Top general says U.S. under constant cyber attack threat
Reuters
05/14/13
The top U.S. general in charge of cyber security warned May 14 that the nation is increasingly vulnerable to attacks like those that destroyed data on tens of thousands of computers in Saudi Arabia and South Korea in the past year. Army General Keith Alexander, who heads the NSA and U.S. Cyber Command, told a cybersecurity summit that U.S. networks were already under constant attack and billions of dollars worth of intellectual property were flowing out of the country each year.
Chinese military unit said to resume cyber spying
Los Angeles Times
05/15/13
The Chinese military unit that Mandiant recently accused of launching more than 115 cyber attacks against U.S. companies over seven years has resumed hacking after a three-month hiatus, the firm's chief security officer said. Mandiant did not previously identify the companies targeted by China, citing confidentiality agreements, and the official did not say where the unit has resumed its attacks but said other China-based groups never stopped stealing Western intellectual property.
Researchers develop industrial systems that watch for breaches
CSO
05/15/13
North Carolina State University researchers have developed a methodology for enabling networked devices in an industrial control system (ICS) to police each other for abnormal behavior that would indicate a compromise. The idea is to make it possible for devices to spot the problem unit and then isolate it from the network before it can do any damage. The security mechanism would be used in SCADA systems and programmable logic controllers.
Study: Application vulnerabilities are No. 1 threat
Dark Reading
05/16/13
Application vulnerabilities are the top concern of security professionals, but development teams still are not well-trained in security issues, the security industry's largest professional association, (ISC)2, warned in a new report. The report cites data from its 2013 Global Information Security Workforce Study, in which 69 percent of security pros rated application vulnerabilities a high concern, the highest rating of any threat in the survey.
Many state and local networks unprepared for cyberattacks
GCN - Cybereye (blog)
05/15/13
The results of a recent survey by Consero of chief information officers of states, counties, cities and towns are hardly surprising, but hardly comforting, either. Many state and local networks and IT systems are unprepared for cyberattacks, as the CIOs overseeing them struggle to make do with strained budgets and static or shrinking staffs.
Cybersecurity starts in high school with tomorrow's hires
Bloomberg
05/16/13
To prepare the next generation of cyber specialists and meet their own needs for a skilled technical workforce, the government and private sector companies are working to get teenagers interested early in science, technology, engineering and math, and in cybersecurity competitions and programs.
How can we keep infosec pros a step ahead of the bad guys?
Computer World (opinion)
05/16/13
Attacks on individual and corporate digital assets are on the rise, and the black hats get more ingenious every day. Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. So how should educators prepare tomorrow's information security gurus?
Syria's Internet is offline again
Next Gov
05/15/13
For the second time in as many weeks, Internet access in Syria disappeared mysteriously on May 15 with little to no warning. So, is it another case of the Assad regime trying to disrupt rebel communications, or are they really having technical difficulties?
Continuous monitoring as a service award on the horizon
Gov Win Network (blog)
05/14/13
Improved cybersecurity is an Obama administration priority for FY 2014. Agencies have been inching towards cybersecurity targets, and an upcoming award may ease agency pains of implementing continuous monitoring solutions. In December 2012, DHS released a request for quote that covers both the Continuous Monitoring as a Service (CMaaS) and tools portions of Continuous Diagnostics and Mitigation (CDM), and announcement of the awards could come in June.
How to customize IT security controls
Gov Info Security
05/25/13
Organizations in and out of government can more easily tailor their information security plans to fit their specific business missions and operational environments by using overlays, new tools introduced in the latest revision of the National Institute of Standards and Technology's information security controls guidance. NIST Fellow Ron Ross, who oversaw the drafting of the latest catalogue of IT security and privacy controls, discusses how the new tools can help.
Spreading the word about cybersecurity
FCW
05/15/13
Those in charge of implementing IT security in daily operations, usually chief information security officers (CISOs), are finding it difficult to catch up with threats, let alone get ahead of the curve. One CISO says it's a process where you have to evangelize what you're after, and that evangelization includes showing agency officials how cybersecurity relates to their agency mission and building networks of teams.
Public says critical infrastructure cybersecurity framework should be risk-based, says NIST
Fierce Government IT
05/16/13
An analysis of the comments received so far by the National Institute of Standards and Technology on the cybersecurity framework called for by President Obama's February cybersecurity executive order shows that risk management approaches are a matter of nearly universal concern among respondents, with 81 percent of all comments touching on them.
