Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205 page comprehensive new Cybersecurity Act of 2012was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Ct), Susan Collins, (R-Maine) Jay Rockefeller (D-WV) and Diane Feinstein (D-Cal) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines ‘‘cyber risk’’ as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

 Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks.  Attacks against Google and US defense contractors allegedly by Chinese sponsored hackers raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with the SOPA and PROTECT IP Act, the critical issue will be focus on the primary risks rather than political maneuvering for legislators to prove who is the toughest on the perceived threat. The costs for upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that the process is moderated and proportional to the outstanding threats.

Advertisements

Rethinking Terrorism in the Informatics Age

Terrorism cannot be far from American’s minds this week as we commemorate the September 11th attacks, memorialize the heroes who gave their life, and mourn both the lives of those lost and the end of the peace dividend we had hoped to enjoy following the end of the Soviet Union and the wave of democracy that swept through Eastern Europe.

In cyberspace, analysts vacillate between Cold War concerns from China and Russia (and their satellite nations) involving state-sponsored, non-border attacks on the U.S. and the West and terrorist attacks from non-state actors and self-proclaimed freedom fighters.

At the Reuters Aerospace and Defense Summit, defense industry analysts discussed these attacks, many of which “appeared to be state-sponsored and came from multiple countries.” The speakers did not identify any particular government. As reported by Reuters, “every defense company is constantly under attack. If anybody tells you they’re not, it just means they don’t know,” said Northrop Grumman Chief Executive Wes Bush. “It is a threat that is broad-based. It’s not just from one source … and it’s just unceasing.”

In March 2011, a foreign intelligence service stole 24,000 computer files in March from a defense contractor developing systems for the U.S. military. The breach was acknowledged in July. “This was significant,” Deputy Defense Secretary William Lynn told reporters.

Lynn said the attackers swiped “data related to systems that are being developed for the Department of Defense. … It was done, we think, by a foreign intelligence service. In other words a nation state was behind it,” he added. Lynn declined to identify the likely suspected nation involved in the theft.

Earlier in the year, credible evidence pointed to China for attacks on Google and dozens of military defense contractors. Again, the DoD has not officially named the country or countries involved in the attack, but because Chinese dissidents were specifically targeted as well as other evidence, China’s involvement has been widely reported.

Perhaps one of the most damaging of these attacks was to RSA, the security division of EMC. In an comprehensive expose in Vanity Fair, the RSA attacks are explained.  “RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.”

The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty.

The DoD is responding. “The new Social Media in Strategic Communication (SMISC) program was submitted under the Defense Advanced Research Projects Agency (DARPA), an arm of the Department of Defense. The goal is to “develop a new science of social networks built on an emerging technology base” to help the agency keep abreast with communication technologies, namely Twitter. This is just one counter-insurgency activity being pursued.

The world is a very different place than it was a decade ago. We are only beginning to understand how much we have lost.

 

Special thanks to Vince Polley this (and so many other topics). Follow him at KnowConnect PLLC (supplemented by related Tweets: http://twitter.com/vpolley #mirln).