recommended reading


Russia's Holding Back Cyber Capabilities in Ukraine

By Aliya Sternstein // March 10, 2014


There is a big difference between the known capabilities of Russian hackers -- such as cyber espionage -- and the debilitating software the country actually possesses, which could hamper U.S. efforts to predict Putin’s next move, say some security researchers. 

So far, Russia's alleged cyber operations amid unrest in Ukraine have caused more spectacle than destruction. Reportedly a “massive denial-of-service attack” paralyzed Ukraine’s National Security and Defense Council servers for several hours last week, but such temporary traffic floods cannot access data or damage systems.

This doesn't mean Russia can't carry out a cyberattack that would physically or economically damage Ukrainian citizens. 

"Russia has the capability to completely shut down Ukraine's infrastructure," Jeffrey Carr, author of Inside Cyber Warfare and a government consultant, said during an interview. "But if they did that it would be inviting all kinds of sanctions."

Russian contacts have told Carr that laboratories in the country are at work on programs that could degrade industrial control systems, such as power plants, he said.

"I've been preaching this gospel to the federal government for years," said Carr, founder of Taia Global. "Most of our customers have been overseas. The UK's...

Four Federal Cyber Escapades to Watch For This Spring

By Aliya Sternstein // March 5, 2014


The Obama administration’s 2015 budget request hints at novel approaches to the cyber threat at civilian agencies and the Pentagon. Funding-related papers released on Tuesday to justify spending for congressional appropriators do not include the details. So, look for officials to color in the picture during House and Senate hearings in the weeks ahead. 

1. Deployment of new cyber mission forces

The Defense Department last year reorganized cyber warriors among three "cyber mission force" components. Now comes the challenge of recruiting and retaining personnel to boost the size of each of those components. The quadrennial defense review states, “The Cyber Mission Force will be manned by 2016.” Employees will be positioned among the following groups:

  • 13 Cyber Command National Mission Teams with 8 National Support Teams that thwart cyberattacks headed stateside
  • 27 Cyber Command Combat Mission Teams with 17 Combat Support Teams that aid combatant commands worldwide
  • 18 Cyber Command National Cyber Protection Teams that operate and safeguard the dot-mil domain and internal military networks
  • 24 Service-level Combat Mission Teams
  • 26 Combatant Command-level and Defense Information Network-level Cyber Protection Teams

2. A federal cyber campus

The administration will design a Federal Cyber Campus to "co-locate key civilian cybersecurity...

Dropbox Addresses Government Spying

By Aliya Sternstein // February 21, 2014


Dropbox, a cloud storage app the government recommends for federal teleworkers, has revised its privacy policy to address concerns about other federal workers spying on users’ data.  

The new policy, which goes into effect March 24, acknowledges that Dropbox might share user data with outsiders to comply with the law, "if we determine that such disclosure is reasonably necessary." An email to users immediately adds that the company will follow its own Government Request Principles, guidance that obliquely antagonizes the National Security Agency and includes fighting requests for bulk data.

"Government data requests should be limited to specific people and investigations," the principles state. "We’ll resist requests directed to large groups of people or that seek information unrelated to a specific investigation." 

Would the federal teleworker cohort also be protected? A mobile worker toolkit guide distributed by the General Services Administration suggests that teleworkers consider using Dropbox as "basic mobility equipment."

The handbook states: “Have you considered the free downloadable program ‘DROPBOX’?”

The amendments to Dropbox's privacy policy are part of a larger movement by many Internet giants and startups to address concerns about massive NSA data sweeps. The service says it will strive to protect its systems...

Op-Ed: Three Steps That Would Significantly Improve Cybersecurity

By Robert Dix // February 14, 2014


The trends are clear: cyber threats to individuals, organizations and institutions are increasing in number and the damage they can do is serious and growing. Nonetheless, the prospect for meaningful legislative action to shore up network defenses remains slim, at least in the near term. Despite lawmakers’ lack of progress, however, there is plenty that agencies, companies and individuals can do to address the challenge. I recommend three immediate steps:

1. Implement a comprehensive national education campaign.

Many cyber intrusions are easily preventable. According to government sources, roughly 80 percent of exploitable vulnerabilities that contribute to cyber attacks are the direct result of poor or no cyber hygiene. If network administrators were more attentive to timely patch management, proper configuration policies, routine password management and effective network monitoring, many compromises could be prevented or the impact diminished. A comprehensive and sustained national education and awareness effort that arms people and businesses with information about how to more easily and effectively protect themselves could help alleviate many immediate threats.

In addition, we should leverage what we have learned from past cyber events that were successful, unsuccessful, interrupted or disrupted. We should examine the tactics, techniques and procedures that were used by...

DHS Hires Booz to Finish Cyberattack Drill Job

By Aliya Sternstein // February 13, 2014


The Homeland Security Department has decided to extend a contract for help on a biennial cyberattack drill with Booz Allen Hamilton.

The roughly $400,000 follow-on runs from Feb. 6 through April 6, according to a Jan. 13 justification for not letting other firms bid on the upcoming work. Booz won a five-year $15 million contract for the project in 2009.

Booz was unable to get the job done on time due to hiccups in the federal billing cycle, DHS said.

"The delays can be entirely attributed to government action, including the government shutdown," DHS officials said in the justification, which was signed Jan. 13. Homeland Security offices "would like to complete planned deliverables that have projected schedule delays through no fault of the contractor."

Officials said they expect to let the entire cyber industry vie for a renewal of the contract in March. 

Cyber Storm, billed as the most extensive government-sponsored cybersecurity exercise of its kind, "builds on lessons learned from previous real world incidents," the department's website states.

DHS and Booz officials declined to comment on the "real world incidents" they might draw from for upcoming simulations. 

Edward Snowden was assigned by Booz to the National Security...