links North Korea to Sony hacking
The New York Times
American intelligence officials have concluded that the North Korean
government was “centrally involved” in the recent attacks on Sony Pictures’s
computers, a determination reached just as Sony canceled its release of
"The Interview," which is based on a plot to assassinate Kim Jong-un,
the North Korean leader. Some within the administration argue that the North
Korean government must be directly confronted, but that raises the question of
what consequences the U.S. would threaten — or how much of its evidence it
could make public without revealing details of how the U.S. was able to
penetrate North Korean computer networks to trace the source of the hacking.
insurance might not cover losses at Sony Pictures
Documents leaked by the group claiming responsibility for the attack on
Sony Pictures show that the company has upwards of $60 million in cyber
insurance coverage after consolidating coverage with Sony Corporation of
America. The problem is, many cyber insurance experts feel that $60 million
isn't enough for a company Sony's size.
query banks about data security
In letters to 16 financial institutions, federal legislators requested
information about data security and whether the bank had been subjected to any
cyber attacks over the previous year. Sen. Elizabeth Warren (D-MA) and Rep.
Elijah Cummings (D-MD) asked the institutions detailed questions about the protections
in place for sensitive data and the scope and impact of any attacks they may
have suffered. In addition to answers, the lawmakers instructed the recipients
to provide a briefing from their chief IT security professional.
compromise ICANN, access zone files system
Unknown hackers were able to compromise vital systems belonging to ICANN,
the organization that manages the global top-level domain system, and had
access to the system that manages the files with data on resolving specific
domain names. The intrusion started with a spear phishing campaign that
targeted ICANN staffers and the email credentials of several staff members were
compromised. The attackers then were able to gain access to the Centralized
Zone Data System, which allows people to manage zone files. The zone files
contain quite a bit of valuable information, including domain names, the name
server names associated with those domains and the IP addresses for the name
says wearables will be the next 'power' trend in the workplace
In a new trends report, Samsung says the next wave of "power
dressing" for workplace leaders will include wearable technology. That's
right — business professionals will be all about smartwatches and other
wearables in 2015, which will become a status symbol of savviness and
professionalism. The company outlined its top five trends for the new year,
with wearable technology topping the list.
Intelligence chairman warns of cyber vulnerabilities
Retiring House Intelligence Committee Chairman Mike Rogers said it might
take a catastrophic cyberattack on the nation's financial sector for Congress
to pass an information-sharing bill that died in the lame-duck session. Rogers
argued the importance of such a bill by saying that the National Security
Agency currently cannot share information on malicious source code it detects
on foreign networks with the private sector, leaving critical infrastructure
vulnerable to attacks.
predictions for cybersecurity in 2015
Security and forensics firm FireEye predicts that in 2015 mobile ransomware
will surge in popularity. It also forecasts that point-of-sale (PoS) attacks
will become a more popular method of stealing data and money, and that PoS
attacks will strike a broader group of victims with increasing frequency. The
security firm believes that targeting will become more creative as retailers
strengthen their defenses and more criminals get into the game. As a result, cyberattacks
will spread to "middle layer" targets including payment processors
and PoS management firms.
division opens up on R&D
While the Department of Homeland Security regularly spins off other federal
agencies’ technologies into the private sector for further development, it has
also been doing the same, with less fanfare, for DHS-developed cybersecurity
technologies. But that quiet approach is
changing. DHS' Science and Technology Directorate is hosting its first R&D
Showcase and Technical Workshop Dec. 16-18 for technologies developed and
fostered by the Cyber Security Division. The event in Washington, D.C., is
aimed at moving DHS-funded cyber projects out of the lab and into the
commercial marketplace, where companies can take them up and spread their use.
issue two-year FedRAMP road map
Two and a half years after launching the Federal Risk and Authorization
Management Program, which seeks to standardize agencies' approach to cloud
security, the General Services Administration is set to unveil its goals for
FedRAMP's next two years. GSA officials will release a "FedRAMP
Forward" road map on Dec. 17 to help agencies and vendors address the
growing ubiquity of the program. To
date, there are 27 FedRAMP-compliant cloud service providers and 313 accredited
third-party assessment organizations (3PAOs), according to GSA.
