<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Nextgov/FCW - Authors - Jessica Herrera-Flanigan </title><link>https://www.nextgov.com/voices/jessica-herrera-flanigan/6680/</link><description>Jessica R. Herrera-Flanigan is a partner at the Monument Policy Group, where she focuses on the issues affecting our nation’s security, technology, commerce, and entertainment markets.  Previously, she served as the Staff Director and General Counsel of the House Committee on Homeland Security. She also has served as Senior Counsel at the Computer Crime &amp; Intellectual Property Section, Criminal Division, U.S. Department of Justice, where she led the Section’s cybercrime investigation team. She was a Member of the CSIS Commission on Cyber Security  and is a Member of the ABA Standing Committee on Law &amp; National Security.  She currently serves as the Fellow for Cybersecurity at the Center for National Policy.</description><atom:link href="https://www.nextgov.com/rss/voices/jessica-herrera-flanigan/6680/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Wed, 22 Oct 2014 17:43:11 -0400</lastBuildDate><item><title>Cyber Policy Still Stuck in the ‘90s</title><link>https://www.nextgov.com/cybersecurity/2014/10/cyber-policy-still-stuck-90s/97184/</link><description>In the nearly 20 years since the first cyber policy discussions, technology has changed tremendously. 
The debate hasn’t caught up yet.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 22 Oct 2014 17:43:11 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2014/10/cyber-policy-still-stuck-90s/97184/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;A few weeks ago, I wrote about the need &lt;a href="http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/09/do-we-need-disrupt-cybersecurity-status-quo/95150/"&gt;to move the cybersecurity dialogue to its next stage &lt;/a&gt;and to start to seriously consider what disruptors are sitting out there that could help us do so.&lt;/p&gt;

&lt;p&gt;I identified four areas ripe for discussion.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Policy disruptors&lt;/li&gt;
	&lt;li&gt;Data breaches vs. cybersecurity&lt;/li&gt;
	&lt;li&gt;Cyber weaponization&lt;/li&gt;
	&lt;li&gt;Post-Snowden security&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Let&amp;rsquo;s start this disrupting conversation by looking at policy disruptors.&lt;/p&gt;

&lt;p&gt;To do that, we have to go back to the Clinton administration.&lt;/p&gt;

&lt;p&gt;Back in 1997 and 1998, we saw the issuance of the President&amp;rsquo;s Commission on Critical &amp;nbsp;Infrastructure Protection. This was a report on the scope and nature of the vulnerabilities and threats to the nation&amp;rsquo;s key industries, like power and water systems. Then, in 1998 came the release of Presidential Decision Directive 63.&lt;/p&gt;

&lt;p&gt;Those cutting-edge Clinton-era efforts talked about the &amp;ldquo;shared responsibility and partnership between owners, operators and government.&amp;rdquo; They discussed incentives and only using regulation in the &amp;ldquo;face of a material failure of the market.&amp;rdquo; &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Research and development investments as well as government procurement were also discussed. Information sharing, including the legal impediments and possible liability issues, insurance&amp;nbsp;and standards were all evaluated and deemed necessary.&lt;/p&gt;


&lt;p&gt;Fast forward 17 years, through countless reports, think-tank events, congressional hearings, legislation and administration action.&lt;/p&gt;

&lt;p&gt;The policy debates are still focused on&amp;nbsp;shared responsibilities, incentives, R&amp;amp;D investment, government procurement, information sharing, insurance and standards.&lt;/p&gt;

&lt;p&gt;In the nearly two decades since the first cyber policy discussions were seriously initiated, technology has changed tremendously: Email, the Internet, and mobile devices are now the norm, not unusual like they were in the mid-1990s. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;The policy debates, sadly, have not changed.&lt;/p&gt;


&lt;p&gt;We have reached the point where the policy framework for addressing cybersecurity and critical infrastructure protection probably should not be the same as it was when the first clamshell (a.k.a. flip) mobile phone was considered the latest innovation.&lt;/p&gt;

&lt;p&gt;If we are to tackle cybersecurity effectively, we need to be able to look to the future of technology and map out policy positions that are going to be relevant in the years to come. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Three areas I would be interested in seeing more &amp;ldquo;big thinking&amp;rdquo; on:&lt;/p&gt;


&lt;p&gt;&lt;strong&gt;The integration of technology&lt;/strong&gt;. There has been some work in this area and increasing interest in doing more, &lt;a href="http://www.nextgov.com/cio-briefing/2014/10/congress-wants-probe-internet-things-heres-what-it-should-focus/97127/?oref=ng-skybox"&gt;given the attention on the &amp;ldquo;Internet of Things&amp;rdquo;&lt;/a&gt;. But it feels as if not enough is being done to really explore the policy implications here.&lt;/p&gt;

