Cybersecurity
Working with Homeland Students – A Grand Opportunity, A Great Relationship
February 6th, 2012 - by Steven Bucci
I spoke to students at the Naval Postgraduate School Center for Homeland Defense and Security. The school helps military officers get their master’s degrees, but mine was not a military audience at all – many were homeland leaders from throughout the public and private sectors. To be sure, America has gained a lot since the 9/11 attacks, part of which is a brotherhood shared by all homeland professionals.
Napolitano’s Announcement Omits Cyber Threat to Global Supply Chain
February 3rd, 2012 - by Guest Contributor
By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.
Steve Bucci Talks Cyber with Federal News Radio
January 17th, 2012
Security Debrief contributor Steve Bucci spoke to Federal News Radio’s Francis Rose about things to watch in the cyber realm in 2012. Check out Steve’s interview on In Depth with Francis Rose to learn more about progress in deciphering Stuxnet and Duqu, as well as cloud computing and other cyber issues.
Looking Back at Cyber in 2011, With Some Forward Looking Too
January 9th, 2012 - by Steven Bucci
It was a busy year in cyber, and there were a lot of interesting developments. From Stuxnet to social media revolution in the Middle East to smart grid security, 2011 was a challenging year. Looking ahead, we need to continue securing our networks and developing awareness and education programs.
Cyber Attack on Israel – The Private Sector and Citizens as the “Soft Underbelly”
January 9th, 2012 - by Nadav Morag
The Israeli media has been awash in reports of an alleged Saudi hacker that goes by the online name of OxOmar and has posted the credit card information, national ID numbers and addresses of thousands of Israelis. According to recent reports, that person may turn out to be nineteen-year-old Omar Habib, who resides in Mexico. Some others, though less convincingly, have alleged that the origin of the attack lies in Iran. Ultimately, the origin and motivations of the cyber attack are less interesting than the nature of the vulnerability that it exposes.
Growing Need for Mobile Security
December 21st, 2011 - by Steven Bucci
I have opined on the growing threat to the security of mobile computing before. Most people use some sort of mobile device, but how many of them do you think have security measures loaded on them, or even have passwords? We need to get people cognizant of their mobile security requirements, so they stop “walking about naked” from a technological standpoint.
The Intelligence Challenge of Cyberspace
December 13th, 2011 - by Ronald Marks
America’s intelligence community finds itself pressed to deal with the “Wild West” frontier of an ever-expanding cyber space. From Twitter to blogs to e-mail, the changes are coming hard and fast for governments, businesses and individuals worldwide. The challenges for the American policy maker and the intelligence community are simple and yet hugely complex. So far, by our own admission, we appear not to be passing the grade.
Cyber Wisdom from AT&T’s Amoroso
December 13th, 2011 - by Steven Bucci
One of the keynote speakers at last week’s Cyber Conference at the Walter Washington Center was Ed Amoroso, the CTO of AT&T. Ed is brilliant, well spoken, and as funny as any speaker I have heard lately. He also has a practical and accurate view of the challenges we are facing in the cyber realm – including LAN protection, botnets and mobile security. He raised lots of great issues and challenged the audience to work out the solutions.
A Public/Public Partnership – Addressing Water Sector Security
December 2nd, 2011 - by L. Vance Taylor
Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector. However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them. My concern is that we may just keep talking about the problem without actually doing anything about it.
Water Security Expert Vance Taylor on Critical Infrastructure Hacking Incidents
December 1st, 2011
Since news broke last week about a suspected cyber attack on an Illinois water utility, media, government and industry have probed the ramifications for U.S. critical infrastructure protection (CIP). Though DHS and FBI later found no attack had occurred, the incident does highlight vulnerabilities in the way utilities are secured against cyber threats. To understand these complex issues, reporters turned to water security expert, Catalyst Partners principal and Security Debrief contributor Vance Taylor.
Terrorists Embrace Internet Fraud to Fund Operations
November 29th, 2011 - by Guest Contributor
By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists.