Forward' plans next two years of cloud authorization
More than two and a half years into the Federal Risk and Authorization
Management Program (FedRAMP), program managers are calling the initiative a
success but looking toward significant improvements. To do this, the
FedRAMP office has put together a roadmap for the next two years and released
the “FedRAMP Forward” document. The roadmap with timetable includes a number of
key initiatives centered on increasing awareness of the program’s core
components, improving efficiencies in authorizations and implementation and continuing
to adapt to the ever-changing world of cyber.
plan hub for risk info on IT supply chain, contractors
A new request for information put out by the General Services
Administration seeks ideas on arming federal acquisitions personnel with tools
to perform due diligence assessments of technology and services, as required
under federal law and regulations. The plan is to develop a service to give
government buyers a window into supply chain vulnerabilities, financial red
flags, potential insider threats, and other factors that might cast doubt on a
proposal for a federal IT contract.
drafts new cloud metrics guide
The National Institute of Standards and Technology (NIST) has drafted a new
guide aimed at helping organizations find the right cloud service. Announced
Dec. 15, the publication, called "Cloud Computing Service Metrics
Description," is currently in a public comment phase. According to NIST,
the 25-page guide "discusses the basic nature of the problem of measuring
cloud services and offers a model and method for developing appropriate cloud
revises guide on security controls
Gov Info Security
New guidance published by the National Institute of Standards and
Technology is aimed at helping federal agencies and other organizations in and
out of government assess proper security and privacy controls, especially those
tied to the continuous monitoring of IT systems for vulnerabilities. NIST unveiled on Dec. 15 Special Publication
800-53A Revision 4, "Assessing Security and Privacy Controls in Federal
Information Systems and Organizations," which supplements SP 800-53 Rev.
4, "Security and Privacy Controls for Federal Information Systems and
Organizations," published in April 2013.
mold regulations around ‘voluntary’ cyber standards
Federal regulators are adapting voluntary cybersecurity standards to suit
industries they oversee, and boat owners are the latest "critical
infrastructure" industry that might be obliged to follow certain steps for
identifying, thwarting and recovering from a network breach. The voluntary
"Framework for Improving Critical Infrastructure Cybersecurity” was
released by the NIST almost a year ago. In general, the business community
objects to mandatory cyber standards, and the Obama administration, responsive
to these concerns, has not pushed for requiring enforcement. Most of the
guidelines regulators are putting out only advise following the framework, but
agencies are developing protocols around it, too.
years of waiting, cyber bills abound
Federal News Radio
The five cybersecurity bills passed by Congress before adjourning signal a
long-coming and much needed change to how agencies defend their computer
networks and hire the people to do that critical work. Of these, the FISMA
reform bill has been 10 years in the making and the lack of action by Congress
forced OMB and DHS to act in the interim to find workarounds — most prominently
the move to continuous diagnostics and mitigation (CDM) and changes to the
FISMA guidance. But the other measures
cleared by Congress also address important cybersecurity workforce and other
passes five bills to transform federal cybersecurity
Congress has passed long-awaited legislation to update federal information
security management and improve the DHS cyber workforce. President Obama is expected to sign the
legislation and four other cyber bills into law, but those measures stop short
of supporting robust information sharing between intelligence agencies and the
private sector. They also do not provide legal protections for companies that
voluntarily share cyberthreat information.
passes cybersecurity bill
The Senate passed Dec. 11 a cybersecurity bill designed to protect critical
infrastructure. The legislation permits the Secretary of Commerce to develop
voluntary standards to reduce cyber risks to critical infrastructure, such as
power grids. The measure was sent to the
House for possible action prior to Congress adjourning for the year.
calls for law facilitating security information sharing
FBI officials are calling for updates to the US Computer Fraud and Abuse
Act (CFAA) and for new legislation that encourages threat data information
sharing and establishes a uniform federal standard for data breach
notification. The federal government has
been banging that drum for several years, urging the private sector to pass on
threat intelligence voluntarily, and promising to reciprocate.
take cyber warfare to the front lines
It’s been over three years since the Pentagon formally declared cyberspace
a domain of warfare, but the typical image of a cyber warrior usually involves
an operator sitting in front of a monitor in a network command center. The
Marines, however, recently demonstrated cyber war on the battlefield, with a
mix of technologies that includes Google Glass-like augmented reality glasses
and other systems to conduct cyber and electronic warfare in parallel with
physical military operations.