&lt;p&gt;Many years ago, the former National Communications System, when it was still in the Defense Department, did a lot of technical work on this issue, especially in telecommunications. Today&amp;rsquo;s discussions, which still talk about cybersecurity in terms of &amp;ldquo;sectors,&amp;rdquo; could be better served by looking at how the lines between sectors are becoming blurred.&amp;nbsp;More and more things are being considered &amp;ldquo;critical infrastructure,&amp;rdquo; given our increased reliance on technology.&lt;/p&gt;


&lt;p&gt;&lt;strong&gt;Cybersecurity by design&lt;/strong&gt;. This pops up as an issue every once in a while, especially in discussions about software design, but it does not feel like we have really had some serious discussion on how cybersecurity can and should be integrated into technology and services at the onset, instead of as an afterthought.&lt;/p&gt;

&lt;p&gt;There is a tremendous number of policy questions that arise when we build things with cybersecurity (instead of convenience) in mind, and it would be helpful to have those discussions.&lt;/p&gt;


&lt;p&gt;&lt;strong&gt;The intersection of cyber and economics and law&lt;/strong&gt;. Many of the recent conversations around cybersecurity have used a disease-fighting framework, comparing it to the health system and discussing &amp;ldquo;holistic&amp;rdquo; approaches to the issue. Less has been done to explore the intersection of law and economics on cybersecurity. This is an area that is ripe for policy debate.&lt;/p&gt;

&lt;p&gt;In some ways, spending more time on this topic could lead to the same thought leadership we have seen when it comes to economics and law on the environment. Yes, it could result in many of the same old issues re-emerging and being discussed under the guise of &amp;ldquo;economic analysis,&amp;rdquo; but if done properly it could be done in a more systematic and research-oriented way.&lt;/p&gt;


&lt;p&gt;These are just three areas that seem ripe for policy exploration. There are many more, especially as we look at the international nature of cybersecurity. Of course, the real policy disruptors that are out there are probably still unknown ideas in some of the young bright minds who one day will help solve these issues.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Do We Need to ‘Disrupt’ the Cybersecurity Status Quo?</title><link>https://www.nextgov.com/cybersecurity/2014/09/do-we-need-disrupt-cybersecurity-status-quo/95150/</link><description>Next month marks 10 years since DHS first marked Cybersecurity Awareness Month. Is the cyber conversation stuck in 2004?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Thu, 25 Sep 2014 16:41:17 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2014/09/do-we-need-disrupt-cybersecurity-status-quo/95150/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;Next Wednesday&amp;nbsp;marks the beginning of the 11th&amp;nbsp;annual Cybersecurity Awareness Month.&lt;/p&gt;

&lt;p&gt;The Department of Homeland Security &lt;a href="http://www.dhs.gov/national-cyber-security-awareness-month-2014"&gt;says&lt;/a&gt; the month is designed to &amp;ldquo;engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;And it is a celebration of sorts: the National Cyber Security Alliance has &lt;a href="http://www.staysafeonline.org/ncsam/about"&gt;deemed it&lt;/a&gt; something to &amp;ldquo;celebrate.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;I have not written a great deal in the last several months about cybersecurity. In fact, one of my posts earlier this year noted that it seemed as if there was &lt;a href="http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/04/cybersecurity-may-be-going-way-country-music/83335/"&gt;cybersecurity overkill going on&lt;/a&gt;, and I wanted to step back and take a deep breath and do an inventory of cybersecurity policy.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Now, as we embark on a month of &amp;ldquo;cyber-celebration,&amp;rdquo; it&amp;nbsp;seems like a good time to step back into the fray and give some thoughts on the topic.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Specifically, I thought it would be helpful to look at how we could &amp;ldquo;disrupt&amp;rdquo; cybersecurity in the way Netflix disrupted video watching, Uber disrupted the taxi/car service, Zillow disrupted how we went about making housing decisions and other companies are disrupting various aspects of how our lives and technology intersect.&lt;/p&gt;

&lt;p&gt;I did a search on &amp;ldquo;cybersecurity disrupters&amp;rdquo; and a few things popped up -- but nothing that made me think, &amp;ldquo;Wow, this changes the game.&amp;rdquo;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;So,&amp;nbsp;a few topics to throw out for discussion over the next few weeks. &amp;nbsp;I&amp;rsquo;ll write more on each of them throughout the month.&lt;/p&gt;


