developing sanctions against China over cyberthefts
The Obama administration is developing a package of unprecedented economic
sanctions against Chinese companies and individuals who have benefited from
their government’s cybertheft of valuable U.S. trade secrets. Issuing sanctions
would represent a significant expansion in the administration’s public response
to the rising wave of cyber-economic espionage initiated by Chinese hackers,
who officials say have stolen everything from nuclear power plant designs to
search engine source code to confidential negotiating positions of energy
industry groups are wary of stronger FTC cybersecurity oversight
The Christian Science Monitor –
With a federal appeals court reaffirming the Federal Trade Commission's
regulatory authority over data security practices, the question now becomes: Just
how powerful will the agency become in overseeing matters of privacy and
cybersecurity? Now, many industry groups
are worried that at a time when corporations are dedicating more money and
resources to protect data from criminal hackers, they'll also face more
regulatory oversight and hefty fines from the government for data security
than 80% of healthcare IT leaders say their systems have been compromised
Eighty-one percent of healthcare executives say their organizations have
been compromised by at least one malware, botnet or other kind of cyberattack
during the past two years, according to a survey by KPMG. The KPMG report also
states that only half of those executives feel that they are adequately
prepared to prevent future attacks. The attacks place sensitive patient data at
risk of exposure, KPMG said.
industry bands together to thwart hacking threats
The Alliance of Automobile Manufacturers and the Association of Global
Automakers have banded together to lay the groundwork for an industry-wide
Information Sharing and Analysis Center (ISAC) intended to share best practices
in mitigating automotive cybersecurity threats that enable attackers to gain
control of vehicle systems. Every major
car manufacturer will participate in the ISAC, with suppliers and telecommunications
companies projected to join in later.
smart infrastructure be cyber-secure?
Many cities are rapidly deploying "smart" infrastructure
technologies. But this technology's growing presence is raising new questions
in a world in which cyber-breaches are beginning to seem like a daily
occurrence: Just how secure are these systems and the data they hold? In
response to this perceived threat, a group of experts recently launched a
not-for-profit global initiative called Securing Smart Cities to help
government leaders reduce the liabilities of implementing the technology.
is dumping anti-virus, presages death of an industry
Movie streaming titan Netflix is hammering a rather significant nail in the
anti-virus coffin, one that could well lead to the industry’s final interment.
Netflix, a well-known innovator in the tech sphere, is the first major web firm
to openly dump its anti-virus, and where Netflix goes, others often follow;
just look at the massive uptick of public cloud usage in recent years,
following the company’s major investment in Amazon Web Services. Also, in the
last 10 years, research has indicated AV is rarely successful in detecting
Scott says IT spending 'headed the wrong way'
The state of IT spending isn’t making Tony Scott happy. The federal CIO
spoke pessimistically of how much the government was spending to maintain old
systems, instead of investing in new ones, and he also dinged common acquisition
practice as part of the problem in recent remarks at an event organized around
that very acquisition practice. He
decried the "tons of year-end spending because it’s a ‘use it or lose it’
sort of proposition, and that’s just a really bad way to run IT.”
federal CIO Tony Scott hates the end-of-year IT spending spree
The end-of-the-year spending spree -- in which agencies cram contract
spending into the last quarter of the fiscal year -- is a time-honored
tradition in government contracting. And federal CIO Tony Scott hates the
"use-it-or-lose-it" nature of federal IT funding that fuels the
annual spending spike, saying recently, "That's just a really bad way to
run IT.” The end-of-the-year pressure drives agencies into “exactly the wrong
behavior,” Scott said: more short-term, even frivolous, spending and less of a
focus on longer-term investments.
outlook for OASIS
The General Services Administration’s $60 billion One Acquisition Solution
for Integrated Services (OASIS) contract was one of the most anticipated
agreements the agency has produced in the past decade. And despite being barely
a year old, the service-oriented acquisition vehicle is already reshaping the
way GSA handles other massive multiple-source procurements.
urge energy companies to ramp up cyber protections
The federal government wants utilities companies to keep people from
gaining unauthorized access to buildings, networks, data and control systems
and potentially triggering power outages. In a new guide, Identity and Access
Management for Electric Utilities, the National Institute of Standards and
Technology aims to teach energy companies to protect their digital and physical
assets by using a platform that could let them see who has access to any part
of a system at any time.
