Today the U.S. House of Representatives voted nearly unanimously (422-5) to pass the Cybersecurity Enhancement Act of 2009, which becomes the first and only bill actually passed among the many security-related bills under consideration in both houses of Congress. Key provisions in the new legislation include:
A recent article in Washington Technology cites findings in forensic investigations by the Verizon Business Risk team to highlight the difficulty many organizations have in identifying — much less responding to — security intrusions and data breaches. It seems that while plenty of companies have appropriate tools and security measures in place to collect data that would, if analyzed thoroughly, provide evidence of incidents occurring, too little of that data is actually scrutinized until well after the events begin. Verizon’s forensic investigators more often than not find such evidence within the event logs maintained by the companies who call them in to investigate. The failure to achieve or maintain situational awareness in the face of increasingly common attacks can be attributed to multiple factors, including technical and analytic complexity, but all the industry experts quoted in the article point to insufficient focus on enforcement and awareness in security management. The all-too-common situation where technical or functional means of enforcement are lacking, even with appropriate security policies in place, is a recurring theme, and one we addressed a couple of months ago in the context of guarding against internal threats. The rise in interest in and use of security information and event management (SIEM) provides some evidence that enterprises are becoming more aware of what they’re up against in terms of cyber threats, but the utility of these controls is tied directly to the level of organizational commitment to put the commensurate security practices in place, and to invest in (human) security analysts and not just in tools.
With a bit of a different take on the same sort of problem, in another article published by Washington Technology this week, Sentek Consulting founder Erik Basu suggests that the emphasis on attack attribution by some government security programs is a position more private sector entities should seek to emulate. Federal agencies have several reasons for pursuing this type of forensic investigation, from the simple attempt to gain a better understanding of how vulnerabilities are exploited and how similar incursions might be prevented in the future, to the political, practical, and diplomatic considerations that constrain potential responses, including retaliatory actions. In general, government agencies also seem less reluctant to disclose cybersecurity incidents, both within the government community (as required under OMB guidelines) and in public. The fact that Google actually went public with the details of the attacks against it in China is in some ways more notable than the specifics of the attacks themselves. The government doesn’t face the same competitive drivers that commercial enterprises do, but Google’s disclosure is leading some companies and lots of security analysts to suggest that the benefits of greater disclosure may outweigh any potential negative impact.
Security analysts reported yesterday a noticeable spike in network traffic associated with the Pushdo botnet, whose computers somewhat curiously are sending large numbers of fake SSL connections to lots of high-profile websites, including those of the CIA, FBI, PayPal, Yahoo, Mozilla, Google, SANS, and Twitter. The traffic is noteworthy both for its volume and for the lack of any obvious reason why it is occurring; one security expert suggested the botnet might be sending this sort of traffic absent a real attack to make its future traffic seem less anomalous, essentially to help hide the location of the botnet’s command and control center. While the observed traffic volume was high enough to be noticeable, it stops far short of the level necessary to effect a denial-of-service attack, so observers are left wondering just what the point of the activity is, and what might be coming next. The concept of “attack anticipation” has long been a goal of some types of intrusion detection systems and, more recently, of security information and event management (SIEM) tools. The idea here is that by looking at events observed and correlated over time, a potential attack victim can try to predict if something really significant is on the way. In this case, it’s pretty unusual for a botnet to draw a lot of attention to itself, so while the good news seems to be that those monitoring the network activity are aware of it, there is little speculation, never mind consensus, on what these initial observations mean.
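As an added illustration (not code from the original post or from any vendor mentioned in it) of the two points above, that the evidence usually already sits in collected logs and that correlating events over time is how SIEM-style "attack anticipation" works, the following script baselines per-minute incomplete TLS handshakes to one destination and flags a minute that breaks the baseline. The log format, hostnames and addresses are constructed for the example.

```python
# Added example: a minimal over-time correlation over constructed connection logs.
# A "fake SSL" connection is modelled as a socket opened on 443 whose handshake
# never completes; a sudden burst of those from many distinct sources is flagged.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<HH:MM> <src_ip> <dst_host> <status>", where
# status is "ok" for a completed handshake and "nohs" for an incomplete one.
BASELINE = "\n".join(
    f"09:{m:02d} 10.0.0.{(m % 4) + 5} example.org {'nohs' if m % 5 == 0 else 'ok'}"
    for m in range(0, 10)
)
# Spike minute: 40 distinct sources, none of which completes a handshake.
SPIKE = "\n".join(f"09:10 203.0.113.{i} example.org nohs" for i in range(1, 41))
SAMPLE_LOG = BASELINE + "\n" + SPIKE + "\n09:11 10.0.0.6 example.org ok"


def parse(log):
    """Yield (minute, src, dst, status) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def incomplete_handshakes(records, dst):
    """Per-minute count and distinct-source set of incomplete handshakes to dst."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for minute, src, host, status in records:
        if host == dst and status == "nohs":
            counts[minute] += 1
            sources[minute].add(src)
    return counts, sources


def flag_spikes(records, dst, baseline_minutes=10, k=3.0):
    """Return (minute, count, distinct_sources) for minutes after the baseline
    window whose incomplete-handshake count exceeds baseline mean + k * stddev.
    Minutes seen in the log with no incomplete handshakes count as zero, so a
    quiet baseline makes even a small burst stand out."""
    records = list(records)
    counts, sources = incomplete_handshakes(records, dst)
    minutes = sorted({r[0] for r in records})
    base = [counts.get(m, 0) for m in minutes[:baseline_minutes]]
    threshold = mean(base) + k * pstdev(base)
    return [(m, counts[m], len(sources[m]))
            for m in minutes[baseline_minutes:] if counts.get(m, 0) > threshold]
```

On the constructed log the baseline minutes average 0.2 incomplete handshakes, so the 40-source burst at 09:10 is the only flagged minute; the distinct-source count is what distinguishes a distributed burst from one misbehaving client.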
In an op-ed piece in today’s Washington Post, Harvard Law professor Jack Goldsmith notes Secretary of State Hillary Clinton’s recent speech on Internet freedom and suggests that before the United States can credibly ask other countries to do more to limit cyber attacks and hold accountable individuals and organizations performing those attacks, we need to take steps to acknowledge our own country’s role in the global cybersecurity problem. Goldsmith points to the extensive use of botnets and botnet-based attacks originating from the U.S., to American activities in the area of “hacktivism,” and to the U.S. government’s classified-yet-assumed capabilities to launch offensive cyberattacks if necessary (to say nothing of the NSA’s cyber intrusion and intelligence gathering expertise). With a line of reasoning consistent with one expressed in this space in the context of the Google-China hacking incident, Goldsmith notes that the U.S. performs many of the same actions we condemn elsewhere, largely because we consider the motives behind our actions to provide justification. Goldsmith goes one step further to argue that because cyberattack methods can in fact be used for positive purposes, it would be a mistake for the U.S. to suspend or prevent these domestic activities, and invokes the sentiments of the NSA’s Lt. Gen. Keith Alexander, nominated to lead the newly formed U.S. Cyber Command, who essentially says the best defense is a good offense. The relative merits of such arguments notwithstanding, Goldsmith is quite correct when he suggests that the U.S. cannot advocate the creation and enforcement of worldwide norms in cyberspace without including American operations and activities as part of the equation.
Whether it’s coincidence or intentional, with January 28 being Data Privacy Day in the U.S. and Data Protection Day in Europe, there was a lot going on in information privacy. The single most consistent focus of concern appears to be Facebook, a company mentioned by name by both European Commissioners and FTC Commissioners, and against which Canada’s privacy commissioner launched a new investigation this week.