&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Policy disruptors:&lt;/strong&gt;&amp;nbsp; Since the mid-1990s, the policy debates in D.C. have been focused on information sharing and critical infrastructure protection.&amp;nbsp; Legislation, executive orders and presidential directives, as well as various reports have all pontificated on the topic.&amp;nbsp; Maybe it&amp;rsquo;s time we move beyond the current policy debates to something else that can move the needle on cybersecurity.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Data breaches vs. cybersecurity:&lt;/strong&gt;&amp;nbsp; The two topics have been bifurcated in the policy debates and discussions among thought leaders. Why?&amp;nbsp; Shouldn&amp;rsquo;t they be the same?&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Weaponization and offensive actions:&lt;/strong&gt;&amp;nbsp; This may be one of the biggest disruptors of them all as we start afresh with a path forward on cyber weapons.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Post-Snowden cybersecurity:&lt;/strong&gt;&amp;nbsp; The struggle over surveillance and law enforcement processes amid technology reforms.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These areas are ones where disruption could be game-changers.&amp;nbsp; As I discuss them over the next few weeks, I welcome feedback and thoughts -- especially if you think there are other areas I missed.&lt;/p&gt;

&lt;p&gt;Stay tuned.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;(&lt;em&gt;Image via &lt;a href="http://www.shutterstock.com/pic-161824697/stock-photo-security-concept-pixelated-umbrella-icon-on-digital-background-empty-copyspace-for-card-text.html?src=RjrQpyme5HNG97kwbexb2w-1-19"&gt;Maksim Kabakou&lt;/a&gt;/&lt;a href="http://www.shutterstock.com/?cr=00&amp;amp;pl=edit-00"&gt;Shutterstock.com&lt;/a&gt;&lt;/em&gt;)&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Cybersecurity May Be Going the Way of Country Music</title><link>https://www.nextgov.com/cybersecurity/2014/04/cybersecurity-may-be-going-way-country-music/83335/</link><description>And many of us are starting to do the equivalent of changing the dial.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Mon, 28 Apr 2014 16:35:33 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2014/04/cybersecurity-may-be-going-way-country-music/83335/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Late last year&amp;nbsp;&lt;em&gt;Entertainment Weekly&amp;nbsp;&lt;/em&gt;writer Grady Smith compiled the &lt;a href="http://www.youtube.com/watch?v=WySgNm8qH-I"&gt;YouTube video&lt;/a&gt; &lt;em&gt;Why Country Music Was Awful in 2013&lt;/em&gt;, explaining &amp;ldquo;so much of what&amp;#39;s on the radio these days sounds exactly the same!&amp;rdquo;&amp;nbsp; I&amp;rsquo;m an old school country music fan (my husband likes to say I&amp;rsquo;m so old school I listen to both country and &amp;ldquo;western&amp;rdquo; music) so when I saw that video, it confirmed my thoughts on a lot of today&amp;rsquo;s music.&lt;/p&gt;
&lt;p&gt;
	So what does that have to do with cybersecurity, you ask?&amp;nbsp; Well, in recent months, I&amp;rsquo;ve noticed that cybersecurity may be going the way of country music, where we are overloaded with the same message over and over again from more and more sources. Publications are dedicating entire sections and subscriptions to cybersecurity threats (aka Armageddon scenarios).&amp;nbsp;Companies are creating cybersecurity units and divisions in hopes of jumping on the $$$ created by cybersecurity threats and fears. If turning on the radio last year told me that every good country boy needs a truck, a dirt road, a drink and a gal in short shorts, opening up my browser to the news tells me that cybersecurity failures are stressful, scary, and probably my (and every other American&amp;rsquo;s) fault.&amp;nbsp; Here are just a few that popped up in the last week in my inbox:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		Cybersecurity Is a Puzzle&amp;mdash;Where Does Your Piece Fit?&lt;/li&gt;
	&lt;li&gt;
		Why Obama needs to take on cybersecurity like Kennedy took on the&amp;nbsp;moon&lt;/li&gt;
	&lt;li&gt;
		New cyber-threats that go bump in the night&lt;/li&gt;
	&lt;li&gt;
		&lt;a href="http://www.investmentnews.com/article/20140425/FREE/140429933" target="_blank"&gt;Cybersecurit&lt;em&gt;y&lt;/em&gt;&amp;nbsp;landscape gets rocky in 2014&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		&lt;a href="http://healthitsecurity.com/2014/04/25/cybersecurity-hackers-target-boston-childrens-hospital/" target="_blank"&gt;Cybersecurity&amp;nbsp;hackers target Boston Children&amp;#39;s Hospital&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		&lt;a href="http://www.investmentu.com/article/detail/36597/power-grid-easy-to-cripple-america" target="_blank"&gt;It&amp;#39;s Easier Than You Think to Cripple America&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		&lt;a href="http://www.vox.com/2014/4/14/5604992/us-power-grid-vulnerability" target="_blank"&gt;It&amp;#39;s way too easy to cause a massive blackout in the US&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;
