House passes new cybersecurity legislation

Today the U.S. House of Representatives voted nearly unanimously (422-5) to pass the Cybersecurity Enhancement Act of 2009, which becomes the first and only bill actually passed among the many security-related bills under consideration in both houses of Congress. Key provisions in the new legislation include:

  • Increased coordination of cybersecurity research and development efforts through a National Coordination Office for the Networking and Information Technology Research and Development, which would be tasked with producing a strategic plan for cybersecurity research and development;
  • Significant increases in the amount (rising to $90 million in fiscal 2014) of annual research funding for computer and network security research grants administered by the National Science Foundation;
  • The creation of a federal Cyber Scholarship for Service Program, which would pay for two years of educational studies towards a bachelor’s or master’s degree and three years towards a doctoral degree in “a cybersecurity field,” conditioned on scholarship recipients serving in the government for as many years as they received the scholarship;
  • Directing NIST to advance cybersecurity technical standards through means including representing the U.S. government in international technical development of cybersecurity standards; promoting cybersecurity awareness and education; and creating a dedicated research program related to identity management.

Focus on forensics looks like an early trend for 2010

A recent article in Washington Technology cites findings from forensic investigations by the Verizon Business Risk team to highlight the difficulty many organizations have in identifying — much less responding to — security intrusions and data breaches. It seems that while plenty of companies have appropriate tools and security measures in place to collect data that would, if analyzed thoroughly, provide evidence of incidents occurring, too little of that data is actually scrutinized until well after the events begin. Verizon’s forensic investigators more often than not find such evidence within the event logs maintained by the companies who call them in to investigate. The failure to achieve or maintain situational awareness in the face of increasingly common attacks can be attributed to multiple factors, including technical and analytic complexity, but all the industry experts quoted in the article point to insufficient focus on enforcement and awareness in security management. The all-too-common situation where technical or functional means of enforcement are lacking, even with appropriate security policies in place, is a recurring theme, and one we addressed a couple of months ago in the context of guarding against internal threats. The rise in interest in and use of security information and event management (SIEM) provides some evidence that enterprises are becoming more aware of what they’re up against in terms of cyber threats, but the utility of these controls is tied directly to the level of organizational commitment to put the commensurate security practices in place, and to invest in (human) security analysts and not just in tools.

With a bit of a different take on the same sort of problem, in another article published by Washington Technology this week, Sentek Consulting founder Erik Basu suggests that the emphasis on attack attribution by some government security programs is a position more private sector entities should seek to emulate. Federal agencies have several reasons for pursuing this type of forensic investigation, from the simple attempt to gain a better understanding of how vulnerabilities are exploited and how similar incursions might be prevented in the future, to the political, practical, and diplomatic considerations that constrain potential responses, including retaliatory actions. In general, government agencies also seem less reluctant to disclose cybersecurity incidents, both within the government community (as required under OMB guidelines) and in public. The fact that Google actually went public with the details of the attacks against it in China is in some ways more notable than the specifics of the attacks themselves. The government doesn’t face the same competitive drivers that commercial enterprises do, but Google’s disclosure is leading some companies and lots of security analysts to suggest that the benefits of greater disclosure may outweigh any potential negative impact.

Security monitoring essential to attack anticipation, even if the nature of the attack is unclear

Security analysts reported yesterday a noticeable spike in network traffic associated with the Pushdo botnet, whose computers somewhat curiously are sending large numbers of fake SSL connections to lots of high-profile websites, including those of the CIA, FBI, PayPal, Yahoo, Mozilla, Google, SANS, and Twitter. The traffic is noteworthy both for its volume and for the lack of any obvious reason why it is occurring; one security expert suggested the botnet might be sending this sort of traffic absent a real attack to make its future traffic seem less anomalous, essentially to help hide the location of the botnet’s command and control center. While the observed traffic volume was high enough to be noticeable, it stops far short of the level necessary to effect a denial-of-service attack, so observers are left wondering just what the point of the activity is, and what might be coming next. The concept of “attack anticipation” has long been a goal of some types of intrusion detection systems and, more recently, of security information and event management (SIEM) tools. The idea here is that by looking at events observed and correlated over time, a potential attack victim can try to predict whether something really significant is on the way. In this case, it’s pretty unusual for a botnet to draw a lot of attention to itself, so while the good news seems to be that those monitoring the network activity are aware of it, there is little speculation, never mind consensus, on what these initial observations mean.

International cybersecurity begins at home

In an op-ed piece in today’s Washington Post, Harvard Law professor Jack Goldsmith notes Secretary of State Hillary Clinton’s recent speech on Internet freedom and suggests that before the United States can credibly ask other countries to do more to limit cyber attacks and hold accountable individuals and organizations performing those attacks, we need to take steps to acknowledge our own country’s role in the global cybersecurity problem. Goldsmith points to the extensive use of botnets and botnet-based attacks originating from the U.S., to American activities in the area of “hacktivism,” and to the U.S. government’s classified-yet-assumed capabilities to launch offensive cyberattacks if necessary (to say nothing of the NSA’s cyber intrusion and intelligence gathering expertise). With a line of reasoning consistent with one expressed in this space in the context of the Google-China hacking incident, Goldsmith notes that the U.S. performs many of the same actions we condemn elsewhere, largely because we consider the motives behind our actions to provide justification. Goldsmith goes one step further to argue that because cyberattack methods can in fact be used for positive purposes, it would be a mistake for the U.S. to suspend or prevent these domestic activities, and invokes the sentiments of the NSA’s Lt. Gen. Keith Alexander, nominated to lead the newly-formed U.S. Cyber Command, who essentially says the best defense is a good offense. The relative merits of such arguments notwithstanding, Goldsmith is quite correct when he suggests that the U.S. cannot advocate the creation and enforcement of worldwide norms in cyberspace without including American operations and activities as part of the equation.

A sampling of privacy news from Data Privacy Day

Whether it’s coincidence or intentional, with January 28 being Data Privacy Day in the U.S. and Data Protection Day in Europe, there was a lot going on in information privacy. The single most consistent focus of concern appears to be Facebook, a company mentioned by name by both European Commissioners and FTC Commissioners, and against which Canada’s privacy commissioner launched a new investigation this week.

  • During her keynote speech at Data Protection Day, European Commissioner for Information and Society Viviane Reding called for a new approach of “privacy by design,” in which organizations take steps “to improve the protection of privacy and personal data from the very beginning of the development cycle.” Reding also indicated that the European Commission plans to move forward with a proposal on ways to reform the General Data Protection Directive to strengthen data protection laws and make them more consistent across Europe.
  • The European Commission also formally initiated legal action against Italy for violating EU privacy rules, specifically the Directive on Privacy and Electronic Communications, stemming from a practice where information taken from public directories is being used to create telemarketing databases, without the consent of the individuals whose information is being aggregated and used for this purpose.
  • The Federal Trade Commission held its second of three planned round table discussions on Exploring Privacy in California, where FTC Commissioner Pamela Jones Harbour also advocated privacy by design, particularly in the context of online privacy protections. Panelists at the event raised concerns about the apparent ease with which online data can be matched, so that supposedly anonymous data can be accurately associated with individuals.
  • As reported by eSecurity Planet, U.S. Representative Rick Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet, said publicly at a Congressional Internet Caucus event on Wednesday that he is nearly finished drafting new online privacy legislation, to address data collection and consumer protection practices, particularly for online marketing such as targeted advertising.