GSA to provide help choosing between contracts
FCW
05/14/13
Technology specialists at the GSA will soon roll out a Web-based tool to help government users navigate the increasingly dense forest of federal IT contracts. GSA's IT Solutions Navigator Tool will help federal data center and technology managers winnow down their product and service choices among the growing number of large IT contracts, sorting the offerings into seven broad categories: cloud computing, communications, networking, data center, hardware, security, and software.
OMB fuels the passion, synergy between mobile, open data
Federal News Radio
05/16/13
In the year since OMB released the Digital Government Strategy, agencies have slowly begun to change. Topping that effort was the new open government executive order and memo released last week, and federal CIO Steven VanRoekel said the government is ready to unleash the potential of data. VanRoekel said measuring wholesale change is slow, and the administration hasn't done an official assessment of the impact.
Executive order, NIST initiatives may help electric providers get ahead of the threat
SC Magazine
05/15/13
President Obama's recent cyber security executive order caused waves in the critical infrastructure space when it turned a spotlight on energy suppliers. But in a good initial step, the executive order taps NIST to lead the development of a cyber security framework to reduce the risk of attacks. Furthermore, sector-specific agencies, such as the Department of Energy, have reacted quickly to the administration's and NIST's calls for increased cyber security safeguards.
Government to share cyber security information with private sector
Reuters
05/15/13
The U.S. government will use classified information about software vulnerabilities for the first time to protect companies outside of the military industrial complex, top officials told Reuters. Secretary of Homeland Security Janet Napolitano said that a system being developed to scan Internet traffic headed toward critical businesses would block attacks on software programs that the general population does not realize are possible.
Beware the coming SEC regulations on cybersecurity
Forbes (op-ed)
05/15/13
For public company CEOs, the list of items under SEC purview seems to grow overnight. One item that has potential to be added to that list is the reporting on cyber security risk to shareholders. Activists and public officials are pressing the SEC to elevate its guidance to companies on the disclosure of actual breaches.
GAO: Metrics, leadership leave savings unclear in data center consolidation
FCW
05/14/13
The Federal Data Center Consolidation Initiative was supposed to save billions of taxpayer dollars through optimized IT efforts and reduced redundancy. A new Government Accountability Office report, however, warns that poor leadership and a lack of metrics mean the total savings over the past three years are almost impossible to measure.
House spending panel backs joint Defense-VA electronic health record
Next Gov
05/15/13
In its FY 14 VA funding bill, the House Appropriations Committee is looking to back development of a single, joint electronic health record for the Defense and Veterans Affairs departments. The panel provided $344 million in development funds, $92 million more than requested. The committee also said it will require DoD and VA to provide it with a defined iEHR budget and timeline for deployment, and require it to be an open architecture system that serves both DoD and VA.
U.S. cyber bill proponents hope second time's a charm
Reuters
05/16/13
Six months after a comprehensive cybersecurity bill died in the Senate, some Obama administration officials and lawmakers are optimistic they can get a new law passed amid heightened public awareness of hacking attacks and cyber espionage. An updated cyber threat information sharing bill and other proposals are the subject of behind-the-scenes discussions, and White House officials are hopeful a compromise can be reached, despite skepticism from some quarters.
DOD works to fortify cloud, acquisition, data processes
American Forces Press Service
05/17/13
The Defense Department is taking bold steps to provide sound information and proper analysis as it fortifies its cloud computing, acquisition and data processes, according to Mark Krzysko, DoD's deputy director for acquisition resource analysis and enterprise information. Krzysko said cloud computing is among several new ways to provide decision-makers timely access to accurate, authoritative and reliable information.
2014 budget request: DoD IT and DISA
Fierce Government IT
05/12/13
The Defense Department's fiscal 2014 budget proposal includes $39.6 billion for information technology, according to an overview from the DoD CIO. That amount includes both unclassified ($34.1 billion) and classified ($5.5 billion) spending and is $800 million more than the enacted fiscal 2013 amount, but when adjusted for inflation the request is a decrease of approximately 0.08 percent. Cyberspace operations account for 18 percent of the fiscal 2014 request for military IT.
DISA/NSA move to address insider threats to enterprise networks
Defense Systems
05/15/13
Insider threats will become more acute as military organizations transition to a wide-scale enterprise architecture, hastening the need to block and uncover them quickly. As such, the Defense Information Systems Agency (DISA) has issued a solicitation for enterprise services attack analysis capabilities to address such threats. DISA and the National Security Agency want to develop an information assurance (IA) audit management system that has multiple capabilities.