		Hackers Could Turn Out Your Lights&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	Two headlines that I did not include above perhaps best capture how we all probably feel about cyber these days: &amp;ldquo;Cybersecurity and stress&amp;rdquo; and &amp;ldquo;I have cybersecurity overload.&amp;rdquo;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	What does this mean?&amp;nbsp; On the one hand, it means more people recognize the potential of cyber threats and the need to prepare for them. &amp;nbsp;On the other hand, it also means that more people will become de-sensitized to cyber as the message they continue to hear is being repeated over and over again:&amp;nbsp; &amp;ldquo;Cyber threats are bad and unavoidable.&amp;rdquo;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	How do we avoid the latter? I&amp;rsquo;m not really sure.&amp;nbsp;We could look at how America became desensitized to the threat of nuclear war over the years and find lessons learned, but that is not a perfect example as the nuclear threat did not involve our everyday activities.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Unlike our ability to turn off the country radio station and create our own mix of music on iTunes or Pandora, we can&amp;rsquo;t really turn off our awareness of cybersecurity threats.&amp;nbsp;Maybe it is more like traffic and the weather -- it is what it is and we can just take it as it comes.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Internet of Things Means More Things to Hack</title><link>https://www.nextgov.com/cybersecurity/2014/03/internet-things-whole-new-world-cyber-vulnerability/80593/</link><description>It's great that more everyday items have online capabilities, but it's also a whole new world of cyber vulnerability.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 14 Mar 2014 16:34:03 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2014/03/internet-things-whole-new-world-cyber-vulnerability/80593/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	People often ask me if I &amp;ldquo;stay off the grid&amp;rdquo; by refusing to participate in online shopping and banking and express surprise when I tell them I don&amp;#39;t bother. &amp;ldquo;Doesn&amp;rsquo;t it scare you?&amp;rdquo; they ask. &amp;ldquo;Aren&amp;rsquo;t you worried your information will be compromised?&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	Yes and yes, but staying away from the Internet isn&amp;#39;t much of an option. Plus, as the recent retail store credit card debacles have demonstrated, bad things can happen to shoppers no matter if they are online or physically in a store.&lt;/p&gt;
&lt;p&gt;
	What scares me more than someone stealing my information as I shop on Zulily or Amazon is how quiet the drumbeat has been on securing the broader &lt;em&gt;Internet of things&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;
	In the past month we learned that hackers broke into the Target financial systems via an HVAC system. While the complete details are unknown, it is believed that a phishing attack using malware at an HVAC subcontractor allowed hackers to gain network credentials to reach Target&amp;rsquo;s financial systems.&lt;/p&gt;
&lt;p&gt;
	As more of the items we use every day get online capabilities, our lives and the Internet of things are increasingly interconnected.&amp;nbsp; From my desk, I can control the temperature of my house, look at my wrist and determine that I need to get up and walk, check my fitness app to see that my cousin in Texas is now ahead of me in total steps for the week, and open and close the windows of my networked car.&amp;nbsp; &amp;nbsp;From my phone, I can control my TV, my front door, my security system and the baby monitor.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Yet despite the connectivity, we are not seeing a massive amount of discussion about the Internet of things and cybersecurity. Yes, there are a handful of experts speaking about it &amp;ndash; my friend and former colleague Jeff Greene at Symantec is one of them and does &lt;a href="https://www.rebootcommunications.com/wp-content/uploads/2014/02/Greene_Jeff.pdf"&gt;an amazing job of explaining&lt;/a&gt; the issue. The few, like Jeff, who are speaking up, however, are not enough to push for the security of the Internet of things to become mainstream and the norm, not an afterthought or aftermarket add-on.&lt;/p&gt;
&lt;p&gt;
	The concerns with Internet-of-things security are two-fold. The first is the ability to hack in and control aspects of our lives &amp;ndash; open my front door, turn the heat up at my house or disable my security system.&amp;nbsp; The second is the vulnerability and theft of the data collected as part of the Internet of things movement to make our lives easier and more interesting.&amp;nbsp; Forget pictures of your kids, what cat video you shared with your friends and where you&amp;rsquo;ve &amp;lsquo;checked in&amp;rsquo; &amp;ndash; Internet-of-things data includes information on a user&amp;rsquo;s location, your activity level, your BMI/weight, how fast you run, when you arrive at and leave home and countless other tidbits.&lt;/p&gt;
