Cyber Round Up: Cybersecurity in Federal Procurement, FTC to Police Cybersecurity, NIST Cyber Standards Report
- Guidance Memorandum Drafted to Improve Cybersecurity (The National Law Review): The Office of Management and Budget (“OMB”) issued a draft memorandum aimed at improving cybersecurity protections in the Federal acquisitions sector. The proposed guidance imposes requirements on two types of systems: 1) systems “operated on behalf of the government” such as data processing services; and 2) “internal contractor systems” used to provide a product or service for the government where Controlled Unclassified Information (“CUI”) is processed incidental to the performance of the contract. The OMB advises the Federal Acquisition Regulatory Council to amend the Federal Acquisition Regulation (“FAR”) to include contract clauses that address five cyber-related areas: 1) security controls, 2) cyber incident reporting, 3) information system security assessments, 4) information security continuous monitoring, and 5) business due diligence. Read the full article here.
- Cybersecurity Within FTC’s Purview (Reuters.com): On August 24, a U.S. Circuit Court of Appeals in Philadelphia held that the FTC has the authority to regulate corporate cyber security. The ruling allows the FTC to pursue lawsuits against corporations for failing to properly protect consumers’ information. This case involves hackers who breached hotel operator Wyndham Worldwide Corp’s computer system, stealing credit card and other customer information and leading to over $10.6 million in fraudulent charges. Read the full article here.
- NIST Publishes Cybersecurity Standards Objectives (The National Law Review): The National Institute of Standards and Technology (“NIST”) published a draft of its objectives for cybersecurity standardization. Instead of adopting government-specific standards, the draft suggests that federal agencies should support development of international consensus standards in cybersecurity areas such as cryptographic techniques, IT system evaluation, identity management, network security, software assurance, and supply chain risk. The report includes a matrix that may be used by agencies and industries as a roadmap for developing cybersecurity standards. Read the report here.
FBI unable to hire number of computer scientists authorized, according to Inspector General program audit
The Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorized to employ under the Justice Department’s Next Generation Cyber Initiative launched in 2012, according to a report released today, July 30, 2015, by the Department of Justice Office of the Inspector General. Although the “audit found that the FBI has made considerable progress towards achieving the goals it established for the Next Gen Cyber Initiative,” it also concluded:
- the NCIJTF [National Cyber Investigative Joint Task Force] did not have a process to measure the timeliness of information sharing among members;
- recruitment and retention of qualified candidates remain a challenge for the FBI, as private sector entities are often able to offer higher salaries and typically have a less extensive background investigation process;
- the FBI has encountered challenges in attracting external participants to its established Cyber Task Forces;
- the FBI did not hire 52 of the 134 computer scientists for which it was authorized; and
- 5 of the 56 field offices did not have a computer scientist assigned to that office’s Cyber Task Force.
Finally, although the FBI is working to develop strategies to enhance outreach to private sector entities, it continues to face challenges partnering and sharing information with these entities.
The editorial position of this blog is that it is critical for policy, law and investigations — both criminal and national security intelligence investigations — to be “tech informed.” The Cyber Task Forces all need a computer scientist. Additionally, it is no surprise that low pay and lengthy and intrusive background checks inhibit the Bureau’s hiring process, but we are confident that sufficient adequately trained personnel not motivated exclusively by pay and not deterred by the drug policy (p.8) can be found out of a nation of 320 million persons.
You can read the entire report by clicking here or on the image, below.
A response by the FBI to the Inspector General is on page 28 of the report.
Additional coverage of this story can be found, here.
[The opinions expressed in this post are those of the author and the blog editor and not necessarily those of Syracuse University, its College of Law, or of the Institute for National Security and Counterterrorism.]
Dark Web is a new report from the Congressional Research Service dated July 7, 2015. (Most of you are probably aware that CRS reports are not released to the public but tend to get linked and generally are pretty well done.) The report summarizes:
The layers of the Internet go far beyond the surface content that many can easily access in their daily searches. The other content is that of the Deep Web, content that has not been indexed by traditional search engines such as Google. The furthest corners of the Deep Web, segments known as the Dark Web, contain content that has been intentionally concealed. The Dark Web may be used for legitimate purposes as well as to conceal criminal or otherwise malicious activities. It is the exploitation of the Dark Web for illegal practices that has garnered the interest of officials and policy makers.