begins to embrace ICITE capabilities, Haith says
Federal News Radio
The Defense Department has been taking baby-steps over the last year toward
deploying the intelligence community's shared services plan — the Intelligence
Community Information Technology Environment (ICITE) — to its components. In line with this, Janice Haith, the deputy
chief information officer for the Navy Department, said the Navy is making
strides in leveraging ICITE.
drafts new cloud security requirements
The Defense Information Systems Agency released a draft of a security
requirements guide for cloud computing across the Defense Department. When
finalized, this SRG will supersede and rescind current guidance under the Cloud
Security Model. The SRG addresses processes for authorizing a particular cloud
service provider’s offerings and outlines security requirements to be addressed
in authorizing and operating cloud capabilities, such as information
identification and authentication. It also provides guidance on computer
network defense and incident response.
formalizes new DOD cloud procurement policy
Acting Defense Department CIO Terry Halvorsen has issued a memo outlining
the Pentagon’s new cloud procurement policy, formally allowing the military
services and other DoD agencies to procure commercial cloud services rather
than leaving that authority to the Defense Information Systems Agency. The Dec.
15 memo codifies a long-expected policy change and marks a significant break
from DoD's previous approach. It is
meant to hasten DoD’s move to the commercial cloud while also retaining control
of important security requirements for sensitive information.
new policy, DOD components won’t need DISA to buy cloud services
New Defense Department guidance issued Dec. 17 by Acting Chief Information
Officer Terry Halvorsen allows DoD components to acquire commercial cloud
services without the Defense Information Systems Agency acting as a broker. The
new policy overrides two previous memorandums that charged DISA with assessing
the security of commercial cloud service offerings and cataloging them – a
process that caused a bottleneck between potential DOD customers and providers.
hospital unveils new identification technology
As the rate of medical identity theft continues to increase, Wayne Memorial
Hospital in rural Pennsylvania is installing new biometric technology, which
officials say adds another layer of security to the patient identification
process. The technology will be available at all hospital registration points,
allowing patients the option to scan their fingers and create their own unique
code in addition to showing photo identification and providing their date of
birth and Social Security number. Wayne Memorial joins a list of more than 60
hospitals nationwide to install the system.
Why the Sony hack should scare feds
As the fallout from the unprecedented electronic attack on Sony Pictures Entertainment continues, cybersecurity experts said federal IT managers should be paying close attention. The attack marks the first time in the U.S. that an attacker has so blatantly damaged a corporate network and targeted and destroyed data in that system. One expert warns that "copycats are inevitable," and that agencies increasingly amassing vast stores of critical data, as well as critical infrastructure providers, could be targets.
FBI: Cyber attack against Sony would have bested most federal defenses too
Federal News Radio
The cyber attack that hit Sony Pictures two weeks ago was a sophisticated operation — so sophisticated, officials say, that the same attack could have made it through the defenses of almost any large organization, including the ones currently deployed by federal agencies. But even if no one was able to prevent the attack, federal law enforcement officials say its severity has made for a nearly unprecedented level of cooperation between the government and a corporate hacking victim.
FBI calls Sony hack 'organized' but declines to name source or finger North Korea
The FBI declined to name the source of the Sony Pictures hack during a U.S. Senate hearing Dec. 10, saying the bureau is still investigating. Even though much of the public speculation has focused on North Korea, some security professionals have said it's unlikely the rogue nation's fingerprints are on the attack. One expert noted that North Korea's "capabilities are just not that great," and that almost all of the known hacks launched by North Korea have been denial-of-service attacks.
Audit shows University of Maryland security flaws remain
It's been almost a year since a huge data breach exposed the Social Security numbers of present and former students, staff and faculty at the University of Maryland, College Park (UMCP), but a state audit has revealed that flaws in the university's network security, many identified by an audit five years ago, still exist.
Tech explosion makes cybercrooks harder to catch
In the U.S., conventional law enforcement policies and tactics do a decent job catching conventional criminals, but in cyberspace, those same policies are outdated and don’t keep pace with the technology evolution, according to some law enforcement experts.