issues draft guidance for bolstering cybersecurity at utilities
Fierce Government IT
The National Cybersecurity Center of Excellence is urging utility companies
to change decentralized identity management practices at their facilities to
shore up a weak link against online attack. The NCCoE, which is a partnership
of the National Institute of Standards and Technology (NIST), the State of Maryland
and Montgomery County (MD), has released a draft guide to walk utility
companies through the process of setting up a single identity management system
that can work for employees no matter which department they work under.
agency tells electric utilities to shore up authentication
U.S. electric utilities should pay close attention to their authentication
systems and access controls to reduce data breaches, NIST says in a new
cybersecurity guide. About five percent of all cybersecurity incidents that
DHS' industrial control cyber team responded to in 2014 were tied to weak
authentication, said NIST, and another four percent of industrial control
incidents were related to abuses of access authority. The new cybersecurity
guide, released in draft form by NIST's National Cybersecurity Center of
Excellence (NCCoE), focuses on helping energy companies reduce their
cybersecurity risks by showing them how they can control access to facilities
and devices from a single console.
under FTC authority: What does it mean?
Dark Reading (commentary)
A U.S. appellate court has granted the Federal Trade Commission (FTC)
authority to regulate corporate cybersecurity. While this isn’t the first time
the U.S. government has stepped in to mend the issues overlapping several
industries, this is significant progress.
CIO: Cybersecurity policies lacked ‘urgency’ before OPM hack
Shortly after Tony Scott became the federal government’s chief information
officer in February, some of the Obama administration’s keystone tech policies
-- including cybersecurity and cloud computing -- “felt like they were
languishing a little bit and maybe had lost a sense of urgency,” the former corporate
IT executive says. With cybersecurity, “What we didn't have was, I think, any
kind of good cadence and sort of sense of urgency about that,” Scott said
recently. “And so, even prior to OPM, I was thinking about: What are the things
that we could do to sort of accelerate our progress on this?"
Internet of Things: What’s Washington’s role?
Every second, 127 items are added to the Internet. Wired toasters and heart
monitors; trucking fleets and individual cows. The business opportunities are
vast: a report from the McKinsey Global Institute estimated that the Internet
of Things could add as much as $11 trillion per year to the global economy by
2025. POLITICO and McKinsey &
Company recently convened a working group of high-level voices to determine
how—or if—Washington is likely to become involved. The group discussed policy
options for addressing the privacy and security issues raised by the
proliferation of networked objects.
amendments that could determine the fate of Senate's cyber bill
After a brief but heated battle, senators left for summer recess without
voting on a key cybersecurity bill that sets up incentives for businesses to
share cyberthreat information with the government, with the goal of supplying
both with the tools and data they need to bolster their defenses. The measure
could come up again when the Senate reconvenes in September, with the Senate
leadership having announced that 22 amendments will be voted on that could make
or break the bill.
unveils new rules requiring contractors to disclose data breaches
New sweeping defense contractor rules on hack notifications took effect
August 26, adding to a flurry of Pentagon IT security policies issued in recent
years. Industry, which is already concerned about overlapping and burdensome
cyber rules, worries the Pentagon will go back and retroactively change
contracts, after the White House draft is finalized.
Signal Corps undergoing cyber review
C4ISR & Networks
As part of a sweeping, end-to-end review by the Army CIO/G6, the service's
signal corps is facing a hard look at the skills, requirements and military
operational specialties (MOSes) that comprise the corps. The review, which
started back in December, is happening as the Army looks to streamline and
sharpen its forces dedicated to cyber operations. Already, integration between
signal and cyber is happening in the schoolhouses and at Fort Gordon, Georgia,
home to the 7th Signal Command, the Army Cyber Center of Excellence and eventually
Army Cyber Command. As that integration gains momentum, Army leaders are
looking at the best ways to bring the organizations together while still
focusing on each side's core competencies.
tries to speed cyber acquisition process
The Army is trying to speed cyber-related acquisition by using a template
known as the Information Technology Box. Officials said the goal is to quickly
supply soldiers with IT tools such as sensors, forensics and "insider
threat discovery capabilities" in a matter of weeks rather than the months
or years a traditional acquisition might take.
