Is government doing too much on cyber-response?
Large, private-sector firms would be better first responders than government agencies in the event of a systemic cyberattack, according to a report released April 16 by the Atlantic Council. The report says "Governments...cannot scale as easily as the private sector, and lack agility and subject matter expertise." As such, federal resources are best spent funding private-sector R&D, rather than the government itself trying to keep pace with advances in cybersecurity.
The secrets behind the undisclosed Chinese cyber threat
IT Governance (U.K.)
A number of major western companies and government agencies have been attacked by hackers in recent years, but many organizations choose to remain silent about the attacks. Many attacks are believed to have originated in China, but that remains difficult to prove so victims are hesitant to point the finger. Also, blaming China could make it difficult for large organizations to do business with the world's second largest economy.
Federal CIOs moving cybersecurity beyond compliance
As federal agencies struggle to keep pace with the mounting threats to their far-flung digital systems, IT professionals must move away from treating security as a compliance exercise and adopt dynamic, real-time (continuous) monitoring, government CIOs said in a recent panel discussion.
U.S. SEC releases cyber security examination blueprint
The Securities and Exchange Commission (SEC) has unveiled a road map that lays out how they plan to make sure Wall Street firms are prepared to detect and prevent cyber security attacks. The nine-page document, posted April 15, contains examples of the questions SEC examiners might ask brokerages and asset managers during inspections and puts firms on alert to also be prepared to provide information about past breaches.
GAO report knocks SEC for cybersecurity failings
A GAO report criticizes the Securities and Exchange Commission (SEC) for failing to consistently identify and authenticate users and encrypt sensitive data, and to apply software patches intended to fix vulnerabilities to servers and databases in a "timely manner," permitting an inadequate segregation of duties in its development and production environments, and failing to develop a disaster recovery plan that ensured the redundancy of a critical server.
Long: NGA is moving toward 'immersive intelligence'
Of the 17 U.S. intelligence agencies, the National Geospatial-Intelligence Agency is best suited to turn big data into actionable intelligence, NGA Director Letitia Long said. She said in an April 14 interview that mapping is what her 14,500-person agency does, and every iota of intelligence can be attributed to some physical point on Earth.
States advance breach notification laws
Gov Info Security
As Congress dawdles over enactment of a national data breach notification law, several states are taking steps to strengthen consumers' rights and require notification when breaches occur. The actions by the various states - and the failure of Congress to act - further muddles matters for businesses and other organizations that must comply with 47 different state breach notification laws.
Northrop CEO urges Congress to pass cybersecurity legislation
Northrop Grumman Corp is urging Congress to enact cybersecurity legislation that would limit the liability of U.S. companies to allow better information sharing between industry and government, and enable them to take more decisive action to protect their computer networks. Disagreements over liability and other issues have thwarted passage of any cyber security bills thus far.
Cyber warriors fought between the government and the security industry
In an effort to attract cybersecurity experts, a government program started in 2000, codenamed CyberCorps, promotes a series of activities to develop cyber security capabilities within universities. Despite these and other initiatives, the government has to face another serious problem: the migration of its most skilled cyber personnel from government agencies to private industry, attracted by higher earnings in the private sector.
DoD reshapes R&D, betting on future technology
Overall, DoD wants to keep spending on RDT&E — research, development, test and evaluation — relatively close to the $63 billion the department will spend in 2014. That's about $36 billion less than the amount that will be spent on procurement in 2014, but under the president's 2015 budget proposal, that gap would close to about $26 billion next year, as leaders are trying to protect research and development funding. But within that flat RDT&E budget, a radical shift is underway.
Global privileged identity management market 2014-2018
PR Newswire (news release)
Research and Markets has released its "Global Privileged Identity Management Market 2014-2018" report. The analysts forecast the Global Privileged Identity Management market to grow at a CAGR of 26.6 percent over the period 2014-2018, due in large part to the growing compliance requirement. The market has been witnessing the availability of cloud-based solutions, but the increasing complexity of network infrastructure could pose a challenge to the growth of this market.
