recommended reading


The FBI Is in the Market for Malware

By Aliya Sternstein // February 4, 2014

Pavel Ignatov/

Federal detectives want to buy viruses and other types of malicious software for assistance in cracking criminal cases, according to a "combined synopsis/solicitation for malware" published this week on the government's contracting database. 

The specific organization in need is the FBI Investigative Analysis Unit of the Operational Technology Division, a team of specialists providing on-the-scene tech support and "employing innovative, custom developed analytical methods" to analyze digital evidence, according to the solicitation.

"The collection of malware from multiple industries, law enforcement and research sources is critical to the success of the IAUs mission to obtain global awareness of malware threat," the request for bids states. "The collection of this malware allows the IAU to provide actionable intelligence to the investigator in both criminal and intelligence matters."

It's not exactly clear whether the bureau wants to buy the kind of spyware that feds reportedly use to eavesdrop on a suspect's Internet communications, or whether it simply needs to better understand the nature of malware to trace it back to its originator. 

In either case, there are existing -- free -- avenues for the FBI to obtain these kinds of hacking tools. 

Since 1996, the FBI has used a public-private...

Op-Ed: It’s Time to Take Action on Cybersecurity

By Frank Cilluffo and Sharon Cardash // February 4, 2014

Maksim Kabakou/

With each New Year comes the promise of a fresh start, and nowhere is there a more pressing need for that than in Washington, where gridlock has taken hold for too many months. The good news is that the close of 2013 witnessed the beginnings of forward motion, on the part of key actors, on select issues of national importance. In December, Rep. Paul Ryan, R-Wis., and Sen. Patty Murray, D-Wash., jointly took the lead on preventing another government shutdown only three months after the last one by crafting a bipartisan budget deal.  While the deal is nowhere near a grand bargain in scale and scope, it does reflect incremental progress that is still a step in the right direction and as such, is emblematic of what may be the new model of governance in the capital: Getting things done through small steps forward.

Indeed, the new golden rule in Washington may be: Don’t let the perfect be the enemy of the good. In the present partisan atmosphere, holding out for a panacea that addresses all challenges comprehensively may simply be a bridge too far. Cybersecurity is just one important area that could benefit much from this type of...

Data Breach Epidemic: Why Are We Blaming the Victims?

By Jessica Herrera-Flanigan // January 29, 2014

Target experienced a massive data breach in 2013.
Target experienced a massive data breach in 2013. // ValeStock/

This week, the Michaels craft store chain became the fourth retailer to step forward and say that hackers had breached its computer systems and may have obtained customer information.  The announcement followed those of Target, Neiman Marcus and Easton-Bell Sports, all of whose systems have been compromised in the last two months. The Easton-Bell breach was slightly different from the others in that its online, not physical, store was compromised.

As I’ve been reading the news coverage of the latest attack, I have a gnawing feeling that we are doing something wrong in how we treat data breaches and the companies affected. In at least two of the cases above -- Target and Michaels -- class action lawsuits have been filed against the retailers. Congress has called for hearings and some lawmakers have sent the companies letters and other inquiries asking for more details about their security practices. One Senator has requested the Consumer Financial Protection Bureau investigate credit card hacking while another has asked the Federal Trade Commission to examine at least one of the company’s data security policies and practices. All of these actions make me wonder how we have evolved into blaming the victim whose systems have...

Agencies to Focus on Illegal Cyberweapons Trade in 2014

By Aliya Sternstein // December 20, 2013


Agencies governmentwide over the next nine months must work together on guidelines for controlling the trade of cyberwar technology, under newly approved military legislation.

In programming, a cyberweapon often refers to malicious code that takes advantage of a software glitch unknown to developers, called a "zero day," to insert itself and manipulate data. For example, Stuxnet, an alleged U.S-Israeli cyberweapon, upended Iranian's nuclear program by exploiting a flaw in the country's centrifuge systems.

The concern in Congress is that war worms, let loose in the black market, are being sold to the public and overseas aggressors. 

The 2014 National Defense Authorization Act that lawmakers cleared on Thursday night requires that federal departments, with input from industry, devise "intelligence, law enforcement, and financial sanctions" mechanisms to "suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense."

This week’s bill also directs the Obama administration to address the problem at the international level – an effort that apparently already has begun.

Earlier this month, the Financial Times reported that 41...

White House's $14 Billion Cyber Spending Claim Is Squishy

By Aliya Sternstein // November 8, 2013

Adam Parent/

The size of the federal budget for computer security is hard to believe -- not because of the dollars involved, but because such spending is nearly unquantifiable. 

Consider this history lesson: In 2011, the White House proposed dedicating $2.3 billion to cybersecurity across the Defense Department for fiscal 2012.  

Officials at the Air Force, for their part, released a separate budget document that said the service planned to spend $4.6 billion on cyber. That's right: The Air Force planned to spend twice what the White House attributed to the entire Defense Department. 

After an exasperating attempt to reconcile these wildly different numbers, an effort that entailed repeated calls to multiple Pentagon components that, in turn, passed the buck to other components, a department spokeswoman explained the Air Force was improperly counting "things" that are not typically considered cyber in its request. Defense also revised it's cyber spending estimate and provided a higher total budget -- $3.2 billion

Now, the administration's Chief Information Officer Steven VanRoekel claims the White House has dedicated $14 billion to cybersecurity across the entire government.

Flabbergasted as to how the administration was able to identify cyber things at every agency to come...