Cybersecurity


Tight budgets bring people issues to the forefront for CISOs

By Brittany Ballenstedt // February 29, 2012

SAN FRANCISCO - Agency chief information security officers are becoming more human resources savvy as they determine how to keep key programs afloat in the midst of tight budgets.

During a panel discussion at the RSA Conference on Tuesday, a theme among government CISOs was that people issues were a major focus in adopting a "doing more with less" mentality.

"There's a significant amount of incest in the security world," said Matt McCormack, CISO at the Defense Intelligence Agency. "If you have two vacancies, you're going to hire two people, and I will have lost two people. We need to increase the gene pool for security folks."

McCormack said labor costs were soaking up 80 percent of the DIA's IT security budget, causing the agency to dramatically rethink its approach to staffing. As a result, DIA moved 25 percent of its staff out of Washington to Florida and Colorado. "By continuing to hire in D.C., we were continuing to pay a premium for the same people," he said. "If I'm paying 80 percent for labor, a 2 percent to 3 percent increase in average salaries is hard to take if I'm having to deal with ...

Researchers suggest U.S., China engage on cyberattack issues

By Aliya Sternstein // February 28, 2012


A new report proposes China and the United States discuss taboo hacking topics, such as cyberattacks, to cool cybersecurity relations before the dispute becomes as explosive as global finance.

Unlike many recent accounts condemning China for gross cyber spying, the Brookings Institution paper avoids pointing fingers at either side. In fact, much of the analysis recounts instances of computer sabotage and espionage in other countries, such as Russia allegedly bringing down Estonia's Internet and a Spanish-origin virus that infiltrated more than 12 million computers worldwide. Authors Kenneth G. Lieberthal and Peter W. Singer, both senior fellows at the Washington think tank, plan to distribute a Chinese-language version of the report to the foreign country's policymakers.

"The potentially poisoning effect of cybersecurity on the [U.S.-China] relationship is occurring at a time when there is genuine uncertainty about the degree and speed of changes in the global balance of power," they write. "Discussions of intractable arenas can deepen mutual understanding of the differing underlying assumptions and concerns that make them so difficult, and thus, to some degree, increase the prospect for addressing some of these issues -- or at least of somewhat limiting their negative effects ...

House subcommittee questions cybersecurity at power networks

By Josh Smith // February 28, 2012

While new computer technology has made power grids more effective, systems designed to secure those networks from cyberattacks continue to lag, Government Accountability Office officials told a House subcommittee on Tuesday.

"Cybersecurity and industry experts have expressed concern that, if not implemented securely, smart-grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security," the GAO's Gregory Wilshusen and David Trimble said in joint testimony at a hearing of the House Energy and Commerce Oversight and Investigations Subcommittee.

Officials have had difficulty securing power grids because they are usually operated by private companies, and government efforts are often dogged by concerns over privacy and intrusion. Another complication -- there is disagreement over the extent of the threat. In 2008 intelligence officials reported that cyberattacks had disrupted electric power in several different areas overseas, but it is unclear if such targeted cyberattacks have occurred in the United States.

The subcommittee examined the issue as Congress debates legislation that could give the Homeland Security Department more authority to protect critical infrastructure like power grids from cyberattacks. The National Security Agency, which has warned of cyberattacks on power systems, has ...

Report: NATO needs more cyber capabilities

By Josh Smith // February 28, 2012

Government officials have warned that cyberattacks are rapidly becoming one of the greatest threats to the United States and its allies, but a new report says the North Atlantic Treaty Organization is still playing catch up.

"NATO's central missions of collective defense and cooperative security must be as effective in cyberspace as they are in the other domains of air, land, sea, and space," concluded a report released by the Atlantic Council on Monday.

While NATO enacted a new cyberdefense policy in June, the alliance now needs to focus on a core set of priorities to make cybersecurity efforts more effective, the report said.

A special worry for the military comes from networks controlled by private companies. The Wall Street Journal and Washington Post reported on Monday that the National Security Agency has pushed for greater cybersecurity authority but has been rebuffed by the White House over privacy concerns.

In 2002, NATO started a cyberdefense program, largely in response to cyberattacks carried out when the organization conducted military operations to force Serbian soldiers out of Kosovo in 1999. During that operation, the U.S. military reported a three-fold increase in the number of attacks aimed at defacing its websites ...

