Tuesday, September 27, 2011

Internet Security Alliance Daily Brief (9/27/2011)

Internet Security Alliance Daily Brief
** Your source for current and relevant cyber security issues ** 

***ONE week left of your FREE subscription, contact Tammi Boyce at tboyce@isalliance.org to find out how you can continue to receive ISA's Daily Brief after September 30, 2011***
For Your Immediate Attention 

NCCIC CA Trust Bulletin. The following NCCIC bulletin concerns CA compromise and mitigation strategies. Please click here to view the bulletin.
Track Cyber Security Legislation. ISA Sponsors are currently reviewing and sharing comments on cyber security legislation being drafted by the House Homeland Security Committee as well as the House Judiciary Committee and the Senate process being managed by Majority Leader Harry Reid. Sponsors also receive insider updates describing the political process affecting pending cyber security legislation. While this advanced service is available only to ISA sponsors, Daily Brief subscribers can track the public activities ongoing in the Congress through CipherLaw Group’s “Cybersecurity Legislation Tracker.” This blog is a valuable resource that provides notice and summaries of significant Cybersecurity developments on Capitol Hill, including postings with respect to hearings, proposed bills, and task force activities. Cybersecurity Legislation Tracker: https://www.cipherlawgroup.com/index.php/en/legislation-update
DHS Survey For Private Sector Infrastructure. Starting with testimony delivered in 2005, and every Congress since, the ISA has advocated that DHS cyber security programs designed to assist the private sector ought to be developed in collaboration with the private sector partnership and evaluated for cost effectiveness before being renewed or extended. To our knowledge the survey referenced below is the very first step in this direction. This need is especially pressing in the current environment where government resources are increasingly scarce and DHS is advocating to create a vast new regulatory structure with the power to mandate government determined infrastructure practices broadly upon the private sector. ISA strongly urges all our members and subscribers to answer this survey to provide our government partners with their candid assessment of the utility and value of current government programs to your enterprise infrastructure security. 
Click here for the Office of Infrastructure Protection Stakeholder Input Questionnaire 
ISA in the News  
UC becomes partner in Protected Health Information project. September 20, uticaod.com – Utica College’s Center for Identity Management and Information Protection has become a partner sponsor of the Protected Health Information (PHI) project. The project will seek to enhance the nation’s ability to protect PHI from the cyber hackers and criminal insiders who have legitimate access to this information and use it for criminal purposes. The project is a joint venture of the American National Standards Institute (ANSI) Identity Theft Prevention and Identity Management Standards Panel, The Shared Assessments Program and Healthcare Working Group, and the Internet Security Alliance. “As partner sponsor, CIMIP executive and research staff are making special efforts to identify and analyze financial and technical obstacles that organizations entrusted with safeguarding PHI face in preventing information breaches, and how they presently attempt to circumvent such security breaches,” said Donald Rebovich, executive director of CIMIP. CIMIP staff will examine areas such as the precise identification of information system protection areas that have high potential for criminal exploitation and the legal and financial aspects of effectively protecting this information. The final report of this project will be presented at a news conference at the National Press Club in Washington DC and will subsequently be presented at a Congressional staff briefing on Capitol Hill.
August 22, C-SPAN – In this edition of "The Communicators," cybersecurity experts Larry Clinton, President and CEO of the Internet Security Alliance, and Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, discuss the Obama Administration's proposals for reducing cyber threats against the U.S.
Source: http://www.youtube.com/watch?v=7u4YUpsGteQ
Trade group: Obama's cybersecurity plan won't protect networks. August 16, The HILL.com – The White House's cybersecurity plan is too focused on punishing companies that suffer attacks and does little to improve cybersecurity, said the head of an industry association representing firms that would be covered by the plan. Internet Security Alliance president and CEO Larry Clinton argued the White House's cybersecurity legislative proposal unveiled in May takes an antiquated approach to cybersecurity that fails to recognize how threats have evolved over the past several years.
Source: http://thehill.com/blogs/hillicon-valley/technology/177071-trade-group-blasts-white-house-cybersecurity-plan
In Today's News
Microsoft Security Chief Says Every Business Needs a Security Plan. September 27, Businessnewsdaily - Too many businesses wait until it's too late to think about their company's physical security and cybersecurity issues. That's not good for business, according to Mike Howard, chief security officer for Microsoft. Howard, an ex-CIA officer who handles all physical security for the company's worldwide operations, says that integrating a security team or plan into your company's day-to-day operations is the key to getting the most value from it. "Security is not something that should be thought of as 'break glass only in times of emergency,'" he told BusinessNewsDaily in an exclusive interview. "It affects a brand's reputation, can result in lawsuits, and requires initial investments up front." If you don't want to spend money on security now, you'll surely pay more later, he said. Howard should know. His security team is ultimately responsible for the safety and security of Microsoft's entire executive team, its 90,000 employees, roughly 90,000 contractors, 700 facilities in more than 100 countries worldwide and all of the visitors to those facilities. He's also responsible, of course, for all of their computers and hardware and the information they contain. Source: http://www.businessnewsdaily.com/microsoft-business-security-plan-advice-1827/
In China, business travelers take extreme precautions to avoid cyber-espionage. September 26, Washington Post - Packing for business in China? Bring your passport and business cards, but maybe not that laptop loaded with contacts and corporate memos. China’s massive market beckons to American businesses — the nation is the United States’ second-largest trading partner — but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive. Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers’ conversations. Many other countries, including the United States, spy on one another for national security purposes. But China’s brazen use of cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country’s economy, according to experts who advise American businesses and government agencies. Source: http://www.washingtonpost.com/world/national-security/in-china-business-travelers-take-extreme-precautions-to-avoid-cyber-espionage/2011/09/20/gIQAM6cR0K_story.html
Pentagon Extends Program to Defend Cyber Networks. September 26, ABC - The Pentagon is extending a pilot program to help protect its prime defense contractors, an effort the Obama administration can use as a model to prevent hackers and hostile nations from breaching networks and stealing sensitive data. The move comes as cybersecurity officials warn of increasingly sophisticated cyberattacks against U.S. defense companies, including data related to critical Pentagon weapons systems and aircraft. Officials at the Department of Homeland Security are reviewing the program, with an eye toward extending similar protections to power plants, the electric grid and other critical infrastructure. Efforts to better harden the networks of defense contractors come as Pentagon analysts investigate a growing number of cases involving the mishandling or removal of classified data from military and corporate systems. Intrusions into defense networks are now close to 30 percent of the Pentagon's Cyber Crime Center's workload, according to senior defense officials. And they say it continues to increase. Source: http://abcnews.go.com/Politics/wireStory/pentagon-extends-program-defend-cyber-networks-14605098
Security Expert: U.S. 'Leading Force' Behind Stuxnet. September 26, NPR - One year ago, German cybersecurity expert Ralph Langner announced that he had found a computer worm designed to sabotage a nuclear facility in Iran. It's called Stuxnet, and it was the most sophisticated worm Langner had ever seen. In the year since, Stuxnet has been analyzed as a cyber-superweapon, one so dangerous it might even harm those who created it. In the summer of 2010, Langner and his partners went to work analyzing a malicious software program that was turning up in some equipment. Langner Communications is a small firm in Hamburg, Germany, but Langner and the two engineers with whom he works know a lot about industrial control systems. What they found in Stuxnet left them flabbergasted. "I'm in this business for 20 years, and what we saw in the lab when analyzing Stuxnet was far beyond everything we had ever imagined," Langner says. It was a worm that could burrow its way into an industrial control system, the kind of system used in power plants, refineries and nuclear stations. Amazingly, it ignored everything it found except the one piece of equipment it was seeking; when the worm reached its target, it would destroy it. Langner says that the more his team analyzed the Stuxnet worm, the more they knew they were onto something big. Source: http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet
Homeland Security Revamps Cyber Arm. September 26, InformationWeek - The National Protection and Programs Directorate, the Department of Homeland Security agency that handles many of the government's cybersecurity responsibilities, is about to get a makeover in the wake of the departure of former deputy undersecretary Phil Reitinger. The directorate, among other things, works to secure federal civilian agency networks and coordinate cybersecurity with the private sector. In an email obtained by InformationWeek, DHS undersecretary Rand Beers announced to staff that, in response to "the growing importance of cybersecurity to DHS and the nation as a whole," DHS is splitting Reitinger's former job in two. DHS will now have one new deputy undersecretary position that exclusively deals with cybersecurity and another that helps protect critical infrastructure, secures federal facilities, and manages the US-VISIT biometric identity management system used to identify and track foreign visitors. Source: http://www.informationweek.com/news/government/security/231602168
Upcoming Events

