Governor Snyder releases new Cyber Initiative for next four years
At the North American International Cyber Summit held recently in Detroit,
Michigan Gov. Rick Snyder unveiled an updated 'Michigan Cyber Initiative 2015.'
While the strategy does not contain any entirely new security programs, it does
vastly expand upon his initial Michigan Cyber Initiative released in 2011 and
sets goals for the future. Here are some highlights of the summit and
Michigan's new cyber plan, which is a model for other states.
malware 'developed by Western intelligence agency' uncovered in Russia and
InfoSec Hot Spot
New malware dubbed "Regin", which has been likened to Stuxnet,
has been uncovered in Russia and Saudi Arabia, according to Symantec. The
security software maker believes that the malware was developed and run by a
Western intelligence agency, and that it might have taken years to develop. The
malware has been used in spying campaigns since at least 2008.
tool could have US, British origins
Researchers say a sophisticated cyberespionage tool has been stealing
information from governments and businesses since 2008, and one report linked
it to U.S. and British intelligence. The security firm Symantec
identified the malware, known as Regin, and said it was used "in
systematic spying campaigns against a range of international targets,"
including governments, businesses, researchers and private individuals. The
news website The Intercept reported that the malware appeared to be linked to
U.S. and British intelligence, and that it was used in attacks on EU government
networks and Belgium's telecom network.
disrupts some websites linked to US content delivery network
China has potentially cut access to scores of non-political sites with a
block on U.S. content delivery network EdgeCast Networks. The "Great
Firewall of China" has begun filtering out more sites and networks
connected to EdgeCast customers, preventing the services from appearing in the
country, the Verizon-owned company said in a blogpost.
stages its largest cyber exercise to date
NATO has conducted its largest cyber defense exercise to date, a three-day
multinational event designed to test defending networks through rapid sharing
of information on cyber incidents. The seventh annual exercise, dubbed Cyber
Coalition 2014, involves more than 400 technical, government and cyber experts
from more than 30 countries responding to simulated attacks. In addition to the
28 NATO countries, several non-member countries took part. Representatives from
industry and academia also were invited for the first time to take part as
of cyber-security jobs has doubled over past year
IT Pro Portal
The number of staff employed in the field of cyber-security is rapidly
multiplying as the threat from hackers and malware gets ever more serious and
high-profile. Indeed, according to the latest piece of research from tech job
site Technojobs, the number of permanent positions in cyber-security has risen
by over 100 per cent year-on-year as of October.
the point of wearables?
The wearables market has lurched in its marketing between the two
poles of health and fitness. Is a smart wristband designed to get couch potatoes
moving? Or will it help people who are already very active optimize their
bodies? A year ago, 1 in 10 Americans owned some kind of wearable device.
That's now up to 1 in 5, according to PwC, with half of the people who have a
wearable using it daily. The problem for people building apps and gadgets which
track our bodies and our movement is that the broadest possible market—and the
biggest gain to society—is on the health side of things.
grow of Iran cyber attack
Fears are growing that Iran will unleash cyber warfare on U.S. companies if
negotiators are unable to reach a nuclear deal by Monday that would require
Tehran to limit its nuclear program. Cyber-attacks from Tehran dropped after
the U.S., Iran and other countries agreed to an interim nuclear deal in 2013,
but observers expect a new offensive if discussions taking place in Vienna fall
apart before a Nov. 24 deadline. U.S. financial firms, oil and gas companies
and water filtration systems could be among the companies targeted.
security needs its Ralph Nader
The current data breach epidemic feeds off a delicious broth of consumer
apathy, corporate incrementalism, and flawed federal regulations -- exactly the
conditions that existed in 1965 with automobiles. Clearly, things need to
change if we are to curb the data breach epidemic… but who will be cyber security’s
Time to share cyberattack information
Government Health IT
Organizations of all kinds, including healthcare groups, are coming under
cyberattacks with increasing frequency, as bad actors, whether nation states or
thieves, are breaching security perimeters and stealing essential data.