NIST and state of Maryland establish cybersecurity lab

By Aliya Sternstein // February 22, 2012

At NIST headquarters, Sen. Barbara Mikulski, D-Md., said, "The new enduring war is a cyberwar." (Harry Hamburg/AP)

The Commerce Department and state of Maryland are opening an office near the National Institute of Standards and Technology headquarters in Montgomery County to create jobs and invent ways to safeguard online transactions.

Maryland Democratic Sen. Barbara Mikulski, chairwoman of the Senate committee that funds NIST, secured $10 million to start operating the National Cybersecurity Center of Excellence this year. The goal of the facility is to turn cybersecurity research into everyday protections for workplaces and home computers. Mikulski, NIST and local government officials described the new venture during a Monday press briefing.

"America's under attack -- America's under attack right this minute," Mikulski said. "The new enduring war is a cyberwar," with successful attempts to hack into U.S. dealings on the dot-mil, dot-gov and dot-com domains. Maryland Lt. Gov. Anthony G. Brown noted that Fort Meade, Md., is home to the Pentagon's Cyber Command.

The next step, federal officials said, is to situate a computer lab in an existing building close to NIST's campus in Gaithersburg. The initiative will generate 23 new jobs in Montgomery County and ...

Napolitano backs Senate cybersecurity bill, industry reporting requirement

By Aliya Sternstein // February 16, 2012


This story was updated to clarify the agencies that would be required to share real-time threat information with companies.

Homeland Security Department Secretary Janet Napolitano told lawmakers the White House approves of new Senate computer security legislation that would require critical sectors to report network intrusions to the government.

The endorsement came during a House hearing Wednesday, the day before Napolitano was slated to testify on the measure, S. 2105, before its authors on the Homeland Security and Governmental Affairs Committee. The 205-page package -- a compromise bill among numerous competing measures -- would grant the federal government the power to address penetrations into private networks.

"The administration supports the bill that was introduced in the Senate this week," Napolitano said on Wednesday during a House Appropriations Homeland Security Subcommittee hearing on the department's funding request for fiscal 2013.

The information-sharing measures that she supports would involve businesses whose computers are vital to U.S. financial markets, power grids, transportation systems and other services that if disrupted could cause mass casualties, prolonged evacuations or catastrophic economic damage. Covered companies would have to inform the government about "significant cyber incidents" that jeopardize their systems. If they fail to ...

Commentary: Cybersecurity requires buy-in from the top

By Chris Wilkinson // February 15, 2012

Successfully securing networks against cyber threats requires support from the top -- not only from the IT staff, but from C-level executives as well. Network monitoring, patching or purging outdated software and hardware, communications, and coordination are essential for good risk management policies and practices.

A recent seminar sponsored by immixGroup, Bit9, Hewlett-Packard Enterprise Security, and Sourcefire featured cybersecurity experts from government and industry who explored the factors that contribute to a federal agency's ability to assess and anticipate threats as well as mitigate risk.

To start with, agencies must "push cybersecurity ownership up" the management ranks within the organization, said Gil Vega, the Energy Department's associate chief information officer for cybersecurity and chief information security officer. At Energy this meant creating a risk management executive body that included senior executives and undersecretaries. Initiating meaningful cybersecurity practices required sharing the responsibilities of risk management decisions, Vega said.

He recommended taking inventory of endpoints and patching applications and operating systems. Network surveillance and incident response are critical activities as well, he noted. Sharing information is vital. Energy distributes threat information departmentwide and a joint cybersecurity coordination center ensures appropriate communication among the stakeholders.

Energy is implementing a number of lessons ...

Senators introduce bill to boost DHS cybersecurity authority

By Josh Smith // February 14, 2012

Top members of the Senate Commerce, Intelligence, and Homeland Security committees introduced a long-awaited bill on Tuesday to address a wide range of cybersecurity issues in government and private industry.

The Cybersecurity Act of 2012 (S. 2105) would direct the Department of Homeland Security to assess and determine what industries to classify as "critical infrastructure." If selected, industries like electric grids or financial services would be required to meet a minimum level of cybersecurity.

Under the bill, all of DHS's cybersecurity efforts would be consolidated in a new National Center for Cybersecurity and Communications. The legislation would also seek to increase information sharing between the government and private businesses; provide a new program for research and development; and increase standards for federal networks.

"This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation's enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles," one of the bill's sponsors, Senate Homeland Security Chairman Joe Lieberman, I-Conn., said in a statement.

Other sponsors include Commerce Committee Chairman Jay Rockefeller, D-W.Va., Homeland ...