Posts Tagged ‘cyber security’
Tufts Democrats: What did you think?
The Tufts Democrats got an earful from me about how US foreign policy on cyberspace hasn’t advanced significantly in fifteen years. I complained that a whole lot of basic questions haven’t been settled, and drew on some key national documents to verify that is the case.
They were more impressed with my rapid-fire interactive summaries of Hollywood takes on cyberwar and cyber dystopia. Or so they tweeted.
Jumbos: what did you think? Please post in the comments. Thanks!
Current events for Beth’s class
Beth Chalecki asked me to give a talk on cyber security for her course at Boston College. While I won’t post the slide deck here, I will compile a reading list on the blog. I’d like to note that the blogroll at right includes several of the big names in the field: Bruce Schneier, C. Warren Axelrod, Ross Anderson, David Rice, Alessandro Acquisti, and others.
Documents
- National Strategy to Secure Cyberspace (US-CERT)
- Cyberspace Policy Review (White House Office of Cybersecurity)
- Presidential Decision Directive 63 (Clinton via FAS)
- US Cyber Command fact sheet and website
News items
- Stuxnet
- Ghostnet
- Estonia
- Georgia
- Rod Beckstrom
- Howard Schmidt
- William Lynn discusses the cyber domain in Foreign Affairs
Academic works
- Technology, Policy, Law and Ethics Regarding US Acquisition of Cyberattack Capabilities (Owens, Dam and Lin, eds.), full text at the MacArthur Foundation
- Proceedings of a Workshop on Deterring Cyber Attacks (National Research Council Committee on Deterring Cyberattacks, Steinbruner, chair) *
- Building Security In (Gary McGraw and US-CERT)
- Cyber Warfare and Cyber Terrorism (Janczewski and Colarik, eds.)
- Cyberpower and National Security (Kramer, Starr and Wentz, eds.)
- Cyberpower (Nye)
- Cybersecurity Agenda (EastWest Institute)
- Commission on Cybersecurity for the 44th Presidency and their final report
- International Guide to Cyber Security (Westby)
* Beth: if you’d like to tackle cyber deterrence, Lukasik’s conference paper in these Proceedings (Steinbruner et al., eds., 2010, pp. 99-111) is an interesting departure point for debate.
Cyber Shield newest mixed metaphor
This is the latest example of what’s wrong with the metaphor of cyberspace for information security. Cyberspace isn’t a space. Cyber attacks don’t involve thrown projectiles or spears. A shield won’t bat them down. The meat of the policy is buried: look how little attention is devoted to the five points in the last paragraph quoted below.
If he had said that installing Norton Internet Security on every computer in America was the definition of a cyber shield, or ordering drone attacks against suspected zero-day-threat writers, or requiring American companies to write back doors for the feds into encryption, or mandating the use of federally issued firmware in critical industries… well, then that would be the definition of a cyber shield. It’s a completely empty term.
US urges NATO to build ‘cyber shield’
(AFP) – Sep 15, 2010
BRUSSELS — NATO must build a “cyber shield” to protect the transatlantic alliance from any Internet threats to its military and economic infrastructures, a top US defence official said Wednesday.
Cyber security is a “critical element” for the 28-nation alliance to embrace at its summit of leaders in Lisbon on November 19-20, US Deputy Defence Secretary William Lynn said in Brussels.
“The alliance has a crucial role to play in extending a blanket of security over our networks,” Lynn said.
“NATO has a nuclear shield, it is building a stronger and stronger defence shield, it needs a cyber shield as well,” he said at a forum hosted by the Security & Defence Agenda think-tank.
Fuzzy Thinking on African Botnets
I call “bull.” African botnets are not WMD, and the solution to African botnets is not to prosecute the lucky few who have computers there. Franz-Stefan Gady is completely out of touch with the realities of IT in Africa. The last thing African governments need is to shunt scarce resources into prosecuting cyber criminals, particularly within their own borders. Please do something more useful with whatever resources you have: support export industries, build infrastructure, build a call center or an export processing zone, make jobs, and provide education and health care.
Honestly. Beefed up law enforcement? Where does Gady think most infections in Africa originate? Why would he presume that the botnets are home-grown?
Governments should find ways to make legitimate software available at prices users can afford. That means not taxing software imports, encouraging the use of free and open source software, and ensuring broadband access. Yes, greater bandwidth, and not less bandwidth, is crucial to safer computing. Bandwidth will give end users access to security updates and current virus databases that are prohibitively difficult to download when connections are slow.
