-50-7T). Retrieved from http://www.gao.gov/assets/590/588913.pdf
The electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure as part of nationwide efforts—commonly referred to as the “smart grid”—aimed at improving reliability and efficiency and facilitating the use of alternative energy sources such as wind and solar. Smart grid technologies include metering infrastructure (“smart meters”) that enable two-way communication between customers and electricity utilities, smart components that provide system operators with detailed data on the conditions of transmission and distribution systems, and advanced methods for controlling equipment. The use of these systems can bring a number of benefits, such as fewer and shorter outages, lower electricity rates, and an improved ability to respond to attacks on the electric grid. However, this increased reliance on IT systems and networks also exposes the grid to cybersecurity vulnerabilities, which can be exploited by attackers. Moreover, for nearly a decade, GAO has identified the protection of systems supporting our nation’s critical infrastructure—which include the electric grid—as a governmentwide high-risk area. GAO is providing a statement describing (1) cyber threats facing cyber-reliant critical infrastructures and (2) key challenges to securing smart grid systems and networks. In preparing this statement, GAO relied on its previously published work in this area.
Global Cybersecurity & broadly applicable items
Baldwin, A., Gheyas, I., Ioannidis, C., Pym, D., & Williams, J. (2012). Contagion in cybersecurity attacks [preprint]. Retrieved from http://www.abdn.ac.uk/~csc335/contagion.pdf
We develop and estimate a vector equation system of threats to ten important IP services, using SANS-reported data over the period January 2003 to February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems’ defence of sensitivity and criticality and thus delay appropriate information security investments.
Bradbury, D. (2012, February). When borders collide: Legislating against cybercrime. Computer Fraud and Security, 11-15. doi:10.1016/S1361-3723(12)70019-2 [Full text available in ScienceDirect database.]
It may be relatively easy to legislate against cybercrime inside a nation's borders, but how can legislation be enforced when criminals can simply move their activities across the globe? Why can hackers hide in Russia, China, and even Switzerland, happily launching cyber assaults in other countries, safe in the knowledge that it will be difficult for law enforcement in the target countries to take action against them? Have we failed in the creation of international legal standards to solve the problem?
Cavelty, M. D. (2012). The militarization of cyber security as a source of global tension [preprint]. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2007043
Cyber security is seen as one of the most pressing national security issues of our time. Due to sophisticated and highly publicized cyber attacks, most prominently among them the sabotaging computer worm Stuxnet, it is increasingly framed as a strategic-military concern. The result of this perception is too much attention on the low probability of a large scale cyber attack, a focus on the wrong policy solutions, and a detrimental atmosphere of insecurity and tension in the international system. Though cyber operations will be a significant component of future conflicts, the role of the military in cyber security will be limited and needs to be carefully defined [to be published in the Swiss Federal Institute of Technology Center for Security Studies' Strategic Trends Analysis, 2012.]
Charette, R. (2012, February 24). Smartphones becoming gateways to identity theft. IEEE Risk Factor. Retrieved from http://spectrum.ieee.org/riskfactor/telecom/wireless/smartphones-becoming-gateways-to-identity-theft
There were two stories this week that highlight the need for smartphone owners to look at security on their phones like they do on their other personal computing devices. The first was from Reuters, which on Wednesday reported that about 7 percent of all smartphone owners were victims of identity fraud in 2011. The statistic came from the research firm Javelin Strategy & Research, which also stated that its study indicated some 12 million Americans were victims of identity theft last year, a jump of 13 percent from 2011.
European Network and Information Security Agency. (2012, February 28). Cooperation between CERTs and law enforcement agencies in the fight against cybercrime: A first collection of practices. Retrieved from http://www.enisa.europa.eu/act/cert/support/supporting-fight-against-cybercrime/cooperation-between-certs-and-law-enforcement-agencies-in-the-fight-against-cybercrime-a-first-collection-of-practices/at_download/fullReport
The essential aim of this report is to improve the capability of CERTs, with a focus on the national/governmental CERTs (n/g CERTs), to address the network and information security (NIS) aspects of cybercrime. It focuses particularly on supporting n/g CERTs and their hosting organisations in the European Union (EU) Member States in their collaboration with the LEAs. It also intends to be a first collection of practices collected from mature CERTs in Europe, including among other things workflows and collaboration with other key players, in particular different law enforcement authorities, in the fight against cybercrime.