Wearables go mass market in 2015: Forrester
New research from Forrester suggests that the industry is just weeks away from a watershed year for wearables. The firm's new report, Five Urgent Truths About The Future Of Wearables That Every Leader Should Know, joins other tech industry watchers in proclaiming 2015 the year that wearables come into their own. In October, Gartner named wearables among the top trends IT managers will have to contend with next year, along with Big Data and the Internet of Things.
GSA lands $35M for 'civilian cyber campus' in massive spending bill
Washington Business Journal
The massive omnibus spending bill includes $35 million requested by the General Services Administration to plan and design a civilian cyber campus at a site to be determined somewhere in the Greater Washington area. The campus will house federal employees and contractors dedicated to the civilian cyber security mission. It will be separate from the military's U.S. Cyber Command, based at Fort Meade, and it will be large enough to accommodate future expansion and/or co-location with private sector partners. It is likely to be an economic driver, drawing cyber partners not only to the campus but also to corporate spaces nearby.
6 tech takeaways in the new spending bill
A $1.1 trillion spending bill that will fund most of the government through Sept. 30 is chock-full of provisions related to federal technology. The measure provides $20 million for IT oversight activities at OMB, which includes fully funding the new federal fix-it squad, the U.S. Digital Service, launched in August. It provides NIST with about $675 million for its core scientific and technical programs, and clears the way for a new Washington, D.C.-area cybersecurity campus to house federal employees and contractors working on the government's civilian cybersecurity efforts. It also directs DoD's CIO to report to Congress "on the status of expanding the adoption of cloud computing" within DoD.
7 things the 'cromnibus' means for IT
In finalizing the FY 2015 omnibus funding bill for the federal government, IT spending was not a sticking point among lawmakers, but there were some developments worth noting, including: 1) current rules on supply chain risk management for the acquisition of IT systems by the departments of Commerce and Justice will remain in place; 2) IT oversight at OMB will be funded at $20 million, including funding for the new U.S. Digital Service; and 3) IT takes a hit as part of more than $345 million in cuts to IRS funding.
Major IT reform to have 'immediate effect' on feds
Included in the 2015 National Defense Authorization Act (NDAA) recently approved by Congress is a technology reform package designed to significantly change the way federal agencies manage IT. The Federal Information Technology Acquisition Reform Act (FITARA) has many components, all aimed at centralizing authority with the top department CIOs and increasing accountability over IT procurement and projects. One government official says that, of all the cyber and technology legislation considered on the Hill this year, FITARA is “nearest to [federal employees] and going to have the most immediate effect.”
FITARA analysis: Will CIOs use their new powers for good?
The government spends some $80 billion on IT, while just a fleeting few agencies give their CIOs so-called budget authority. But now legislation has passed Congress to give CIOs the power of the purse over their agencies' IT investments. One analyst says that while the new legislation definitely empowers agency CIOs, she questions what they are going to do with it, and whether department-level CIOs are truly prepared to use this power.
DHS big winner in congressional cybersec vote
Gov Info Security
When the Heartbleed bug threatened IT systems in and out of government earlier this year, the Department of Homeland Security's cybersecurity team had to go to other federal civilian agencies to get permission for DHS to scan their IT systems to determine whether their OpenSSL software was vulnerable. But under the FISMA reform bill just passed, DHS would have the authority to conduct such scans without agencies' permission. The FISMA bill fine-tunes the law that governs federal government information security, and was one of four cybersecurity bills Congress passed; all four play a role in strengthening DHS as a cybersecurity force within the federal government.
FISMA, TSA IT measures on way to president
Congress has passed legislation that will affect cybersecurity on federal networks and IT acquisition at the Transportation Security Administration. A bill to update FISMA codifies the existing division of labor on protecting federal networks, with OMB responsible for policy and DHS focusing on implementation. It also requires OMB and DHS to report on adoption of continuous monitoring technologies, including commercial products offered under the Continuous Diagnostics and Mitigation (CDM) program run by DHS. A second measure aims to improve technology acquisition at TSA by requiring top agency officials to analyze proposed acquisitions and provide Congress with a justification of the security benefits of awards of more than $30 million 30 days before an award is made.