looks in-house for cyberwarriors
The Army has turned to its own ranks in hopes of satisfying its growing
need for talented cybersecurity professionals. In June, the agency announced
that all E-1 through E-8 ranked soldiers, regardless of their technical
background, could apply to participate in a yearlong cyber training program,
according to a recent Army press release. Those successful candidates who
complete the program would then be reclassified into the 17C military
occupational specialty – also known as cyber operations specialist.
key takeaways from AFCEA TechNet: Day 2
C4ISR & Networks
Day 2 of AFCEA's TechNet Augusta, held in the Georgia hometown of Fort
Gordon, the 7th Signal Command and the Army Cyber Center of Excellence, saw a
drill-down on the topics at hand. That included frank discussions on
intelligence staffing and operations, the evolution of radio communications in
the theater and dominance in cyberspace. The central tie between all of those
themes? The dire need for joint communications. Here are five key snippets from
Day 2's discussions that centered on solving the military's problems in cyber
operations and communications on the move.
outlines biometric future
The Department of Homeland Security has released its vision for how
enhanced biometrics capabilities will transform the agency’s operations over
the next 10 years. DHS has several biometric-based programs underway, including
the Automated Biometrics Identification System as well as various research and
development activities within its Science and Technology Directorate and
operational components. This DHS strategic framework, released Aug. 26, will be
used to identify and align DHS initiatives to meet strategic goals and
objectives, the agency said, as well as identify gaps where action plans must
attacks against banks increasing
Three years after leading U.S. banking institutions were targeted by waves
of distributed denial-of-service attacks waged against them by a hacktivist
group, DDoS attacks have continued to grow in number and magnitude. And while banking institutions have made
improvements in their abilities to mitigate the effects of DDoS strikes against
them, institutions are still struggling to keep up.
Feeling the pain of cybersecurity in healthcare
To see why medical records are increasingly a target of hackers, just thumb
through all the personal identifiable information stored in your cell phones,
fitness trackers, social media, the cloud, and in service provider databases.
There are lots of reasons why medical data is so vulnerable – a fragmented
industry, the explosion of electronic health records spurred by the Affordable
Care Act, and medical PII's increasing value to hackers. But the sheer numbers
at risk speak volumes about the scale of the problem.
The OPM breach details you haven't seen
An official timeline of the Office of Personnel Management breach pinpoints
the hackers' calibrated extraction of data and the government's step-by-step
response. The timeline makes clear that the heist of data on 22 million current
and former federal employees was one sustained assault rather than two separate
intrusions to steal background investigation data and personnel records. The July 14 document was prepared by federal
investigators for the office of U.S. CIO Tony Scott, and the detailed timeline
corroborates administration officials' public testimony but is unique in its
comprehensiveness and specificity.
The unbundling of networks and servers by government owned and operated
infrastructure is just the beginning of what the Center for Digital Government
is seeing as a significant transformation towards Everything-as-a-Service that
will sweep through states and localities in the years to come. Here's how the
unbundling of technology will impact the future of state and local government,
and what you need to know and how you can be a part of it.
Of Virginia Breach targeted two individuals with China links
Earlier this month, University of Virginia officials disclosed that federal
authorities had informed the university of a potential intrusion into its
networks originating from China. The university confirmed the breach June 21
but did not immediately disclose the incident until last week while it worked
to remediate the issue. Security firm Mandiant, which was hired to investigate
the intrusion, has confirmed that the attack appears to have been targeted at
two specific employees whose work has a connection to China.
observations about cybersecurity based on two new surveys
Cybersecurity incidents and attacks have become almost daily news, and two
new surveys give voice to the executives and cybersecurity professionals
struggling to defend their organizations. A record 79% of executives said they detected a security incident in the
past 12 months, while 73% of security professionals say it is likely that they
will have to respond to a significant compromise in the coming year.
sprint’s before and after picture gives reasons for hope, fear
Federal News Radio
There has been plenty of discussion in the federal community about the
Office of Management and Budget’s 30-day cyber sprint and whether it made any
difference or not. Some experts say the cyber sprint was just window dressing
on long-standing problems. Others pointed to finally forcing agencies to use
their smart identity cards to log on to their networks and computers, and that
was, at least, the type of difference maker that had been missing over the last
decade. A new document shows just how bad a shape agencies were in as of June,
including how many critical vulnerabilities that existed for more than 30 days
and how many potential holes in individual agency networks, and just how far
they’ve come over the summer.
to get ahead of 2016: Ensuring federal IT can adapt to leadership transitions
As government agencies turn their attention to planning for 2016, one thing
is clear: Most political appointees in agency leadership positions today will
not be in seat 18 months from now and many may start their transitions early.