In response, the National Institute of Standards and Technology (NIST) is urging
organizations to share threat information before, during, and after an attack
with a trusted group of peers. In early November, NIST issued its Guide to
Cyber Threat Information Sharing, a draft report on practices organizations
should consider planning, implementing and maintaining information sharing
set to destroy governmentwide network surveillance records
The Department of Homeland Security is poised to ditch all records from a
controversial network monitoring system called Einstein that are at least three
years old, but not for security reasons. DHS reasons the files -- which include
data about traffic to government websites, agency network intrusions and
general vulnerabilities -- have no research significance. But some security
experts say, to the contrary, DHS would be deleting a treasure chest of
historical threat data.
might need to rethink telework security
Although the breaches remain under investigation and no official culprit
has been named, the hack at the U.S. Postal Service prompted the agency to
suspend its telework program. In light of this breach and others at the
White House and State Department, agencies might need to take a closer look at
the security of the virtual private networks (VPNs) their employees use while
draws ire of Congress over data breach response
The United States Postal Service (USPS) was scolded by members of a
congressional subcommittee Nov. 19 in a hearing over its response to the recent
data breach that impacted its network and employees. Members of the USPS
were questioned over its response and notification time related to the incident
which affected more than 800,000 USPS employees.
was missing in action on Election Day
The Hill (opinion)
The year was full of headlines detailing the latest cyber crimes, yet the
one area missing from the pre-election dialogue was a serious discussion about
cybersecurity. The failure of our candidates and political leaders to
clearly articulate the cyber threats facing the nation is practically a
dereliction of duty. The candidates had ample material to work with, yet they
chose not to use the material.
Ops wants next-gen device-cracking tools
When forces come across a PC, smartphone, tablet or other device while on a
mission, they want to extract as much information from it in as little time as
possible. That's why Special Operations Forces are looking for the next
generation of devices that allow them to quickly crack into computing devices
retrieved on the battlefield. In a request for information, the Special
Operations Command said it, along with other DoD and IC organizations, wants to
evaluate the latest tactical Document and Media Exploitation (DOMEX) tools, and
sets strict timeframes for what those tools can accomplish.
with government-issued mobile devices about to become fewer, prouder
Federal News Radio
Many members of the Marine Corps who currently have access to a government-issued
BlackBerry had better start weaning themselves off. The Marine Corps'
internal budget shakeout for 2015 was particularly unkind to Headquarters
Marine Corps' operating and maintenance budget for mobile devices, which pays
for not just the phones issued to the top brass, but for about one-fifth of
all of the mobiles issued to Marines around the world. That budget had seven
figures in 2014, but it will be a five-figure budget in 2015.
security requirements drive commercial smartphone development
The Defense Department has long been the gold standard for securing and
adopting technology in the federal government. Companies know if their solution
is good enough for DOD, it’s likely to meet requirements set by civilian
agencies and even their commercial customers. In the mobility space, that’s a
winning value proposition for big-name companies such as Samsung and Apple.
While DOD may be only a small fraction of their customer base, the payoff for
catering to DOD could be huge. As part of this, the Marine Corps is partnering
with industry to adopt a BYOD solution that could also benefit other
Army cyber, it's on-the-job training
The command sergeant major helping the Army develop its new branch for
cybersecurity issues is confident that, despite the organizational challenges,
the command can meet Army leaders' expectations for improving the service's
cybersecurity capabilities. The other military services "don't have
the operational requirement to push cyber capabilities down to the tactical
level like the Army does," Cyber Command Sgt. Maj. Rodney Harris said in a
the grid needs CDM
A new study by the Chertoff Group, "Addressing Dynamic Threats to the
Electric Power Grid Through Surveillance," outlines the measures underway
among providers and the U.S. government to share data in a risk management
approach to security and the role risk management procedures had in dealing
with Hurricane Sandy and a 2013 attack on Pacific Gas and Electric's Metcalf
electrical substation. The study recommends additional investments in critical
infrastructure, including enhanced cross-sector security coordination, and
increased awareness and adoption of continuous diagnostics and mitigation
(CDM), which offers much-needed dynamic awareness and assessment of security control,
rather than annual or quarterly security review.
security needs big data
The traditional approach to network security, relying on perimeter-centric
strategies, is failing. Studies have shown that between 66% and 90% of data
breaches are identified, not by the organizations that are breached, but by
third parties. One alternative that is a strong candidate to improve the
security situation is the zero-trust model (ZTM). This aggressive approach to
network security monitors every piece of data possible, under the assumption
that every file is a potential threat.