Benefits of brandishing cyber weapons not obvious, says Rand paper
Fierce Government IT
05/15/13
The Cold War staple of deterrence through brandishing weapon capabilities is far more complex when it comes to the cyber domain, notes a Rand scientist in a paper commissioned by the Office of the Secretary of Defense. Brandishing cyber weapons depends on flaws in target systems, and "to reveal which flaws enable attack is to inform others how to fix the flaws and hence neutralize them." Cyber brandishing is possible, but difficult.
Measuring what never happened
FCW
05/16/13
It's hard to measure the impact of something that never happened, but that is exactly what federal agencies and private companies must do in risk management, and in determining the return on investment in IT security. That challenge is something organizations increasingly struggle with as investing in IT security becomes more commonplace, more of a requirement and more of a prominent line item in tightening budgets.
Chertoff: Real-time tracking key to better network defense
FCW
05/16/13
Michael Chertoff, former Secretary of Homeland Security, says the cyber threat from outside actors against U.S. defense, federal and critical infrastructure networks is higher than ever and growing increasingly complicated. With increasing volumes of data and an ever-expanding array of entry points on networks, the opportunity to hack into them is also at its height, but within the information is a human trail that can be exploited to deter or prevent other incursions.
Cyber protection and defense still poses thorny questions
Signal Online
05/13/13
A panel on the first day of AFCEA East: Joint Warfighting 2013 discussed a variety of cybersecurity topics, including the militarization of cyber and cyber vulnerabilities. While participants agreed additional protection and defense is needed, not all concurred on what organization should have the power or responsibility.
Traditional IT security measures becoming ineffective
Security Info Watch
05/08/13
The public learned last month about a series of high-profile security breaches that were attributed to the Chinese military and hit more than 100 U.S. companies. Compound that with the over 120 million Distributed Denial-of-Service (DDoS) attacks in 2012, up from nearly 1.5 million in 2011, and wherever you look there is evidence that the traditional approaches to information security are no longer effective.
Companies, government unprepared for new wave of cybersabotage
CSO
05/14/13
The New York Times reported May 12 that a new wave of cyberattacks has been aimed mostly at U.S. energy companies with an eye toward seizing control of processing plants. The fact that senior government officials were unable to pinpoint the source of the attacks indicates a lapse in the work of the intelligence community, said a former DHS official. Also, for some companies, a cultural change to achieve greater collaboration may be necessary to shore up cyber defenses.
Cyberattacks against U.S. corporations are on the rise
The New York Times
05/12/13
A new wave of cyberattacks is striking U.S. corporations, prompting warnings from federal officials, including a vague one from the Department of Homeland Security which says this time the attackers' aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East. But two senior administration officials said they were still not certain exactly where the attacks were coming from, or whether they were state-sponsored or the work of hackers or criminals.
Symantec advises Senate on complexity of cyber threats
USA Today
05/08/13
A Symantec official discussed the intensity and pervasive nature of daily cyber attacks at a May 8 Senate hearing called to hear how law enforcement and the private sector respond to cyber threats. The official said the hearing "highlighted the increasingly complex nature of the cyber threat landscape and the need to bolster law enforcement and judicial resources and training."
Cyber attacks against FederalNewsRadio.com, WTOP.com part of growing trend
Federal News Radio
05/13/13
The cyber attacks recently suffered by FederalNewsRadio.com and WTOP.com are part of a growing trend of breaches that take advantage of network weaknesses to indiscriminately go after visitors of popular websites. Indications point to the breach being a "drive-by" attack, a type that is becoming more popular, according to the Symantec 2013 Internet Security Threat Report.
Demand for IT grads is driving up supply, study finds
Next Gov - Wired Workplace
05/14/13
The high demand for information technology professionals is driving up the number of college students pursuing IT-related degrees, according to a new report. It appears that one trend in IT-related degrees is an increasing emphasis on two-year degrees, particularly as more businesses and schools provide an "open door" to recent graduates eager to start their careers.
On cybersecurity, nation needs 'meta-leadership'
Politico (op-ed)
05/13/13
Former Director of National Intelligence Mike McConnell writes about the critical role information sharing must play to prevent cyberattacks and cyberespionage that could lead to devastation. He cites the need for cooperation and compromise to ensure sensitive information is shared between the government and private sector, to determine standards for cybersecurity protection and provide liability protection for industry, and to do all this before it's too late.
Consolidating IT cuts costs and makes agencies more efficient, Interior CIO says
Fierce Government IT
05/13/13
Consolidating online services and integrating IT systems not only cut costs, but also made the Interior Department more efficient, according to Interior CFO Rhea Suh. At the Homeland Security Department, similar consolidation was made to integrate IT systems, and DHS also encouraged employees to use their own devices. Another federal CIO said enabling employees to do their jobs better with more forward-thinking IT results in efficiency and lower costs.