Shops launch effort to fight cyberattacks
The Hill - Hillicon Valley (blog) 04/14/14
Retailers are creating a new system to share information and help fight cyber threats. The National Retail Federation says the new platform, modeled after a financial industry forum, is scheduled to be up and running in June. Establishing the information-sharing and analysis center to help stores beef up their defenses against hackers follows a recent decision by the Justice Department and the FTC that businesses can share cyberthreats information without violating antitrust laws.
Major cyber attack on electric, gas, water distribution systems in U.S.
Cyber War Zone
Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption, state utility regulators said April 14. Security challenges are constantly evolving and "becoming more sophisticated and nefarious," and the ability of utilities to detect and stop penetration must constantly improve, the Public Utilities Regulatory Authority said in its report.
Google knew about Heartbleed and didn't tell the government
Google reportedly knew about the Heartbleed Internet security flaw for some time and did not alert anyone in the government. A Google engineer first discovered the bug, which undermines the widely used encryption technology OpenSSL, sometime in March, and the company was able to patch most of its services before publicizing the bug on April 7. But the White House says that no one in the federal government knew about the problem until April.
When governments attack — online
Some nations are using hackers to conduct malware attacks to watch over activists and even to acquire intellectual property to support businesses on their own turf, whilst hoping to gather data related to national security (like military secrets), and a broad range of industries fall into the bull's-eye of such attacks.
DHS plans for single awards under $6B cyber contract
Competition under the Homeland Security Department's $6 billion cyber contract will be especially fierce over the coming months, with fewer than expected awards for continuous monitoring products and services. Rather than selecting multiple winners for its upcoming string of task orders, DHS is expected to make single awards. The next six task orders will cover products and services needs for multiple agencies, which will mean big business for the winning vendors.
Is your agency ready for the cloud security deadline in June?
June 5 is the deadline for federal agencies to adhere to the government's baseline cloud security standards -- the Federal Risk and Authorization Management Program (FedRAMP) -- and those that fail to do so risk falling in the crosshairs of oversight bodies like inspectors general or the GAO. Around the same time, the GSA is expected to update FedRAMP's baseline security controls, which will be based on NIST's fourth revision to SP 800-53, issued a year ago.
Study says national cyber plan hurts US
The Hill - Hillicon Valley (blog)
A new report from George Mason University's Mercatus Center claims that NIST's voluntary cybersecurity framework could end up undermining the online protections it seeks. The report claims the plan amounts to "opaque control" of the Internet, which could undermine the "spontaneous, creative sources of experimentation and feedback that drive Internet innovation." The authors say industry norms and market trends "are more robust, effective, and affordable than state-directed alternatives."
'Baby teeth' in infrastructure cyber security framework
NIST's Cybersecurity Framework to improve security at IT infrastructure in airports, utilities, and other critical areas is a modest effort. There are no teeth, as compliance is voluntary -- in fact, it's not even clear what compliance would be, which makes this document a relatively small step in the direction of improved security. But if it can provide a common way of characterizing security programs, it could be a big enabler.
Federal IT security policies must be user friendly
Preventing and containing data breaches has proven to be a difficult, ongoing undertaking for federal agencies and a significant drain on resources. Considering the public sector's strict IT budget, getting out ahead of security issues before they occur is no small task. Given these challenges, agencies should choose security tools and policies that suit the productivity needs of their employees.
The U.S. Government wants 6,000 new 'cyber warriors' by 2016
Bloomberg Business Week
The Pentagon plans to triple its cybersecurity staff by 2016, U.S. Secretary of Defense Chuck Hagel announced recently, and a few days later, an FBI official said that his agency's cyber division plans to hire 1,000 agents and 1,000 analysts in the coming year. Just those two agencies are looking for 6,000 people with cybersecurity skills in the next two years. That's a very tall order, and a look at one way the government has tried to build and recruit such talent shows why.