Regardless of which party takes office, the new administration will bring its
own set of priorities and most will be dependent on a strong digital
nation’s 24-hour cyber watch center still has some empty seats
The watch floor of the National Cybersecurity and Communications
Integration Center (NCCIC), which monitors hack attacks aimed at 16 critical
U.S. industries, is still missing analysts from 75 percent of those sectors.
The reasons for low attendance have little to do with controversies over
sharing customer and business-sensitive information. The main problem is
insufficient capital to put boots on the ground there.
pushes back against critical IG report
The top tech official at the Labor Department said officials have made
progress in remediating information security weaknesses, and she raised
concerns about the "completeness and accuracy" of a critical report
released by the Office of Inspector General at the end of July. The report,
which was a roundup of previous probes by Labor's OIG, asserted that the
department only recently turned its attention to implementing two-factor
authentication agency-wide in response to data breaches at the Office of
Personnel Management. It also detailed lingering problems with privileged
access to government systems by former employees and contractors.
Election Commission refuses to release computer security study
The Center for Public Integrity
The Federal Election Commission is refusing to uncloak a pricey,
taxpayer-funded study that details decay in the security and management of its
computer systems and networks, which the Center for Public Integrity revealed
had been successfully infiltrated by Chinese hackers in October 2013. The
report — known within the FEC as the “NIST study” — also provides
recommendations on how to fix the FEC’s problems and bring its computer systems
in line with specific National Institute of Standards and Technology computer
a growing topic in vehicle security
When security flaws allowed a Jeep Cherokee to be hacked and remotely
controlled earlier this month, the US Army took notice, according to a lead
acquisitions official. Kevin Fahey, director of system of systems engineering
and integration in the Office of the Assistant Secretary of the Army for
Acquisition, Logistics and Technology, told the National Defense Industrial
Association's tactical wheeled vehicle conference they must be concerned about
cyber, particularly the security of the systems they manufacture. Fahey has
been directed to incorporate system security into the formal defense
Defense can’t buy cyber stuff fast enough
The Defense Department is under attack in cyber space, and national security is
at stake. Yet in a field defined by rapid growth, DoD arms itself at the same
pace with which it buys major weapons, an acquisition cycle of seven to 10
years. The “arsenal of democracy” has already provided the tools for hastening
this process in the form of agile methods. The Pentagon has been reluctant to
adopt different methods for software than it uses for other acquisitions. But
unless it does so, it will lose its edge.
Command looks to private sector for joint cyber planning
In an effort to shore up cyber defenses across government, a cross-agency
effort is interested in procuring joint cyber planning services for the U.S.
Central Command. In a recently published synopsis/solicitation, Centcom looks
to further its efforts to integrate theater-level campaign constructs with the
Defense Department and other agencies—the solicitation, in fact, was issued by
the General Services Administration, along with the Joint Cyber Planning
Services, which is tasked with leading the charge toward full-spectrum cyber
operations. The solicitation is looking for contractors with expertise in the
full range of cyber defense, offense and operations, everything from preparing
policies to carrying out cyber responses to attacks.
things to know from AFCEA TechNet: Day 1
C4ISR & Networks
The theme for this year's TechNet event in Augusta, Georgia, is "cyber
convergence," an idea hit on many times throughout the first day of the
event. Here are six key takeaways attendees heard the first day, at TechNet
Augusta: 1. Cyber is a team sport; 2. We need cyber schools; 3. Those new ways
of doing things won't be easy; 4. Convergence is more than just lip service
about collaboration; 5. collaboration -- within the Army, but also across DoD,
the intelligence community and the broader government -- is "the challenge
and opportunity we face together"; and 6. "Hyper-asymmetric war"
is upon us.
issues Pentagon-friendly cloud computing guide
The Defense Department’s information technology arm has unveiled a guide for IT
shops in the defense and military space planning a move to the cloud. Released
by the Defense Information Systems Agency, the guide is aimed at DOD “mission
owners” wanting to migrate an existing information system from a physical
environment to a virtualized cloud environment. The framework is based on
real-world cloud pilot efforts within DoD.
best practices for cloud migration
The Defense Information Systems Agency recently released “Best Practices Guide
for Department of Defense Cloud Mission Owners” for those planning to migrate
existing systems from physical environments to the cloud. The new best
practices guide provides knowledge gained from DoD cloud pilots, specifically,
DISA’s Information Assurance Support Environment and the Army’s DOD
Environment, Safety and Occupational Health Network and Information Exchange.