FISMA reform heading to the White House
Gov Info Security
The last time Congress enacted significant cybersecurity legislation was the passage of the Federal Information Security Management Act (FISMA) in 2002. But on Dec. 10 and 11, the House approved four Senate-passed cybersecurity-related bills: one to reform and update FISMA, a second to help the Department of Homeland Security recruit and retain qualified IT security personnel, a third to codify an existing cybersecurity and communications operations center at DHS, and a fourth, the Cybersecurity Workforce Assessment Act, which would assess the future DHS cybersecurity workforce.
Congress strengthens Homeland Security's cyber role with FISMA reform, other bills
Lawmakers have sent a raft of cyber legislation to President Obama's desk, breaking through a six-year logjam spurred on in part by escalating intrusions into government and contractor networks. In a move backed by the White House, but not necessarily all Pentagon hawks, each of the measures positions the Department of Homeland Security as head of governmentwide cyber operations.
Bill OK'd to enhance NIST cybersecurity role
Gov Info Security
On Dec. 11, nearly six years after proposing the legislation, both houses of Congress passed on voice votes the Cybersecurity Enhancement Act of 2014. That bill, expected to be signed by President Obama, would formalize cybersecurity as one of the National Institute of Standards and Technology's priority areas of focus. The bill would direct NIST to continue to facilitate industry-driven processes for developing voluntary cybersecurity standards for critical infrastructure as it did when it created the cybersecurity framework.
DISA releases draft of new cloud security requirements
The Defense Information Systems Agency has released a draft of a security requirements guide for cloud computing across the Defense Department. When finalized, the SRG would supersede and rescind current guidance under the Cloud Security Model, and cloud providers being assessed against the CSM requirements must comply with the new SRG "in coordination" with their next annual FedRAMP reauthorization. Comments from industry and others interested in the draft SRG are due Dec. 29.
Cyber Command trying to get running start, add staff
Stars and Stripes
The fledgling U.S. Cyber Command is trying to hit the ground running, aware that it’s playing catchup with often archaic equipment, dealing with constantly evolving threats and trying to justify its existence amid budget cuts and force reductions. The cyber force is expected to be fully in place by the end of 2016 with a staff of 6,000, said Lt. Gen. James McLaughlin, deputy commander of U.S. Cyber Command. About 2,400 have been hired since fiscal year 2013 began, and they are now in teams that have at least “initial operating capability.”
Army's new Cyber branch looking to recruit talent
All of the military services' cyber divisions, along with U.S. Cyber Command, plan to steadily increase their number of cyber warriors over the next two years, but the problem is in finding and retaining enough skilled cyber operators. The Army, for its part, is looking to develop talent from within its own ranks, creating a new Cyber Branch and developing incentives to attract and retain those who want to pursue cyber defense and cyber warfare as a military career. Since early September, the Army has activated a Cyber Protection Brigade, established the Cyber Branch, and created a new 17-series cyber career field for managing the professional careers of officers.
JIE security components set for January deployment
The cornerstone of the military's top IT initiative, the Joint Information Environment, is expected to be deployed in early January 2015, according to DoD's acting chief information officer. Terry Halvorsen said recent testing of JIE's Joint Regional Security Stacks at Joint Base San Antonio (TX) and in Europe has paved the way for deployment of the initial components. The JRSS consist of servers and network switches that limit the number of network access points. The security stacks will be used to improve DOD network security by the end of 2016, Halvorsen said, and a full JIE security capability could be ready by the end of 2017.
Pentagon tests first network hub
Tests of the first hub in the Pentagon’s network consolidation effort, at Joint Base San Antonio-Lackland, Texas, have thus far been successful, Acting DoD Chief Information Officer Terry Halvorsen said recently. This amounts to a step forward as the Pentagon collapses its sprawling, disparate networks into a more streamlined, standardized, defendable and cost-effective structure. Each network hub, called a joint regional security stack (JRSS), is essentially a collection of servers, switches and software tools to provide better network traffic visibility and analysis.
The military is becoming immersed in virtual training
Military leaders are looking to make even greater use of large-scale immersive simulations in training exercises, as the quality of those simulations continues to improve. Simulations have always had advantages in cost and safety over live training, but the immersive systems today can also make warfighters familiar with environments—even people—they might encounter, before they ever encounter them.