credentials to roll out across DoD by July 2015
C4ISR & Networks
Personnel in the DoD Office of the Chief Information Officer are piloting
the use of derived credentials to send secure emails on their mobile devices
without having to go through the added steps of plugging in an authorized
common access card (CAC). Employees began using this system at the end of
September and the DoD plans to expand utilization across the department’s
agencies and services by July 2015.
kills dreaded biometric deportation program
As part of broad Obama administration executive action to fix the
immigration system, the Department of Homeland Security will abandon a
controversial deportation program that relied on biometric identification and
replace it with a more targeted extradition approach. In the past, under the
Secure Communities program, immigration authorities would cross-check
foreigners’ fingerprints against prints in the FBI's criminal database to
identify criminals. The new approach, called the Priority Enforcement Program, shares
the same databases and the same goal -- removing the most dangerous immigrants,
but it narrows the scope of criminal activities that would be grounds for
attacked the U.S. energy grid 79 times this year
In FY 2014, there were 79 hacking incidents at energy companies that were
investigated by DHS's Computer Emergency Readiness Team, compared to 145
incidents the previous year. But the outermost defenses aren't holding up, as between
April 2013 and 2014, hackers managed to break into 37% of energy companies,
according to a survey. One cybersecurity firm identified nearly 50 types of
malware that specifically target energy companies in 2013, and another firm
said energy firms get hit with more spy malware than other industries.
U.S. government thinks China could take down the power grid
China and "probably one or two other" countries have the capacity
to shut down the nation's power grid and other critical infrastructure through
a cyber attack, says Adm. Michael Rogers, the head of the NSA, who also warns
such attacks are part of the "coming trends" he sees based on
"reconnaissance" currently taking place that nation-states, or other
actors may use to exploit vulnerabilities in U.S. cyber systems. A recent
report by Mandiant found that hackers working on behalf of the Chinese
government were able to penetrate American public utility systems that service
everything from power generation, to the movement of water and fuel across the
powers steal data on critical U.S. infrastructure, NSA chief says
The Washington Post
Several foreign countries, including China, have infiltrated the computers
of critical industries in the United States to steal information that could be
used in the planning of a destructive attack, the director of the National
Security Agency said Nov. 20. That was
one of the cyberthreats outlined at a congressional hearing by Adm. Michael S.
Rogers, who also said he expects that criminal gangs may become proxies for
nations carrying out attacks on other nations.
chief worries most about cyberattacks on industrial systems
Multiple nation-states are investing in their capabilities to hack critical
U.S. infrastructure, making defense of those networks a top priority, U.S.
National Security Agency chief Admiral Mike Rogers said Nov. 20 at a
congressional hearing. Attackers are
seeking detailed information on how industrial control systems work, and Rogers
warned industrial control systems are "big growth areas of vulnerability
and action that we are going to see in the coming 12 months and it's among the
things that concern me the most."
cyber espionage under the microscope
A study of published intelligence on three major malware families used in
Russia's cyber espionage operations shows a highly coordinated, targeted, and
stealthy strategy. Russia mostly has
been known for its notorious cybercrime underground, but its cyber espionage
activity over the past year has come into sharper focus after a wave of
publicized targeted cyberspying campaigns. China, meanwhile, has been spotted
operating pervasive cyber espionage to pilfer intellectual property.
experts talk cybersecurity at NVTC panel
Loudoun (Virginia) Times
To deal with cybercrime, government agencies and the private sector need
consistent and cooperative collaboration, the intelligence community needs more
staffing and the U.S. must play both “offense and defense” to combat threats
and attacks, said homeland security experts at a Northern Virginia Technology
Council event Nov. 18. Key themes
consistently touched on during the discussion were opening up communication
between agencies and the private sector and pressing Congress to update
adds schools to its first responder communication system
In Ohio, the state government has expanded its wireless emergency communications
by offering radios for schools to communicate directly with local law
enforcement during a life-threatening situation. The system's special school radios include
an orange emergency button that, when pressed, connects schools with a local
dispatcher. The dispatcher hears what's happening and pages law enforcement and
other first responders, who are immediately deployed to the scene.