GAO, OMB spar over whether to measure data center cost savings
Federal News Radio
05/15/13
Agencies are on track to close almost 1,000 data centers by December 2013 through the Federal Data Center Consolidation Initiative. But whether or not agencies achieve the estimated $3 billion in savings that the Office of Management and Budget initially said would come from these efforts is unclear. The Government Accountability Office told a congressional hearing it found OMB's course change may be missing the real benefits of this initiative.
Data center consolidation savings 'minimal' so far
Next Gov
05/14/13
An initiative to consolidate federal data centers has yielded minimal savings so far, and the government is unlikely to meet its goal of $3 billion in savings by 2015, the Government Accountability Office said in a report May 14. Agencies have also failed to adequately report on their data center cost savings, and officials at the White House's Office of Management and Budget and the General Services Administration have done too little to force that reporting.
DHS coming up short on Einstein deployment
GCN
05/13/13
Deploying the government-wide intrusion detection system known as Einstein is taking longer than expected, and development of the next stage of the system, scheduled for completion in 2015, is costing more than expected. Einstein now serves 17 of 18 major agencies, according to a DHS official, but there are more than 100 departments and independent agencies in the .gov domain, which means a number of agencies are still not covered.
FBI trains bank executives on cyberattack threats
ZDNet
05/14/13
The FBI says that more cooperation between governmental agencies and the financial industry is necessary to combat cybercrime. In order to promote better understanding, the FBI gave banking executives clearance last month to brief them on the current cybercrime environment, so financial management could grasp "who is behind the keyboard" that can attack them.
DoD wants to know real costs of IT business systems
Federal News Radio
05/15/13
Through its Better Buying Power initiative, the Pentagon is expanding its focus on the cost of goods and services beyond the "should-cost" concept and contracting to the entire DoD business process. The aim is to understand how much military services and agencies spend on people, technology and processes, and then use that knowledge to improve decision making and become more efficient. The "should-cost" concept mainly focuses on the fair and reasonable price of a product or service.
The imperative for device management is key to the DOD's mobility plan
Defense Systems
05/13/13
In the wake of a scathing internal Defense Department review of the Army's commercial mobile device use, pressure is mounting on the Defense Information Systems Agency to find solid footing for mobile device management that will allow military personnel secure access to defense applications and data over government-issued devices.
Army backs battlefield network despite budget shift
DoD Buzz
05/10/13
U.S. Army officials said they support further development of the Warfighter Information Network — Tactical (WIN-T) battlefield communications network even as the service seeks to transfer funding from the program this year to pay for more urgent needs. The Army wants to transfer $128 million from the program as part of a larger DoD reprogramming request to shift money for the remainder of fiscal 2013, mostly to pay for higher-than-expected war costs.
The Army lays out its objectives for this month's NIE 13.2
Defense Systems
05/13/13
The Army is testing how its forces stay connected and aware of their surroundings while they maneuver on the battlefield. A fully equipped brigade is conducting operations in New Mexico's White Sands Missile Range as part of the service's bi-annual Network Integration Evaluation 13.2, which runs throughout the month of May. The unit will try out new communications and networking equipment to see how they work while on the move in the field.
U.S. admiral puts cyber security on the radar
Reuters
05/13/13
Cyber security and warfare are on par with a credible nuclear deterrent in the defense priorities of the United States, the U.S. Navy's top admiral said May 12. Adm. Jonathan Greenert, the chief of naval operations, told Reuters the Defense Department's cyber program had continued unabated despite the political gridlock about the U.S. budget deficit and enforced spending cuts in other areas.
TSA defends TWIC pilot testing
Fierce Homeland Security
05/12/13
Disagreeing with recent criticism by the GAO, a Transportation Security Administration official told a congressional panel May 9 that pilot testing of Transportation Worker Identification Credential (TWIC) readers generated enough reliable data to support a conclusion that they contribute to port security.
GAO calls for halt to TWIC readers
Fierce Homeland Security
05/08/13
Pilot testing of Transportation Worker Identification Credential (TWIC) readers was so flawed Congress should require the Homeland Security Department to back off implementation until it conducts a proper test, says a GAO report. That new assessment of readers should also revisit the question of whether a more decentralized approach toward maritime identity cards might be better, GAO auditors said in the report that extensively criticizes TWIC management.