Just as criminals can rely upon the anonymity of the Dark Web, so too can the law enforcement, military, and intelligence communities. They may, for example, use it to conduct online surveillance and sting operations and to maintain anonymous tip lines. Anonymity in the Dark Web can be used to shield officials from identification and hacking by adversaries. It can also be used to conduct a clandestine or covert computer network operation such as taking down a website or a denial of service attack, or to intercept communications. Reportedly, officials are continuously working on expanding techniques to deanonymize activity on the Dark Web and identify malicious actors online.
Delivered today, July 08, 2015: Going Dark: Encryption, Technology, and the Balances Between Public Safety and Privacy
Joint Statement of James B. Comey, Director, Federal Bureau of Investigation, with Deputy Attorney General Sally Quillian Yates, Before the Senate Judiciary Committee in Washington, D.C.
Good morning, Chairman Grassley, Ranking Member Leahy, and members of the Judiciary Committee. Thank you for the opportunity to testify today about the growing challenges to public safety and national security that have eroded our ability to obtain electronic information and evidence pursuant to a court order or warrant. We in law enforcement often refer to this problem as “Going Dark.”
We would also like to thank this committee more generally for its continued support for the mission of the Department of Justice. We know that you, like us, take very seriously the role of the Department in protecting the public in a manner that upholds the Constitution and the rule of law.
In recent years, new methods of electronic communication have transformed our society, most visibly by enabling ubiquitous digital communications and facilitating broad e-commerce. As such, it is important for our global economy and our national security to have strong encryption standards. The development and robust adoption of strong encryption is a key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cyber security. The Department is on the frontlines of the fight against cyber crime, and we know first-hand the damage that can be caused by those who exploit vulnerable and insecure systems. We support and encourage the use of secure networks to prevent cyber threats to our critical national infrastructure, our intellectual property, and our data so as to promote our overall safety.
Click on the thumbnail to read the actual text of the ‘‘Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015’’ or the ‘‘USA FREEDOM Act of 2015,” signed last evening by the President.
“The United States considers the promotion of an open and secure internet to be a key component of our foreign policy,” said Secretary of State John Kerry on May 18, 2015, in South Korea.
Although the July 2011 Department of Defense Strategy for Operating in Cyberspace has already been replaced by The DoD Cyber Strategy, the May 2011 International Strategy for Cyberspace has not been superseded and is not expected to be anytime soon. Thus, Kerry’s speech is our most current and comprehensive summary of the U.S. State Department’s positions on cybersecurity. (A writer at justsecurity.org called for a new international strategy for cyberspace last fall.)
Little is new in the speech. State still supports multistakeholderism and opposes multilateralism. (More on that over at nextgov.com.) It still considers access to the Internet, privacy, and censorship in cyberspace to be human rights issues. Review Secretary Kerry’s speech for yourself. Below is the official text, and between here and there is video of the actual speech.
An Open and Secure Internet: We Must Have Both
Secretary of State
Seoul, South Korea
May 18, 2015
SECRETARY KERRY: (Applause.) Well, good afternoon, President Yeom. Thank you very much for a generous introduction. Distinguished guests, all, I’m delighted to be here and I want to thank the university, and particularly Park No-young, the Director of the Cyber Law Center, for inviting me to be here today. Thank you very, very much.
“I’d say our [cyber] defense isn’t working” – Former Director of the National Security Agency Keith Alexander.
In a keynote address at the American Enterprise Institute, Alexander told the audience that “if everybody’s getting hacked … industry and government … the strategy that we’re working on is flawed.” Critical infrastructure is vulnerable to cyberattacks and several nation states have developed the necessary cyber arsenal to strike critical infrastructure. Yet, our cyber defense isn’t working. This is not the first time nations have developed weapons that break through defense systems. The nuclear terror of the Cold War presented a similar complication.
In cyber defense, can Cold War-style deterrence work? Relying primarily on the words of Keith Alexander, Eric Rosenbach (principal cyber advisor to the Secretary of Defense), and Scott Jasper (retired Navy captain and lecturer at the Naval Postgraduate School), Mark Pomerleau examines this question in an article for DefenseSystems.com.