Preventing a ‘cyber Pearl Harbor’ will require innovative thinking from the military
The Washington Post (op-ed)
Whether you believe in the threat of cyber Pearl Harbor or not, it’s clear that innovative thinking will be required to address emerging new cyber threats — and soon. In order to prevent a cyber Pearl Harbor, we’ll need fewer military guys and more cyber guys. Right now, there are about 4,000 members of the U.S. Cyber Command. These are the people who will be forced to make a judgment call when an attack has taken place, estimate the full extent of the damage and then figure out how to retaliate using the types of new offensive capabilities that have emerged in just the last few years.
BYOD is everywhere: Wear your own device is next
Everyone is bringing their own devices to work. But is sensitive data being secured properly on our smartphones and tablets? Soon, new technology will be worn wherever we go. Are enterprises preparing for "wear your own device" (WYOD)?
Striking a balance with mobile device security
Agencies face a delicate balancing act when it comes to providing security to a growing population of mobile devices. Smartphones can go missing along with agency data, and mobile devices in general can introduce malware to enterprise networks. But employees want the ease of use of consumer technology, and agency managers covet the potential productivity boost. A too-stringent mobile security policy will discourage smartphone and tablet use, especially in BYOD programs, and thereby eliminate the productivity benefit. But a policy that goes too light on security could invite trouble in the form of lost data and business disruption. Federal information security specialists are tackling the dilemma in various ways.
Biometric verification software used by colleges to prevent cheating
Two biometric verification products top the list of tech solutions universities should keep an eye on in 2015. Biometric Signature ID is a system that verifies the student's identity before taking a quiz or exam by analyzing the way he or she moves a mouse or finger to draw certain characters. Verificient Technologies' Proctortrack uses facial recognition technology, biometrics and machine learning to generate scans of the student's face, knuckles and ID. It also continuously monitors the user's mouse, keyboard, monitor, browser, webcam and microphone to detect if someone else is taking the test in place of the student or if the student is using any unauthorized resources to cheat.
Cyber attack could cost Sony Studio as much as $100 million: Experts
It typically takes at least six months after a breach to determine the full financial impact, but CSIS' Jim Lewis estimates that costs for the recent massive computer hack of Sony Corp's movie studio could stretch to $100 million. Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack. Lost productivity while operations were disrupted will also add to the price tag.
Mandiant to Sony Pictures: Nothing could have prepared you for this
In a letter to Sony Pictures' top executive Dec. 6, Kevin Mandia, the CEO of Mandiant, said that the company's recent security problems were a well-planned crime that is unparalleled to anything his company has seen in recent years. Nothing, his note said, could have prepared Sony for what has happened.
FBI official says 'no attribution' to North Korea in Sony hack probe
A senior FBI official said Dec. 9 the agency has not confirmed widely held suspicions that North Korea is behind the unprecedented cyber attack on Sony's Hollywood studio. The comment casts at least some doubt on the widely held belief that North Korea has definitely been determined to be the culprit in the massive attack on the Hollywood studio, leaving room for other theories to emerge. Cybersecurity researchers who have analyzed the malicious software used in the attack say that technical indicators suggest North Korean hackers launched the attack, and people close to separate investigations being conducted by Sony and the government have told Reuters that North Korea is a principal suspect.
DOJ: 'Increase the cost' for nation-state hackers
A top FBI cybersecurity official said the agency has yet to attribute a recent large-scale hack of Sony Pictures to North Korea. In the meantime, an assistant attorney general involved in the investigation is playing the long game, hoping that a potentially months-long probe and possible indictment by the Department of Justice would deter other cyberattackers.
Cyber-espionage expected to surge in 2015: McAfee Labs
Cyber-espionage and attacks on connected devices are expected to surge in 2015, according to McAfee Labs' annual threats predictions report for the coming new year. Cyber-warfare has been batted around everywhere from IT circles to popular culture, almost reaching a fever pitch recently surrounding suspicion and reports regarding the breach at Sony Pictures. Nevertheless, cyber-warfare is expected to become a regular tactic - especially for "small nation states and terror groups" - in 2015, with a focus on gathering valuable intel on both high-profile people and intellectual property as well as operational intelligence.