your pacemaker can get hacked
Concern about the vulnerability of medical devices like insulin pumps,
defibrillators, fetal monitors, and scanners is growing as healthcare
facilities increasingly rely on devices that connect with each other, with
hospital medical-record systems, and—directly or not—with the Internet. While
there have been no confirmed reports of cyber criminals gaining access to a
medical device and harming patients, DHS is investigating potential
vulnerabilities in about two dozen devices.
needed to spur cyber skills development
The United States needs a "cyber-Sputnik" incident to jumpstart
the nation’s development of the cybersecurity analyst workforce and regulations
it needs, according to Mike McConnell, a former top military and intelligence
official. He warned U.S. dependence on
its digital infrastructure has introduced into the nation’s critical
infrastructure a level of vulnerability to cyberattacks, which could disrupt
delivery of water, food, money and electric power, and could cause strategic
damage, particularly for the oil and gas industry.
fed cybersecurity plan stalls
The latest phase of DHS's $3 billion Einstein cybersecurity program
designed to protect federal computer networks from hackers is stalled because
of a dispute about who will be legally liable if the system goes wrong. Two major
providers of Internet service to the U.S. government — CenturyLink and Verizon
— have each signed a contract to operate Einstein, but AT&T won’t sign
until it gets a formal guarantee of liability protection — an assurance the
other companies didn’t ask for or get.
delivering IT capabilities 20 days faster by using agile, OMB says
Federal News Radio
There is clear evidence that the agile software development concept is
leading to more successful federal technology projects. Lisa Schlosser, the acting federal chief
information officer, said data the Office of Management and Budget has
collected over the last year prove agile or modular development makes sense for
and can work well in the government.
chief: Damaging cyber-attack coming
Gov Info Security
The director of the National Security Agency, Navy Admiral Michael Rogers,
says he expects to see adversaries launch a cyber-attack in the next few years
aimed at severely damaging America's critical infrastructure. Rogers, who also serves as commander of the
U.S. Cyber Command, said the government is better prepared to defend against
those attacks than it was two years ago. Although he wouldn't provide details publicly,
Rogers said he's confident about the processes established to mount a
cyber-defense of the nation's critical infrastructure.
NARA move to secure federal data on outside systems
The National Institute of Standards and Technology has new recommendations
for securing sensitive data on IT systems at companies that work for the
government. The draft standards, released Nov. 18, are aimed at contractors and
other nonfederal organizations that store federal controlled but unclassified
information (CUI) in the course of their work.
issues FISMA-based data security guidance for non-federal entities
Fierce Government IT
Non-federal organizations such as contractors, state governments and
academic institutions often handle controlled unclassified information, and NIST
is offering specific FISMA-based guidance on protecting that information. The
guidance will help ensure that consistent and substantive security requirements
are applied to controlled unclassified information as it passes from public to
private sector, according to a draft publication issued by NIST Nov. 18.
cloud spending projected to soar -- just not quite yet
New projections from Deltek's Federal Industry Analysis team predict that
spending on federal cloud computing services will climb rapidly over the next
five years, hitting $6.5 billion in fiscal year 2019. The report projects a
compound annual growth rate of 21 percent, even with an initial dip in spending
due to cloud-adoption challenges. Deltek
also identified seven trends shaping many agencies' cloud investment decisions.
public cloud for NOAA
The National Oceanic and Atmospheric Administration has issued a request
for information on an infrastructure-as-a-service (IaaS) cloud, part of its
ongoing efforts to drive down IT costs and meet parameters set by the Federal
Data Center Consolidation Initiative, the cloud-first policy, and the 25-Point
Implementation Plan to Reform Federal IT. The IaaS-based
public cloud would provide virtualization, storage services, network bandwidth,
and management tools and capabilities.
Dept. restores email after cyber attack
The State Department said its external email system was back up Nov. 18 following
a cyber breach. The department had taken the system offline Nov. 14 in order to
bolster security measures following a breach discovered in late October. It called the move then an update that was
part of a "scheduled outage."
demand answers in State Dept. cyber-attack
Democrats on the House Government Oversight Committee are demanding answers
about a suspected cyber-attack that shut down the State Department's
unclassified email system. In a letter to Secretary of State John Kerry, lawmakers
requested details about the data breach -- including when it was first
discovered -- and also what steps the State Department has taken to protect its
information systems since the attack.