Pomerleau first sets out Jasper’s definition for deterrence, breaking it down into potentially three components: deterrence by punishment (the threat of retaliation), deterrence by denial (the ability to prevent benefit), and deterrence by entanglement (mutual interests). According to Rosenbach, a cyber deterrence policy would require a “whole-of-government” approach, in which the Department of Defense would need to:
(1) develop the capabilities to deny a potential attack from achieving its desired effect
(2) increase the cost of executing a cyberattack . . . DOD must be able to provide the president with options to respond to cyberattacks on the U.S., if required through cyber and other means,
(3) ensure that we are resilient, so if there is an attack that we can bounce back.
However, Pomerleau goes on to describe a number of issues in the cyber realm that differentiate the cyber defense situation from the Cold War nuclear defense situation. First of all, attribution is difficult in the cyber realm due to the ability of adversaries to re-route the source to a different location providing plausible deniability. Second, deterrence will not be as effective with the numerous criminal non-state actors involved in cyber attacks. Finally, traditional nuclear deterrence relies on an adversary having knowledge of the destruction that will result if they make a move, whereas in the cyber realm the effectiveness of a cyber threat depends in part on the secrecy of weapons.
While Pomerleau also describes potential solutions, they are couched in vague terminology, providing little reassurance. For instance, Rosenbach addresses the attribution problem by suggesting that the government reduce anonymity in cyberspace, without providing any information as to how the government would be able to accomplish that objective. Pomerleau also stresses the importance of international frameworks, a view shared by most, but despite numerous international conferences the vulnerabilities in cyberspace are still on the rise.
After finishing Pomerleau’s article, I pulled out a book of essays on cyber deterrence compiled by the National Research Council of the National Academies*. In one of the essays** in the book, Stephen J. Lukasik compared the nuclear deterrence policy to deterrence issues in the cyber realm. While Lukasik described many of the same issues in Pomerleau’s article, he noted the three aspects of deterrence that remain invariant:
(1) A defender’s response must be seen as technically feasible. In the nuclear case, very visible weapon tests and well publicized images of nuclear detonations and measured global radioactive fallout provided convincing demonstrations of feasibility.
(2) [T]he defender must be seen as credible, willing as well as able to respond. U.S. nuclear weapon use in WWII established that, and equivalent Soviet nuclear capabilities left little doubt what its response to a nuclear attack would be.
(3) [D]efense through deterrence requires being able to respond, with in-being offensive capability. While response to a cyber attack need not be a cyber counter-attack, international principles of armed conflict speak to proportionality of response and escalation control favors responding in kind. Thus cyber offense is a component of cyber deterrence.
I agree with Lukasik that feasibility, credibility, and ability are the cornerstones to a successful deterrence policy, but can this work in cyber defense? It seems like all three of those objectives suggest some sort of a demonstration to the world that it is feasible, we are able to strike, and our threats should be taken seriously.
While Lukasik argues that the response to a cyber attack should be limited to cyber offense, Rosenbach is cited in Pomerleau’s article advocating for a response policy that uses all the tools of foreign policy and military options.
This is a global issue, and everyone will be watching what policy the United States ultimately follows to fix the flaws in their cyber defense. If we continue to limit offensive actions, we limit deterrence by punishment. On the other hand, if we are too aggressive, we could open the door to more attacks. I agree with Rosenbach:
“The U.S. is a glass house when it comes to cyber.”
To read the full DefenseSystems.com article by Mark Pomerleau, click here.
*Proceedings of a Workshop on Deterring Cyberattacks – Informing Strategies and Developing Options for U.S. Policy, compiled by the National Research Council of the National Academies
We’ll have lots of analysis and commentary over time, no doubt, but we just want to make sure you all have a copy of the actual [U.S.] Department of Defense Cyber Strategy of April 2015 by posting it here:
Of course, it is always better to read the actual source document for yourself before reading what the reporters, pundits, analysts and experts have to say about it.
- Russian Hackers Used Two Unknown Flaws (Reuters Reports): A recent report by security firm FireEye determined that Russian hackers had been using flaws in Adobe’s Flash and Microsoft’s Windows operating system to try to get information about diplomatic targets in the United States and elsewhere. Adobe issued a fix for the breach on Tuesday, and while Microsoft is still working on a fix, Reuters reports that the Microsoft problem by itself is less dangerous. Read the full article here. To read the FireEye report, click here: FireEye – Russia’s Cyber Espionage Report
- Army and DEA Buying Remote Access Hacking Tools (Arstechnica.com Reports): An Italian company called Hacking Team sells a piece of malware remotely installed on a target’s computer or smartphone which collects data, and then transmits that data to an encrypted and untraceable server. According to Arstechnica.com, both the DEA and the US Army have been buying what the article calls a “questionable” remote access hacking tool for years. The article also notes that according to experts, it’s only a matter of time before these surveillance tools turn up in the hands of local law enforcement, if they haven’t already. Read the full article here.
