CyberSecurity is Still Lagging Behind

By Rachel Ehrenfeld
Saturday, May 18th, 2013 @ 4:42AM

If you are one of some 600,000 subscribers to the Financial Times, you may wish to change your account’s password.

Earlier today, a few of the paper’s Twitter accounts and a blog were compromised by Bashar Assad’s thugs, bragging on their Twitter, “Hacked by the Syrian Electronic Army.”

The FT reported earlier that a member of the Syrian Electronic Army was interviewed by the paper’s reporters via email, and that the hacking was facilitated by phishing attacks on some of the FT’s email accounts. Yet no link was made between that correspondence, which exposed FT email accounts, and today’s hacking.

In what can best be described as English subtlety, the article describing the attack did not even make headlines on the FT’s home page. “We have now locked those accounts,” announced the FT official, who praised Twitter’s help. Nothing was said about the paper’s subscribers’ accounts. Clearly, the new two-step authentication that Twitter was supposed to establish after the Associated Press account was hacked last month failed.

The Syrian Electronic Army’s hacking of the AP Twitter account last month, falsely reporting on explosions at the White House, instantly wiped $136 billion off the DOW. The DOW came back. But what happened to those who lost the money?

Phishing, hacking emails, stealing passwords and compromising whatever and whoever is linked are not the only threat facing our cyber communications today.

Discoveries that computers–used by governments, industries, financial institutions and everything else–have been infected by malware, either embedded in software or delivered through the Internet, don’t make headlines anymore. The damages that are reported are huge, but most still go unreported and possibly have not yet been discovered; the real cost is unknown.

While these discoveries demonstrate that security experts are catching up, it’s too little, too late. While protecting our cyber communication channels from stealth predators through the Internet is challenging, we could and should prevent the planting of malware in software by carefully vetting the designers.

However, software developers often seem more concerned with their bottom line and are cutting costs by employing cheap, unvetted labor. While their short-term revenues may well increase, the cost to the economy and national security could be devastating.

Most public and private entities rely on and are dependent upon the government for timely warning and for identifying the attackers after an attack. To better protect the critical infrastructure against cyberattack, DHS has contracted Northrop Grumman to begin the security accreditation process that is now required before approval to operate as a commercial services provider under the Department’s Enhanced Cybersecurity Services program.

Major private sector entities would like the government to allow them to take preventive/offensive tactics against cyber attacks. Since the government prohibits such measures, “Bank representatives on the Federal Advisory Council said at their last gathering on Feb. 8 in Washington that the Fed should collect and distribute threat information to lenders, law enforcement, securities exchanges and clearinghouses,” according to Bloomberg. A number of banks recently asked the Federal Reserve to take the lead in defending the financial services industry from cyberattacks by working with federal counterterrorism, intelligence, and law enforcement agencies.

The government, for its part, may have the expertise, but it’s stuck in the rut of only gathering and aggregating information on private sector cyber attacks. In the absence of enabling legislation, the FBI has been meeting with big bankers, urging them to report attacks.

If the government is still at step one of cybersecurity–information sharing about attacks–it appears that it cannot even manage that in a comprehensive way. On April 18, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). It was dead on arrival in the Democratic Senate, due to White House opposition.

CBS News suggested the Administration opposed it “because language in its current draft suggests that companies like Facebook, Google and Twitter, share information with the federal government without a warrant.” Huffington Post argued that the House bill doesn’t “sufficiently protect privacy and civil liberties, ensure that a civilian department–not an intelligence agency–is the primary point of entry for cybersecurity information sharing, and provide narrowly tailored liability protections that would allow the private sector to respond to threats.” And The Hill offered that “the final version of the bill did not satisfy the White House’s key principles because it would allow companies to share cyber threat information directly with the military, including the National Security Agency (NSA), without being required to remove personal information from that data first.” The Hill also said the current bill doesn’t require companies to remove information on the identity of a specific person before sharing the threat information: “CISPA requires the government to strip that personal information from the cyber threat data it receives from companies instead.”

New bipartisan legislation [PDF], “The Deter Cyber Theft Act, S. 884,” was introduced on May 7th by Sens. Carl Levin, D-Mich.; John McCain, R-Ariz.; Jay Rockefeller, D-W.Va.; and Tom Coburn, R-Okla.

Levin said we should hit those who commit cyberespionage in their wallets, “by blocking imports of products or from companies that benefit from this theft.” The law would require an annual report listing the countries involved in cyberespionage and detailing the kind of data the perpetrators were stealing. These listings could result in the president blocking imports of certain products from those countries.

This would be a welcome step in the right direction.

The trouble is one cannot be sure how the White House would react. All of its actions regarding the Chinese cyberthreat have been “let’s talk.” While the administration has more than acknowledged China’s depredations, no other steps seem to have been taken. The Chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, recently visited with Chinese general Fang Fenghui, and talked about setting up a cybersecurity “mechanism.” What does that mean? This seems to indicate that the administration is less interested in getting China to stop cyberattacks than it is in finding a compromise, where no compromise ought to be seen as an outcome favorable to the United States. Remember: The Chinese want to regulate the Internet.

The May 6th Pentagon report openly blamed Chinese cyber attacks directly on its government and military. The report also said that Chinese espionage “was designed to benefit its defense and technology industry into U.S. policy makers’ think about China.” But there is nothing new in the report that we haven’t known about for years. In fact, the latest reports say the Chinese have increased their cyberattacks.

If the Defense Department is so concerned about Chinese penetration of U.S. defense systems, as the report suggests, then how does it explain its recent $10.6 million contract with the Chinese for a year’s use of their Apstar-7 satellite for data communications purposes?

On March 20, NASA administrator Charles Bolden told Congress that the agency “had closed down its technical reports database and imposed tighter restrictions on remote access to its computer systems” as a consequence of suspected espionage by an employee who happened to be a Chinese national. Bolden also said he had ordered measures to prevent access of “foreign nationals from designated countries — including China, Iran and North Korea — are given to NASA facilities and a moratorium on providing new access to citizens of those countries.” Why do Chinese, Iranian, and North Korean nationals have access to NASA facilities, let alone serve as NASA contractors?

The SEC trade-tracking computer system was recently introduced. It is purportedly designed to insulate the market from flash crashes caused by High-Frequency Trading and other glitches.

SEC Commissioner Mary Schapiro broke a 2-2 commission deadlock in favor of next-day reporting on hacking, instead of immediate reporting, ostensibly because the real-time version would be too costly.

The costs and risks of real-time reporting? The 2010 crash erased $862 billion from equities in less than 20 minutes before prices rebounded. The 2013 recommended system was expected to cost $125 million to build, plus $40 million annually in “equities data” costs. Choosing “next-day” reporting is akin to closing the empty barn door after the horse has run away.

“1) See horse in barn; 2) see horse leave barn; and 3) go close gate.” Unfortunately, the same applies to the general state of U.S. cybersecurity.

Further Reading:

DARK READING: U.S. Cyber Command Head General Alexander To Keynote Black Hat USA 2013

U.S. NEWS: Keep Your Government Hands Off the Internet

TELEGRAPH UK: US under ‘constant’ cyber attack, top general claims

IRISH EXAMINER: Cyber crime: the new battleground

CYBER WAR ZONE: Hackers create cheap device unlocks Hotel room doors Cross US

INFORMATION WEEK: 3 Big Mistakes In Security Incident Response. Avoid these common “tunnel vision” mistakes when investigating a breach or hack.