DARPA calls for new cutting-edge technologies
The Defense Advanced Research Projects Agency's Tactical Technology Office is looking for some of the next groundbreaking technologies for land, sea, air and space forces. The agency is calling for executive summaries, proposals, and white papers for advanced research of innovative systems, according to a DARPA announcement, focusing on agile systems development, collaborative autonomy and reducing costs in specified areas.
DARPA explores drone-powered Wi-Fi
Defense Department technology researchers are putting high-speed mobile hotspots on drones to carry long-range, high-capacity wireless hotspots over places where network access is scarce or absent. The Defense Advanced Research Project Agency (DARPA) said in early April that it is making progress in providing 1 GB, 4G-like wireless millimeter wave backbone communications links to military units by mounting advanced hotspot gear to small unmanned aerial drones.
Why too many technology solutions fall short
Maj. Gen. Brett T. Williams, director of operations at U.S. Cyber Command, writes that IT acquisition is hard because the delivered solution frequently falls short in one, if not all three, of the following areas: it is over budget; it does not satisfy the end user; or it is a cybersecurity challenge. He says solutions fail because we haven't balanced risk among three groups that have competing equities in IT acquisition - those controlling the money; those operating and defending the DoD information network; and operators down the line.
DOD, intell community push forward on joint IT environment
C4ISR & Networks
DoD and the intelligence community have been working for five years on a joint information-sharing framework designed to connect the most remote corners of military operations. The Defense Intelligence Information Enterprise (DI2E) aims to bridge disconnected DoD and intelligence community information, teams, tools and technologies. The effort continues to evolve, and the need for DI2E is only growing in urgency as wartime operations increasingly hinge on data.
From the cloud to your Pentagon-issued phone
Defense officials are in the process of figuring out how to adapt Web-based collaboration tools into apps that can be accessed from any computer, including tablets and smartphones. DoD is partnering with vendors so that as they develop cloud services, those programs can be accessed from mobile devices. For example, DISA has begun to merge cloud and mobile with a cloud-based email service that can be accessed from smartphones. An app store in the works is expected to propel the convergence.
Navy committed, but cautious, on Joint Information Environment
The Navy is on board with the Defense Department's Joint Information Environment (JIE), but does want to address concerns over security, cost and standards, Navy IT leaders said April 8. JIE is the Pentagon's initiative to converge DoD networks into a common, global, cloud-based system that shares services such as email, Internet access and applications across the services. While the Navy agrees with the concept of JIE, its leaders just want to ensure that the transition "works for the Navy and Marine Corps."
Qualifying Cyber Command staff is harder than you think
The Coast Guard Cyber Command aims to qualify a couple of service members for what Pentagon officials have said will be a 2,000-member force within the next two years. It will take all the military services a lot of time and money to get their members qualified for the force, but for the Coast Guard, the task is even harder because it has no dedicated cyber school and splits its activities between defense and homeland security.
Details emerge on scope of FBI's identification system
By the end of next year, the FBI's Next Generation Identification system will contain as many as 52 million searchable facial images and offer new ways to link images to other data. The FBI has not previously linked its criminal and non-criminal databases, but with NGI every search will be run against all records in the database. Also, a new "biometric set identifier" field on the Identity History Summary will provide pointers for all biometric types associated with an identity search.
DHS puts critical infrastructure on 'Heartbleed Bug' alert
Critical infrastructure operators are now being alerted to the far reaching impact of a critical OpenSSL flaw, dubbed the "Heartbleed Bug." On April 11, the Department of Homeland Security warned of attackers potentially exploiting critical, unpatched systems impacted by the vulnerability. DHS' Industrial Control System-Cyber Emergency Response Team (ICS-CERT) reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing, and financial systems.
DHS alert: Heartbleed may have been used against industrial control systems
The Christian Science Monitor
The threat from the Heartbleed cyber vulnerability could reach into the industrial systems that power the US economy, apparently including those used to operate the power grid. Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert April 11.