Cost of cybersecurity and risk management to double
Help Net Security
Security firm Coalfire has made a number of predictions for 2015 including: the number and sophistication of cyber threats will continue to increase exponentially; international (and often state-sponsored) criminal organizations will escalate their development of offensive cyber capabilities; the cost of cybersecurity and risk management will remain on track to double over three years; every organization will be using some form of continuous monitoring service; there will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats; and we will see the beginnings of a shift from cyber-defense to cyber-offense.
Can Iran turn off your lights?
Online security company Cylance released a report recently showing that an Iranian cyber-espionage operation had successfully breached U.S. and foreign military, infrastructure and transportation targets. The report claimed to confirm widely suspected Iranian hacks of the unclassified Navy Marine Corps Intranet system, NMCI, in 2013. It describes more than 50 targets around the world, including players in energy and transportation. The tactics detailed in the report show an escalation of Iranian hacking activity, which the report’s writers, in several instances, refer to as rapid.
What’s next in cybersecurity automation
The automation of computer security, including patch management, intrusion detection and various forms of continuous monitoring, has become a requirement of cybersecurity tools and practices in the last couple of years. The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with tools that help identify and mitigate cybersecurity risks, has been an important factor in bringing awareness of those technologies to government. Now DHS is looking beyond the status quo and into the next generation of cyber defense systems, issuing a call for ideas on developing what it calls the Enterprise Automated Security Environment or EASE.
FBI tackles growing cybersecurity caseload
The FBI has its hands full with cyber-related investigations stemming from domestic and international threats. The Bureau says cybersecurity is one of its top priorities and robust communication with private companies is key to fighting cybercrime. An official with the FBI’s Cyber Division estimates about 20 percent of the bureau’s workload is focused on cybersecurity, and that percentage is growing. More than 1,200 individuals currently work in the Cyber Division.
7 things the 'cromnibus' means for IT
Congressional negotiators have released a $1.1 trillion appropriations bill that would fund most of the government through the end of fiscal 2015. The bill, dubbed the "cromnibus" to capture its mix of omnibus appropriations and a continuing resolution to cover DHS, contains a number of information technology provisions of note.
FISMA reform heading to the White House
Gov Info Security
Congress has passed and sent to the White House legislation to update the Federal Information Security Management Act (FISMA), the 12-year-old law that governs federal government information security. The bill will replace the requirement that federal agencies must file annual checklists that show the steps they've taken to secure their IT systems, with a new requirement that they automatically continuously monitor their systems to assure their security. The legislation also would codify the Obama administration action that elevated DHS' role in getting other civilian federal agencies to comply with cybersecurity standards, while retaining OMB's overall jurisdiction over federal government IT security.
Congress moves cyber-hiring, FISMA measures
In its rush to adjournment, Congress approved legislation to speed the Department of Homeland Security’s hiring of cybersecurity professionals and allow DHS to pay them more in an effort to bring DHS' ability to hire cyber talent on par with that of DoD and the NSA. The Senate also approved a bill similar to an earlier House-passed measure to codify an existing cybersecurity center at DHS, the National Cybersecurity and Communications Integration Center, which is DHS’ 24/7 hub for monitoring cyber threats and sharing information with the private sector.
White House weighs options for advancing cybersecurity
In the absence of comprehensive cybersecurity legislation, the White House is once again considering what more it can accomplish to secure critical systems through the executive branch. Specifically, the Obama administration is considering how it can encourage the creation of information sharing organizations similar to the Information Sharing and Analysis Centers, which were established to improve the security of U.S. infrastructure by enhancing interaction among various sectors and with the government.
Cybersecurity’s not done until the paperwork is finished
GCN - Cybereye (blog)
The Veterans Affairs Department has been dinged once again by the Government Accountability Office for lack of follow-through in its cybersecurity operations. In a recent report, the GAO warned that unless VA’s security weaknesses are fully addressed, “its information is at heightened risk of unauthorized access, modification and disclosure, and its systems at risk of disruption.” The problem cited in the report is not so much that VA is doing a bad job securing its networks and systems, but that it has not properly documented security activities and has not developed action plans and milestones for correcting problems.