How the Postal Service data breach went down
U.S. Postal Service officials are revealing more about the cyber intrusion
at the agency that exposed the personal data of about 800,000 USPS employees. The incident commander on the case gave a
congressional committee Nov. 19 a nearly day-by-day timeline of the incident --
from the time DHS first notified the agency of suspicious network activity to
when postal officials first notified employees of the breach nearly two months
vote to rein in NSA spying falls short
Senate Republicans blocked legislation Nov. 18 that would limit the
government's sweeping domestic spying powers, dealing a massive blow to the
post-Snowden efforts to reform the U.S. surveillance state. The bill, which
first emerged in Congress in the months following former NSA contractor Edward
Snowden's leaks, was widely supported by the tech industry, privacy and
civil-liberties advocates, the Obama administration, and even senior members of
the intelligence community.
biggest IT initiatives focus on securing DoD networks
C4ISR & Networks
It’s been a busy year at DISA, where the military saw significant changes
in how DoD handles major IT initiatives including cloud computing, mobility,
joint regional security stacks and the Joint Information Environment (JIE). These
changes are still taking shape against a backdrop of institutional shifts at
DISA, where a reorganization is restructuring some of the agency’s functions
and officials are preparing to play a key role in a new joint force headquarters
dedicated to DoD network defenses.
mobility trump bureaucracy at DOD?
The Defense Department's goal of efficiently deploying commercially
available mobile devices may be up against bureaucratic inertia, but the director
of C4 and information infrastructure in the DOD CIO's office sees the upside of
mobile technology for soldiers as too big for the status quo to hold. The
defense mobility landscape has shifted at least somewhat in recent years as DOD
carried out a range of non-BlackBerry mobile pilot programs.
launches largest cyber exercise to test its network security
In an effort to test its defenses against cyberattacks and ensure it keeps
pace with evolving threats, NATO has launched a multinational cybersecurity
exercise on its networks. On Nov. 18, the organization went live with the exercise,
dubbed "Cyber Coalition 2014," to test its systems and gauge whether
the security specialists on its team "are fully up to the task."
State Department hit in cyberattack that also compromised White House
The State Department is the most recent federal agency to admit to a breach of its cyber networks, reportedly shutting down its email systems to remediate an intrusion into its unclassified network that was part of the same attack on the White House’s unclassified systems in October, widely attributed to Russian state actors. One expert speculated the attack was likely in the form of spear-phishing.
Is State’s reluctance to disclose hack a double standard?
After a hack on State Department networks detected at least a month ago but only revealed Nov. 16, U.S. officials aren't sharing much information about the potential ramifications for the agency and its employees, and lawmakers on both sides of the aisle are demanding answers. State’s silence is somewhat at odds with the Obama administration's insistence that critical sectors, which include banking, energy and government, share information about threats and timely disclose breaches of personal information.
NOAA blames China in hack, breaks disclosure rules
The National Oceanic and Atmospheric Administration finally confirms that four National Weather Service websites were attacked and taken down in September, but details are sketchy and officials want answers. Rep. Frank R. Wolf (R-VA) says NOAA told him that China was behind the attacks, but no evidence has been released to support that theory.
Safe tether: Wearables
For today's warfighters, no longer armed just with a laptop but also with mobile phones, tablets and a growing array of personal “smart” technology, the threats can be hard to detect, harder to anticipate and nearly impossible to completely fend off. Indeed, experts paint a grim picture of potentially expanding vulnerabilities, as wearable devices efficiently monitor user activity, but also open new targets for malware authors.
Why cyber took a back seat in Beijing
In advance of President Barack Obama's Nov. 11 meeting with Chinese President Xi Jinping, a White House official implied that Obama would be blunt with Xi on what the U.S. sees as China's transgressions in cyberspace, and also try to revive a bilateral working group on the issue. Obama may well have pushed for a breakthrough on cybersecurity in his five-hour meeting with Xi, but one was not forthcoming, and there are various possible explanations.