Federal websites avoid Heartbleed risks, DHS says
The government's main public websites are not at risk from the security vulnerability Heartbleed, the Homeland Security Department said April 11, although many of the sites -- including HealthCare.gov -- were built on systems that were susceptible. Officials declined to provide details on how sites hosted by compromised systems were immune from the possibility of hacks exploiting the Heartbleed bug.
Govs run the Heartbleed bug test
Governments at all levels in the U.S. are not immune from the Heartbleed bug's impact, and public sector agencies that host sites containing citizen data are absolutely worried about the newly discovered vulnerability. One state security official said "public agencies are scrambling to test their sites, and if they determine they are vulnerable, they are working to immediately put in place compensating controls and ultimately fix the problem."
NSA reportedly exploited Heartbleed for spying—But strongly denies the allegation
The National Security Agency reportedly knew of and exploited the massive Internet bug recently revealed to the public and known now as "Heartbleed" in order to gather intelligence information on targets. Instead of trying to repair that flaw -- which has potentially impacted countless people -- the NSA reportedly manipulated it in secret. In a statement April 11, the NSA denied the report.
Website admins will be busy dealing with Heartbleed
Website and server administrators will have to spend considerable time, effort and money to mitigate all the security risks associated with the Heartbleed vulnerability. The flaw is not the result of a cryptographic weakness in the widely used TLS (Transport Layer Security) or SSL (Secure Sockets Layer) communication protocols, but stems from a rather mundane programming error in OpenSSL, used by various operating systems, Web server software, browsers, mobile applications and even hardware appliances and embedded systems.
HHS CISO on healthcare cybersecurity
Gov Info Security
Many healthcare organizations need to improve their basic cybersecurity "blocking and tackling," and most also need to improve their willingness to share cyber-security information, says Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services. In this interview, Charest also discusses emerging cybersecurity threats facing the healthcare sector and ongoing security efforts of HealthCare.gov.
Iranian-based cyberattack activity on the rise, Mandiant report says
The worlds of politics and business often intersect in the physical world and in cyberspace, and 2013 saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action in attacks against the private sector. But while much attention has focused on Chinese cyberespionage and attacks, increased activity by attackers with suspected links to Iran and Syria is increasingly catching the attention of security experts.
Could Russia use cyberwarfare to further destabilize Ukraine?
Eastern Ukraine is full of rioters ready to separate from their nation's government in Kiev — at least, that's the message the Russian government may want to project to the world. And analysts believe the Kremlin could use cyberattacks to create more chaos and support its objectives. The Kremlin is pushing the line that there is a widespread separatist movement in the eastern part of Ukraine that the government in Kiev cannot control, and experts think the Russian government could up its game with a subtle cyber strategy.
Malware found on computers of Germany's space center, evidence points to China
The German Aerospace Center (DLR), the country's national center for aerospace, energy and transportation research, has been reportedly targeted in a cyberattack apparently launched by a Chinese intelligence agency. According to Der Spiegel, computers used by administrators and scientists have been found to be infected with Trojans and spyware, and the cyberattacks appear to be sophisticated. The attacks are said to impact all operating systems used by the DLR.
Wearables sales tripled in a year—and will grow 500 percent by 2018, study says
Research firm IDC says sales of wearables have more than tripled in one year's time, and will grow about 500 percent in the next four years. In its just-released forecast analysis, IDC reports that total global wearables sales will exceed 19 million units this year and will hit 111.9 million units in 2018, resulting in a compound annual growth rate of 78.4 percent and a total sales increase of just under 500 percent.
Wearables market to take off, hit 112M devices in 2018
Wearable computers "took a huge step forward" in the last year, and shipments of smartwatches and related devices will grow by 78% a year until 2018, IDC said in a report issued April 10. IDC for the first time issued a wearables forecast that divides the market into three categories ranging from low-cost, simple devices to higher-cost products with expanded capabilities. The three categories are dubbed complex accessories, smart accessories and smart wearables.