Google. (2012, February 27). Pwnium: Rewards for exploits. Retrieved from http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html
This year at the CanSecWest security conference, we will once again sponsor rewards for Google Chrome exploits. This complements and extends our Chromium Security Rewards program by recognizing that developing a fully functional exploit is significantly more work than finding and reporting a potential security bug. The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.
Kim, S. H., Wang, W., & Ullrich, J. B. (2012). A comparative study of cyberattacks. Communications of the ACM, 55(3), 66-73. doi:10.1145/2093548.2093568 [Full text available in ACM Computer Science Digital Library database.]
Cyber attacks are computer-to-computer attacks undermining the confidentiality, integrity, and/or availability of computers and/or the information they hold. The importance of securing cyberspace is increasing, along with the sophistication and potential significance of the results of the attacks. Moreover, attacks involve increasingly sophisticated coordination among multiple hackers across international boundaries, where the aim has shifted from fun and self-satisfaction to financial or military gain, with clear and self-reinforcing motivation.
Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012). SCADA security in light of cyber-warfare. Computers & Security [preprint]. doi:10.1016/j.cose.2012.02.009 [Full text available in ScienceDirect database.]
Supervisory Control and Data Acquisition (SCADA) systems are deployed worldwide in many critical infrastructures ranging from power generation, over public transport to industrial manufacturing systems. Whilst contemporary research has identified the need for protecting SCADA systems, this information is disparate and does not provide a coherent view of the threats and the risks resulting from the tendency to integrate these once isolated systems into corporate networks that are prone to cyber attacks. This paper surveys ongoing research and provides a coherent overview of the threats, risks and mitigation strategies in the area of SCADA security.
Palmer, M. (2012, February 22). GPS jammers threaten ships in Channel. Financial Times. [Full text available in ABI/INFORM Complete database.]
The illegal use of devices that block global positioning system signals is likely to cause a serious shipping accident in the English Channel within 10 years, senior academics will warn on Wednesday. The dependence on GPS is increasing across industry, in everything from aviation, financial-securities transactions and mining to road tolls, weather forecasting and synchronising the time in mobile base stations. The European Commission estimated last year that about EUR800bn of the EU economy depends on satellite navigation. But experts warn that this dependence is a vulnerability, as the system relies on weak satellite signals from 20,000km away in space, which can be easily interfered with, either accidentally or maliciously.
Perlroth, N., & Markoff, J. (2012, February 26). In attack on Vatican web site, a glimpse of hackers' tactics. New York Times. Retrieved from
Anonymous, which first gained widespread notice with an attack on the Church of Scientology in 2008, has since carried out hundreds of increasingly bold strikes, taking aim at perceived enemies including law enforcement agencies, Internet security companies and opponents of the whistle-blower site WikiLeaks. The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack. [Wired on Monday's arrest by INTERPOL of twenty-five alleged members of Anonymous.]
RSA 2012: Firms spend more on encryption to thwart attacks, comply with regs. Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/24268/rsa-2012-firms-spend-more-on-encryption-to-thwart-attacks-comply-with-regs/
Organizations are increasing their investment in encryption across the enterprise in response to compliance regulations and cyberattacks, according to a survey by the Ponemon Institute for Thales that was released this week at RSA. The main drivers for deploying encryption are to protect brand reputation (45%), lessen the impact of data breaches (40%), and comply with privacy or data security regulations (39%), according to the survey of 4,000 business and IT managers in the US, UK, Germany, France, Australia, Japan, and Brazil.
More from RSA 2012: Hacking, external actors dominate 2011 data breaches / Cybersecurity certification groups form industry collaborative