CDM confusion offers sales opportunities
Washington Technology (op-ed)
The Homeland Security Department needs to improve outreach to other organizations about the cybersecurity contract known as Continuous Diagnostics and Mitigation (CDM), and the word especially needs to reach contracting officials. Without better information from DHS, we’ll continue to see confusion as to the extent that agencies are able to make use of this security vehicle. Even more importantly for government contractors, industry must help spread the message of CDM.
Auditors: State Department has history of poor cybersecurity
The State Department, which shut down its unclassified email system and cut off Internet access to deal with a suspected online attack, has a history of weak cybersecurity, and it grew worse over the last four years, according to auditors. More than 100 different systems at State have shown consistently similar problems since September 2009, auditors said recently, and ineffective cyber risk management is “undoubtedly systemic in nature, requiring global measures in attempt to remedy this deficiency.” The department’s annual FISMA compliance score went from 79.4 percent in FY 2010, to 51 percent in FY 2013. Compliance scores went down each year, and OMB rates State as the fourth worst agency in cybersecurity among the 23 major civilian departments and agencies.
VA fails cybersecurity audit for 16th straight year
Federal News Radio
Despite what Veterans Affairs leaders said was progress toward shoring up their IT security processes, the department will receive a failing grade on a key annual cybersecurity audit — the 16th consecutive year in which it's fallen short. The VA inspector general has reportedly concluded, once again, that VA has significant material weaknesses with its compliance with the Federal Information Security Management Act (FISMA).
VA misses targets for fixing IT security risks
The Department of Veterans Affairs did not pass its fiscal 2014 IT security audit, conducted by the agency inspector general's office. The not-yet-released audit, which determines compliance with the Federal Information Security Management Act, found unremediated security risks in VA's sprawling network of systems and connected devices.
Former DHS official: Response to USIS hack could have been better coordinated
A former Department of Homeland Security official thinks DHS's response to the large-scale hack of U.S. Investigations Services could have been more coordinated. USIS notified OPM of the breach in early June, and the firm then sent a memo June 17 notifying the procurement shops of "15 large [federal] agencies." DHS' procurement office relayed news of the breach to its main security office, which then contacted the department’s U.S. Computer Emergency Readiness Team, but it took some time for U.S. CERT, which is responsible for alerting industry and other government agencies to cyberattacks, to determine the nature and scope of the breach.
The enemy who is us: DoD puts contractors on notice for insider threats
Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. But that is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.
Pentagon integrates technology with wearable equipment
The Department of Defense wants to give airmen and soldiers an advantage in combat by integrating technology with lightweight wearable equipment. The Pentagon has invested millions of dollars to make the size, weight and power of wearable technology and equipment smaller and easier for troops to carry, and DoD needs have prompted defense contractors to develop wearable technologies in the hopes of tapping into a new market.
Air Force getting a grip on its cyber weapons
In 2013, the Air Force classified six of its cyber capabilities as weapons systems, a designation that underscored the importance of IT systems and security to military operations.
For the Air Force, managing those systems involves a global approach to cyber defense, applying the same systems, standards and practices to all bases and the Air Force Information Network infrastructure. The center for this approach is Hanscom AFB, where all six of the cyber weapons systems are managed by the Command, Control, Communications, Intelligence and Networks Directorate, although three of the program offices are located at Joint Base San Antonio-Lackland, Texas.
Senators push state cyber plan
The four U.S. Senators from New York and New Jersey are getting behind an Army National Guard effort to form a joint cyber protection team, telling the acting director of the Army National Guard that state National Guards have “positioned themselves well for success” in protecting the region. The Army National Guard is currently in the process of selecting units from throughout the country to form multi-state cyber protection teams. The National Defense Authorization Act currently pending in Congress would require the Pentagon to begin planning for a cyber team in each state’s reserve forces.
NSA turns to the cloud to help manage data deluge
As private sector companies were beginning to turn to the cloud for cheaper, scalable on-demand computing, the NSA came to consider the approach as its best bet to manage its deluge of data. In 2010, NSA decided to pursue cloud as its “repository of choice”—a common space where all analysts could look across the agency’s entire river of collected information.