Feds are OK with cyberthreat info sharing, say it's not an antitrust violation
U.S. businesses can share most cyberthreat information with competitors without facing antitrust enforcement action, two U.S. enforcement agencies said April 10. The policy statement came from the Department of Justice and the Federal Trade Commission. White House cybersecurity coordinator Michael Daniels added that the U.S. government wants companies to share threat information with each other and with government agencies focused on cybersecurity.
US says cybersecurity sharing not an antitrust issue
Amid heightened concerns about data breaches and malware that can foil online encryption to allow hackers to steal passwords or other personal data, US officials announced April 10 that companies sharing information about cybersecurity would not face prosecution on antitrust grounds. The Justice Department and Federal Trade Commission said they have issued formal guidance telling companies that there would be no antitrust issues from the sharing of technical information about cyberattacks, malware or similar threats.
U.S. rallied 120 nations in response to 2012 cyberattack on American banks
The Washington Post
In 2012, some of the largest U.S. banks were under cyberattack, with hackers commandeering servers around the world to direct a barrage of Internet traffic toward the banks' Web sites and bringing the sites down for hours at a time. Wary of provoking even more intense attacks, the Obama administration rejected an option to hack into the adversary's network in Iran and squelch the problem at its source, and instead appealed to more than 100 countries to choke off the debilitating computer traffic at nodes around the world.
Obama lets N.S.A. exploit some Internet flaws, officials say
The New York Times
President Obama decided in January that when the NSA discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks. But he carved a broad exception for "a clear national security or law enforcement need," a loophole that is likely to allow the NSA to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
Obama backs disclosure of most software flaws
According to the Office of the Director of National Intelligence, the Obama administration favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need. This statement also denied a report that said the NSA knew about the recently identified Heartbleed vulnerability for at least two years and had used it for surveillance purposes.
DoD to scrutinize GSA prices
The GSA promotes its supply schedules as offering agencies the lowest prices for commercial products and services, but the Defense Department believes it doesn't always get the best deals on GSA schedules. A DoD class deviation policy dated March 13 requires contracting officers to determine whether GSA's prices are in fact fair and reasonable, and a Pentagon official said DoD is working to address the variable pricing on its schedules and has taken several steps to lower prices.
Marines test mobile tablets
C4ISR & Networks
The Marine Corps is testing hand-held tablet computers designed to give ground troops real-time target intelligence, and officials say this technological development will change how the service carries out crisis-response missions in hostile parts of the world.
Army intelligence system gets new geospatial tools
As an improvement for the Army's Distributed Common Ground System-Army (DCGS-A), the service's common system for gathering, analyzing and sharing intelligence information from different echelons, Esri has provided a revised set of customized templates that include maps, analytic capabilities and other visualization tools. DCGS-A is capable of providing planning and direction, collection, processing/exploitation, analysis, prediction and production, battlespace awareness data dissemination, and relay capabilities.
Navy struggles to streamline IT
C4ISR & Networks
Across the Defense Department, IT consolidation serves as a prime way to achieve cost efficiencies in the search for savings. Indeed, data center consolidation is a high priority across the government, not just for DoD. But just because it's widespread doesn't mean it's easy. The Navy has been on a multi-year mission to pare down its duplicative networks, data centers and business systems, achieving savings along the way, but the process remains difficult and rife with challenges, according to officials.
DOD expands use of IT Dashboard
In its fiscal 2015 submission to the federal IT Dashboard, the Defense Department has reported more than $2.5 billion in ongoing IT projects that were not listed last year, raising the number of DoD IT projects from 93 to 118. Those are not new projects, but rather an update that reflects the increasing pressure to get DoD to comply with OMB's IT reporting requirements. Congress hopes uniform reporting will give a more accurate picture of the department's $31 billion worth of non-classified IT spending.