Full hearing: US Senate on Cyber War Readiness
Highlights from the US Senate panel on cybersecurity, 23 February 2010.
Mary Ann Davidson, CSO (Oracle). Required reading! Ms. Davidson masters the subject in bright prose. This is an excellent indictment of the rush to deploy smart grid technologies before we’ve had time to harden them against the types of attacks that routinely take computers offline. Thought experiment: what level of unplanned downtime would you be comfortable with for your house’s electrical power? water? energy? Would you try to save 10% on your electric bill in exchange for a system that you couldn’t be sure would work more than 99.9% of the time?
Even better, Ms. Davidson points out a crucial flaw in education. Computer science is applied mathematics, and few departments teach young programmers how to write secure software. If university departments don’t teach secure programming, we will need professional certifications to substitute, as with medical residencies, CFA exams for financial analysts, and professional societies for engineers and architects.
Vice Admiral Mike McConnell (Booz Allen Hamilton). Sound bite: “If there were a cyber war today, the United States would lose.” Some excellent recommendations for training a new class of software engineers, security professionals, and managers. Don’t be distracted by the salacious and unwarranted assertion at the outset. The rest of the testimony is good, and nobody is better informed than the Admiral.
Dr. James A. Lewis (CSIS). A couple of interesting metaphors. He compares cyberspace to a condominium and to a shopping mall, meaning that the space is all privately owned, and that neighbors have a compelling interest in one another’s behavior. Therefore all should be willing to submit to greater regulation. I’m inclined to agree with Borg’s statement (below) that government regulations are unlikely to keep pace with the rate of innovation. Rather than ask the government to certify that buildings are safe, wouldn’t we be better off with private certification of a standard of risk, as we currently do with automobiles, houses, and financial management? Computers and especially software are endlessly complicated, and don’t lend themselves well to the same type of governance as broadcast media and airplane safety.
Lewis also makes a crucial overstatement when he says that there are no rules on the Internet or that the Internet is a wild west. Actually many national and state authorities have control over Internet commerce, fraud, and even transborder crimes. At a more fundamental level, Lewis’ lawless vision of the Internet is fundamentally at odds with Internet governance over every layer of the Internet, from the development of hardware standards and Internet protocol, to the assignment of names and numbers, to the software that runs servers and home desktops. Re-read Lessig, and see if you can imagine the Internet truly without rules.
Scott Borg (US-CCU). Focuses on 3 central problems: (1) the conflict is already here; (2) cyber conflict threatens future American prosperity; (3) fixing markets is the key to improving cyber security. I agree with Borg, but then I’m biased.
Rear Admiral James Arden Barnett, Jr., Ret. (FCC). An interesting point of view. I don’t have any problem with DHS assisting the country with situational awareness, but the philosophy of defense is extremely centralized. The greatest specific policy errors of homeland security in the last ten years have been efforts to provide one-size-fits-all information and requirements from a central national office: the national threat level scale, vastly increased expenditures on passenger screening at airports, and advice on creating a safe room for chemical gas attacks inside your home. There are too many computers, and too many businesses to expect that federal marshals can secure their IT infrastructure for them. Effective homeland defense will require businesses and individuals to have cheap, effective, and secure choices to accomplish the things they already know how to do: run their businesses and their households.
BBC: Obama begins cyber security review
Full story here.
A review of how well the US thwarts spies and malicious hackers has been started by President Barack Obama.
The wide-ranging review is set to last 60 days and takes in all the “plans, programs and activities” of official US cyber security efforts.
The end result will be a strategy to improve the way the US defends itself against net-borne threats. While campaigning, President Obama likened net risks to the threat of nuclear or biological attack.
National security
“The national security and economic health of the United States depend on the security, stability, and integrity of our nation’s cyberspace, both in the public and private sectors,” said John Brennan, assistant to the president for counterterrorism and homeland security, in a statement….
The BBC reporter notes that the Commission on Cybersecurity (CSIS) previously produced a report entitled Securing Cyberspace for the 44th Presidency in December 2008.
What would a strategy for securing cyberspace look like? Recall John Bumgarner’s recent talk at the Fletcher School, entitled Policy Voids of Cyber Conflicts, February 3, 2009. At present, there are too many competing civilian and military agencies for the country to have a cohesive policy, and no clear definition of what securing cyberspace would entail. Preparing for war? Stamping out credit fraud? Hardening the nation’s civilian infrastructure? Mandating national quality standards for computer programming? None of these definitions fits the bill. I’ll be very interested to see what Obama’s team comes up with.