It includes information on everything from IP standards and domain name servers
to storage capacity to assessment and authorization.
debunks DOD-VA interoperability myth
For years, the Pentagon and the Department of Veterans Affairs struggled to
integrate their electronic health records systems, spending upward of a billion
dollars on an effort that was ultimately scrapped. The Pentagon then bid
out and awarded a massive contract valued at up to $9 billion to Leidos to
upgrade its health records system. Much of the build-up during the bid time
frame centered on the Pentagon’s wish for interoperability between health
systems. Yet, Pentagon officials, briefing reporters July 30 before the Leidos
award, contended that interoperability between VA and the Defense Department
was actually far less of an issue than it was made out to be.
vs. FTC: Corporate security pros need to lawyer up about data breach
protection, experts say
Corporate security executives need to meet with their legal teams to find out
whether the way they protect customer data will keep them out of trouble with
the Federal Trade Commission should that information be compromised in a data
breach. Based on a U.S. Circuit Court of Appeals decision August 24, the best
course of action is to learn what kinds of actions the FTC has taken in the
past – and why – against companies whose defenses are cracked and whose
customer data is stolen.
Big data and the importance of identity
IT Pro Portal
When it comes to big data, many companies are now adept at collecting it, but
the harder part is knowing how to organize it and what to do with the data once
you have it. The idea of identity is a vital one, as marketers can transform
this data into an actual representation of their current and potential
customers, thereby producing valuable and actionable insight. To shed more
light on the subject, Richard Lack, the Director of Sales in Northern Europe at
Gigya, was interviewed about how to define big data, what mistakes companies
make when it comes to big data, and how companies can classify data
to make it more effective.
a major cybersecurity job shortage, we must act like we are at war
Next Gov - Tech Insider (opinion)
We are in the midst of a cyberwar and the bad guys are winning, but our “quick
fixes” haven’t yet addressed the larger problem. We live in a world with
hackers who are capable of breaking into all but the most highly sophisticated
systems, yet the U.S. government is undermanned against hackers and can’t
afford to wait for natural market forces to eventually increase the supply of
skilled cyber warriors. Here are three critical things that need to happen to
address the cyber workforce shortage.
NCCoE seeks comments on Identity & Access Mgmt Guide for energy sector
The National Institute of Standards and Technology‘s National Cybersecurity
Center of Excellence has opened the comment period for a draft guide on access
control measures for energy companies to reduce cyber risk. The draft guide
provides end-to-end identity management solutions and a use-case scenario of a
security challenge encountered in day-to-day operations. The agency will accept
public comments on the guide through Oct. 23.
management underpins security in application economy
Applications have become important points of engagement for many businesses and
can be accessed across different types of devices, including notebooks,
tablets, smartphones and desktop PCs. The application economy is identity-centric and device-agnostic, which
is why identity management is critical. In a world with no perimeter and with
fewer security anchor points, identity and authentication matter now more than
ever. The abuse of identity is a common vector for many successful attacks.
With the digital transformation underway globally, the application economy is
forcing security leaders to change their mindsets.
health care market worth $3.5 billion by 2024
Secure ID News
Health care could be one of the best opportunities for biometric vendors,
according to a report from consultancy Tractica. Starting from a base of $250
million in 2015, the firm forecasts that global health care biometrics revenue
will reach $3.5 billion by 2024, with cumulative revenue for the 10-year period
totaling $12.5 billion.
microwaving, boiling ID cards
Secure ID News
Germany has a national identity card that uses contactless smart card
technology to communicate via short-range RFID signals. And if there’s one
thing about contactless smart cards, it is that they are widely misunderstood. Some Germans (and others) have taken to
disabling contactless chips in payments cards, national IDs or electronic
passports via either microwaving or boiling the documents.