- Pentagon’s “Blunt Force Trauma” Cyber Weapons (Politico Reports): Military services are looking to move beyond developing defense cyber capabilities to pursuing offensive “cyber weapons they could wield the way they now deploy fighter squadrons or infantry battalions.” The goal is to create weapons that have the same large-scale effect as conventional weapons. An example: turning an enemy surface to surface missile around and sending it home. To read more about these plans, read the full article here.
- Hackers Could Kill You With Your Oven (TheRegister.com Reports): As technology continues to improve, consumers are expecting more consumer goods to utilize the advantages that come with technological innovations. TheRegister.com provides the example of the simple iron to explain the ramifications of this trend. An iron has many settings for steam, so how would you as a consumer feel about creating an iPhone application that keeps track of each item of clothing you own and the setting required for each item, and then automatically applies that setting to your clothes? How about an oven you can set with your iPhone? According to TheRegister.com, “if something uses electricity, it will be connected.” If it is connected, a hacker can access it. What started as a neat way to set your oven from your living room results, potentially, in a hacker turning your gas on, then your pilot, and leaving you breathing deadly fumes in your sleep. According to the article, we need to find a solution which provides security to these connected devices before we begin integrating this type of technology into our consumer goods. Read the full article here.
- Wi-Fi Increases Hacking Risks on Airplanes (Wired.com Reports): A new government report suggests that hackers could take advantage of Wi-Fi on planes in order to hijack the navigation system or commandeer the plane through the in-plane network. In order for a hacker to gain access, a passenger need only visit a website with a virus or malware embedded. For the full article, click here. For a summary of which changes the report recommends for the Federal Aviation Administration, read an article by Threatpost.com, here. Read the full report here: GAO: Air Traffic Control Report
In 2010, the United States and Israel reportedly attacked Iran’s nuclear enrichment center using a computer worm that caused about 1,000 centrifuges to self-destruct. From recent reports by cybersecurity firms Norse and Cylance*, it appears that Iranians have begun a cycle of cyber retaliation. Unlike nuclear technology, cyber tools provide Iran with a usable weapon with the added bonus of plausible deniability.
The New York Times examined the Norse and Cylance* reports, as well as information gathered from American intelligence officials, and detailed their findings in an article on Iran’s recent cyber developments. According to the article, despite international sanctions, Iran has greatly increased the frequency and skill of its cyberattacks.
American intelligence officials are concerned about Iran’s cyber capabilities, but according to the article, the concern has nothing to do with sophistication. While Iran’s cyber capabilities are not as advanced as those of Russia or China, its attacks are the most concerning because they are aimed more at destruction. Destructive cyber attacks are the category of attacks that could escalate into attacks on critical infrastructure.
Norse and Cylance* report the same thing: Iran’s cyber attacks are politically motivated with a focus on retaliation. Iran is believed by many to have attacked American banks in retaliation for sanctions. Iran has also been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.
However, the reports also indicate a move away from ostentatious attacks toward quieter reconnaissance. As for the degree of escalation, the reports are mixed. Cylance* reports that in recent months (potentially due to the recent nuclear negotiation talks) there has been a notable drop in cyber activity. On the other hand, Norse (“which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods”) detected more than 900 attacks, on average, every day in the first half of March, showing no signs of Iran slowing down.
There is also evidence in the reports supporting the fear that Iran will escalate cyber attacks by targeting critical infrastructure. From the NYTimes article:
In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks. . . . Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. . . . Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.
In 2010 the Stuxnet worm proved to be a cyber “win” for the United States, but just as in non-cyber warfare, winning the battle is not the same as winning the war. To read the full New York Times article, click here.
For the full Norse report, click here: Norse: The Growing Cyber Threat from Iran
*It is unclear which Cylance report NYTimes is referring to, as they do not link any report to their article. The most recent report concerning Iran is the Operation Cleaver report. The Crossroads Blog posted an in-depth discussion of this report, accessible here. For the report itself, click here: Cylance – Operation Cleaver Report
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.