A Stark Reminder – Cyber Threats Are Real
November 23rd, 2011 - by L. Vance Taylor
As happy/relieved as I am to know that the Russians aren’t out to disrupt our water services, it is important to note that a water system in South Houston was the victim of a real cyber attack. (You’ll recall it occurred in direct response to DHS downplaying of the reported situation in Illinois). The would-be attack, and the actual one, are stark reminders that the threat of cyber attacks is real.
Water Plant Hack – Real Concern or Red Herring?
November 22nd, 2011 - by Steven Bucci
I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting. Frankly, I don’t know what the Water Plant incident really means, but at this point neither does anyone else. Can we afford to dismiss it, even if it turns out to be amateur hackers? I have said this before; the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries.
Is There A Doctrine In The Cyber House?
November 18th, 2011 - by Ronald Marks
The last several months in D.C. have witnessed a series of Executive Orders, proposed legislation, bureaucratic action and public bickering over how to “defend” cyberspace. This dividing up of provinces of responsibility in cyberspace is interesting. It is a lovely 20th century way of dealing with a 21st century problem. Setting boundaries in the boundless frontier. Those seeking to harm cyberspace must be laughing up their collective sleeves or Guy Fawkes masks.
Clarke Playing Cassandra Again Over Cyber
November 10th, 2011 - by Steven Bucci
Richard Clarke is at it again. In a conference this week, he stridently appealed to the audience. He warned that the President ought not consider going to war any time in the near future. This because our cyber capabilities are so weak and America’s enemies are sure to use cyber attacks against us. Dick Clarke is a competent and farsighted man who has served this Nation long and well. Why does he seem to relish wallowing in hyperbole? We are NOT boxed in by our cyber insecurities to the point of having no options.
Son of Stuxnet – What Does Duqu Mean?
October 26th, 2011 - by Steven Bucci
The recently identified “Duqu” worm has raised a whole new set of issues. Seemingly a variant of the Stuxnet malware that got so much of the world’s attention, everyone is trying to figure out what it “means.” Stuxnet opened a new window, and Duqu is only the first of many. The rub is, unlike Stuxnet, which targeted Iranian centrifuges, Duqu may be coming directly at you and your systems.
It’s Time for Trusted Computing
October 20th, 2011 - by Marc Frey
In this era of budget austerity, telework is an effective way to reduce agency costs and increase productivity. Recognizing these benefits, federal agencies have implemented telework policies and an increasing number of employees are taking advantage of the option. At the same time, however, teleworking presents significant security challenges. Agencies can reduce telework risks through the use of Trusted Computing.
Cybersecurity – The Public Health Model
October 6th, 2011 - by Steven Bucci
I teach an online Master’s Level course in cybersecurity policy Issues. As part of one of my lessons, I asked students the following question: Can the principles of public health be applied to help understand cybersecurity, or should we stick with a military/defense metaphor? A student offered 10 core functions of public health entities, a stark contrast to traditional law enforcement and security premises centered on enforcement, detection, and deterrence. It is a better fit.
Another Key to Cyber Security: Agility
September 23rd, 2011 - by Steven Bucci
A lot of factors can lay claim to being a “key” to cybersecurity. I would offer another: agility. Presently, agility is the best friend of the Bad Guys. On the defensive side, we labor under a great disadvantage. Development of defensive means is slow and reactive; we have to follow strict rules for commercial deployment of products, and beyond the technical procedures, we have huge hurdles on the legal, policy and regulatory sides. In short, the good guys are anything BUT agile.
Cybersecurity – Stop Attacking Pearl Harbor
September 15th, 2011 - by Ronald Marks
Again the other day, another of our government cyber leaders delivered the usual canned speech about how we must increase our defenses – read expand budgets/personnel – to defend ourselves against an “electronic Pearl Harbor.” And so, once again, the muscles in the back of my neck begin to stiffen wondering when they are going to stop saying this and if, some day, they will arrive in the 21st century. Cyber attacks – they are not wars – are not about total destruction but death by a thousand cuts.