Will government regulation kill the Internet of Things?
The government needs to update laws and regulations to accommodate the explosive growth of Internet-connected smart devices or risk falling behind the global technology curve. That's the view of a few tech-minded lawmakers who have turned their focus to the expanding web of objects and sensors that make up the so-called Internet of Things.
DARPA sees future of cybersecurity in transparent computing
The Defense Advanced Research Projects Agency (DARPA) is trying to get ahead of the sneakiest and most persistent threats in cyberspace and is putting up $60 million to find truly innovative ideas. The research agency posted a request for proposals for a Transparent Computing program designed to shine a light on malware hiding in the depths of complex computer systems and actively adapt to new threats.
The 'way forward' to the cloud
The U.S. Defense Department is poised to release a new cloud computing policy that opens the door for commercial firms to host military data and applications and allows the services and combat support agencies to procure cloud services themselves. Commercial data storage giants Amazon and Google are considered contenders for the business, alongside Microsoft and IBM.
Defining cyber roles at DOD
A Nov. 21 Defense Department directive updates and clarifies the different roles played by the Pentagon's CIO, principal cyber advisor and other officials in setting the department’s cybersecurity policy. The creation of a principal cyber advisor and the maturation of U.S. Cyber Command made greater intra-departmental clarity on cybersecurity necessary, according to DoD's acting CIO. The directive charges the CIO with advising the National Security Agency director on cybersecurity policy, and with prescribing cyber-related standards, but gives the CIO no operational authority when it comes to offensive or defensive cyber maneuvers. That authority lies with the U.S. Cyber Commander.
U.S. Cyber Command grants DISA head directive authority
Secretary of Defense Hagel recently approved a Department of Defense Information Network (DODIN) concept and a Joint Force Headquarters DODIN Operations within U.S. Cyber Command (CYBERCOM), headed by the director of DISA, Lt. Gen. Ronnie Hawkins. Gen. Hawkins has been given directive authority over the entire organization. His authority extends over all of DODIN for operations guidance and defense, and he has the ability to issue orders to anyone in the DODIN, including elements such as the services.
Moving mountains in cyber war: Automated virtual ‘maneuver’
In the looking-glass world of cyberspace and cyber warfare, there are lots of options — too many, in fact, for the human brain to keep track of all of them, let alone decide which one is best, the Pentagon’s chief cybersecurity officer said recently. That's why DoD needs some kind of automated software tool that understands not only what all the different settings in cyberspace currently are, but how they interact and what the impact would be of changing them.
Most U.S. companies under cyberattack
A computer security company has written a report concluding that 82 percent of U.S. companies have experienced at least one online attack in the last year and 46 percent have experienced three or more attacks. According to the report, 72 percent of the respondents said that the “number of exploitable browser vulnerabilities” was the most pressing security issue for their company, exceeding concerns about mobile security.
Iowa’s going to have smartphone driver’s licenses
The Washington Post
The Iowa Department of Transportation said it plans to pilot a smartphone driver’s license program that could one day make plastic licenses a thing of the past. A state official said the concept is to not only host the license in an app, but to also be able to send push notifications about, say, traffic, or if a user’s license is about to expire. He said he is “not aware” of any other state that has a similar program.
NIST experts discuss how biometric devices are helping law enforcement
At the recent National Institute of Standards and Technology (NIST) forensics conference, a number of NIST scientists, engineers and program managers discussed the many ways the agency is helping law enforcement improve investigations that depend on collecting biometric data from digital devices. Though the majority of the presentations focused on digital forensics, NIST scientists also discussed recent technological advancements in human forensics, especially involving biometrics.
New York City to use facial recognition software for municipal ID program
New York City officials announced the city will use face recognition software to curb identity fraud in its new municipal ID program. There are some concerns regarding the potential for identity fraud, along with security issues involved with private information being stored in government databases. As a result, security measures will include mirroring the document requirements used by the state Department of Motor Vehicles to initially prove identity and residency. The ID card will feature an embedded hologram, city seal and black-and-white “ghost” photo to further prevent identity fraud, and access to the full database of applicant information will be limited to high-level employees only.