FEMA seeks identity verification services for disaster assistance applicants
HS Today
05/13/13
The Federal Emergency Management Agency (FEMA) has announced a re-compete of contractor assistance to its identity verification program for disaster assistance. FEMA's National Emergency Management Information System/Integrated Security and Access Control (NEMIS/ISAAC) verifies an applicant's identity and homeowner status to determine eligibility for disaster assistance. To fulfill these requirements, FEMA has issued an RFP to hire an identity management firm.
Can collaboration defend U.S. critical infrastructure?
FCW
05/10/13
Vulnerabilities in critical infrastructure, particularly through cybersecurity gaps, are a top concern for government officials and lawmakers. Legislation to address those gaps so far has failed, and key partnerships are crucial to shoring up weaknesses as best as possible until a bill passes, officials say.
Supply chain risks go far beyond fake parts
FCW
05/09/13
There's a "soft underbelly" to supply chain vulnerabilities that is becoming more critical as agencies increasingly purchase managed services often delivered via software. Officials warn that this risk is especially acute in critical infrastructure, where there is growing and interconnected reliance on cyber.
Researchers find hundreds of insecure building control systems
CIO
05/08/13
Using the Internet to manage buildings is convenient, but it may come at a steep price, presenting new opportunities for hackers. Hundreds of organizations across Australia are using out-of-date industrial control systems (ICS) to control the lights, heating and cooling, access controls and even the elevators.
DHS putting post-FISMA approach to cyber through a trial run
Federal News Radio
05/08/13
OMB is drafting a memo to move agencies out of the once-every-three-years process under FISMA and toward the concept of ongoing authorizations outlined in the fiscal 2012 FISMA guidance sent to agencies in September. OMB expects agencies to achieve this through implementation of continuous monitoring programs, and the Homeland Security Department is the first out of the gate in starting to put it into place.
Is an emphasis on compliance hampering IT security?
FCW
05/10/13
Security pros, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since passage of FISMA in 2002. Critics of the act, or of how it has been implemented, say the emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. But with tools to monitor systems, respond to incidents and report on status, there is a chance to tip the battle in favor of security.
White House orders agencies to follow new open data standards
Next Gov
05/09/13
Government agencies must collect and publish new information in open, machine-readable and, if possible, non-proprietary formats, according to a White House executive order and open data policy published May 9. The new policy also gives agencies six months to create an inventory of all the datasets they collect and maintain; an updated list of datasets open to the public; and an online system to gather feedback from users about how they'd like such information to be presented.
Executive order makes open data the new normal
FCW
05/09/13
President Obama issued an executive order May 9 to require civilian agencies to produce data in open, machine-readable form to promote public access and commercial use. The presidential order and an accompanying implementation memo from OMB puts teeth behind a policy launched almost one year ago with the release of the administration's Digital Government strategy, which touted open data as a potential engine of economic growth.
Special Report: U.S. cyberwar strategy stokes fear of blowback
Reuters
05/10/13
The U.S. government has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers, spurring concern that Washington is encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks. U.S. intelligence and military agencies are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons.
Time to take a stand against state-sponsored cyber attacks
Security Info Watch
05/10/13
A former FCC cybersecurity official believes the federal government will have to go beyond just intelligence sharing and actually provide private industry with incentives to bolster their cybersecurity posture. If we don't wake up to the current dangers posed by state-sponsored cyber attacks, be it from China or some other nation, we will likely be reorganizing the government again and creating another bureaucracy to deal with the threat.
Investing in science to focus on innovation
Armed With Science
05/12/13
Alan Shaffer, the acting assistant secretary of defense for research and engineering, says that to meet the Defense Department's 21st century security objectives, its science and technology funding will focus on innovation and industry. Shaffer said in cyberspace, research and resilience of data are key, and that the U.S. needs "robustness and … the ability to operate through any type of cyberattacks."
Can mobile devices be more secure than PCs?
Help Net Security
05/13/13
Despite the growing reliance on mobility, IT decision-makers still incorrectly believe traditional PCs are more secure than mobile devices. Entrust believes that mobile devices, when properly managed and protected, can be a highly secure platform for digital identities and online transactions.
4 ways to defend against nation-state attacks
Gov Info Security
05/10/13
Security experts agree the best defense against nation-state attacks needn't be tailored to a specific attacker, and no one solution will help organizations to defend against nation-state attacks. Still, knowing who's attacking IT systems and implementing fundamental cybersecurity and risk management practices can help organizations better plan their defenses and reduce the damage done from attackers, including nation-states. Here are four steps organizations can take.
Ten emerging threats your company may not know about
Dark Reading
05/13/13
In a new report, Dark Reading examines the cybersecurity threats that are lying in wait, the ones that are especially dangerous because they are unknown or little understood. Some have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.