October 3 at 5:00pm: IT-Sector Coordinating Council Executive Committee Conference Call
October 4: Larry Clinton speaking on the “Current Policy Impacts on Innovation in the Cybersecurity Domain” panel at MIT
October 5: Larry Clinton speaking on "Cyber Security and Critical Energy Infrastructure: Its Importance, Challenges and Solutions" in Washington, DC 
October 6: DHS Critical Infrastructure Partnership Advisory Council Plenary
October 7 at 1:00pm: IT-Sector Coordinating Council – Risk Assessment Committee Working Group Meeting
October 10 at 5:00pm: Partnership for Critical Infrastructure Security Conference Call
October 11 at 3:00pm: IT-Sector Coordinating Council International Committee
October 17: Larry Clinton giving the Keynote Speech at the Joint AIA/NDIA Industrial Security Committee Meeting in Orlando, FL
October 17: Larry Clinton speaking at the 5th Transatlantic Market Conference: "Transatlantic Cooperation for Growth and Security - Protecting Critical Technology and Infrastructure" in Washington, DC
October 17 at 1:00pm: Cross Sector Cyber Security Working Group Meeting
October 17 at 5:00pm: IT-Sector Coordinating Council Executive Committee Conference Call
October 18 at 2:00pm: IT-Sector Coordinating Council Plans Working Group Meeting
October 21 - 22: NSA: Maryland Cyber Challenge and Conference (MDC3) in Baltimore, MD
October 21: Larry Clinton speaking at the Maryland Cyber Challenge and Conference (MDC3) in Baltimore, MD
In Case You Missed It 
ISA to Appear on C-SPAN
C-SPAN, the official, but independently operated, network of the US Congress is doing a special program covering the Administration's Cyber Security Legislative proposal.  They have asked the Internet Security Alliance to provide the private sector perspective.  Marc Rotenberg from the Electronic Privacy Information Center will be interviewed to represent individual privacy perspectives on the proposal.  ISA’s comments during the interview were based on the ISA testimony before the House Homeland Security Committee in June and Larry Clinton’s appearance before the Congressional Cyber Security Task Force set up by Speaker Boehner in July.
The 30 minute C-SPAN program aired three times - Saturday, August 20 at 6:30 PM EDT on C-SPAN, Monday, August 22 at 8 AM, and again, at 8 PM on C-SPAN II.
NIST Seeks Comment on the National Initiative for Cybersecurity Education Draft Strategic Plan
The National Institute of Standards and Technology (NIST) is pleased to announce that the Draft National Initiative for Cybersecurity Education (NICE) Strategic Plan is available for comment.  The plan, “Building a Digital Nation,” outlines NICE’s mission, vision, goals and objectives. NIST and its interagency NICE partners seek comments from all interested citizens and organizations concerned with cybersecurity awareness, training and education.  

Comments on this draft should be entered into the Comment-Template_Draft-NICE.xls and e-mailed to nicestratplan@nist.gov. Comments on the NICE draft strategic plan are due by September 12. NIST’s federal partners that contributed to the plan include the Department of Homeland Security, the Department of Defense, the Department of Education, the National Science Foundation, the Office of Personnel Management, and the National Security Agency.

NIST coordinates the interagency NICE program, which is a national campaign focused on enhancing cybersecurity in the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills and knowledge of every segment of the population. The program aims to improve secure use and access to digital information in a way that advances America’s economic prosperity and national security.

http://csrc.nist.gov/nice/documents/nicestratplan/NICE-Strategic-Plan-Announcement.pdf
Draft Guideline for Securing Electronics Supply Chain Available for Comment
ISA is circulating to its members the product of its multi-year effort to outline cost effective measures for securing the electronics supply chain. The paper is a 50 page set of instructions intended to be both a guidebook for managing the supply chain and a reference document for drafting contracts between producers and suppliers of electronic products in a way that hopefully secures greater benefits from globalization. The guidelines are affirmatively shaped by technical as well as economic considerations.  The guidelines are written so as to be accessible to technical as well as non-technical personnel. More than 60 government and industry players collaborated in the development of the guidelines in a series of technical and legal workshops under the direction of Scott Borg of the US-CCU. Member comments can be provided to Josh Magri at jmagri@isalliance.org.
DPA Survey Request for Comments
ISA has developed a set of bullet points that speak to the fact that an effort is underway to compel potentially thousands of companies to provide proprietary data under the Defense Production Act (DPA) under the threat of fines and criminal prosecution. While use of the DPA has ample precedent, the current use seems to go well beyond its intended purposes with targets well beyond the traditional DIB companies. We are told as many as 5000 companies from a variety of industry sectors may receive these compulsory surveys.
US House Homeland Security Committee Hearing
ISA President Larry Clinton has been asked to testify before the Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.  The hearing is entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." The webcast can be viewed live through the following link: http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity

Summer 2011, Journal of Strategic Security
"A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense" authored by Larry Clinton was published in a recent issue.  To view click here and then select the PDF file next to the article's title.
May 2011, Cutter IT Journal
ISA President Larry Clinton authored the article, "A Theory to Guide US Cyber Security Policy."  To view the article click here, download the issue and go to page 30.

Spring 2012, Conflict and Cooperation in the Commons
Larry Clinton has authored the chapter "Cyber Security Social Contract".  This book is forthcoming from Georgetown University Press. 