&lt;p&gt;
	If you are concerned about Target&amp;#39;s HVAC weakness, imagine a scenario where every personal aspect of your life is only as secure as the mobile devices of the friends you share with.&lt;/p&gt;
&lt;p&gt;
	There is no question that the Internet of things is the future, and for those of us enamored by tech &amp;ndash; that is awesome.&amp;nbsp; We can only hope that a culture of security becomes a critical and common element in the Internet of things world.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Data Breach Epidemic: Why Are We Blaming the Victims?</title><link>https://www.nextgov.com/cybersecurity/2014/01/data-breach-epidemic-why-are-we-blaming-victims/77795/</link><description>The question going forward is what is the proper standard for protecting data, especially without the existence of universal technical, operational, and policy standards?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 29 Jan 2014 11:36:01 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2014/01/data-breach-epidemic-why-are-we-blaming-victims/77795/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	This week, the Michaels craft store chain became the fourth retailer to step forward and say that hackers had breached its computer systems and may have obtained customer information.&amp;nbsp; The announcement followed those of Target, Neiman Marcus and Easton-Bell Sports, all of whose systems have been compromised in the last two months. The Easton-Bell breach was slightly different from the others in that its online, not physical, store was compromised.&lt;/p&gt;
&lt;p&gt;
	As I&amp;rsquo;ve been reading the news coverage of the latest attack, I have a gnawing feeling that we are doing something wrong in how we treat data breaches and the companies affected.&amp;nbsp;In at least two of the cases above -- Target and Michaels -- class action lawsuits have been filed against the retailers.&amp;nbsp;Congress has called for hearings and some lawmakers have sent the companies letters and other inquiries asking for more details about their security practices.&amp;nbsp;One Senator has requested the Consumer Financial Protection Bureau investigate credit card hacking while another has asked the Federal Trade Commission to examine at least one of the company&amp;rsquo;s data security policies and practices.&amp;nbsp;All of these actions make me wonder how we have evolved into blaming the victim whose systems have been compromised.&amp;nbsp;Yes, the consumer is also a victim. But short of a significant failure to practice cybersecurity norms or misrepresenting what efforts exist, is it healthy for us to fall into blaming the companies rather than focusing on those who are perpetrating the criminal acts?&lt;/p&gt;
&lt;p&gt;
	I recognize that the companies affected by the hacks have a duty of care -- both to their customers and to their stakeholders (if they are public).&amp;nbsp;For the lawyers out there, I&amp;rsquo;m well-aware of the case law in this area, including the First Circuit case&amp;nbsp;&lt;em&gt;Anderson v. Hannaford Brothers Co.&lt;/em&gt;, where a grocery store whose systems had been hacked was found to potentially be liable for the costs incurred by customers to protect them from a breach.&amp;nbsp;Despite all this, I worry that we are establishing an impossible situation, especially in an environment where systems throughout the government and commercial space are regularly hacked by criminal organizations and foreign interests.&amp;nbsp;How do we balance the convenience customers demand with the security measures really required to lock down systems?&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Over the last week, much has been discussed about how point-of-sale attacks could have been avoided if we moved away from outdated magnetic stripe credit and debit cards to chip-based smart cards.&amp;nbsp;That change would solve some problems but would also require a significant investment to change the readers and systems currently in place. It may be that the attacks push us to make that change, but doing so is much bigger than one retailer.&lt;/p&gt;
&lt;p&gt;
	The question going forward is what is the proper standard for protecting data, especially without the existence of universal technical, operational, and policy standards?&amp;nbsp;In the lawsuit against Target, the plaintiffs allege that Target&amp;rsquo;s failure to act on a white paper outlining point-of-sale attacks by a security expert should suffice for showing that Target dropped the ball.&amp;nbsp;Will the standard really be that a victim&amp;rsquo;s failure to act on every research paper explaining vulnerabilities will open it up to attack?&lt;/p&gt;
&lt;p&gt;
	I am not suggesting that the specific retailers affected by the latest attacks were right or wrong in the security measures they used, especially as there is conflicting information on what they may or may not have had in place. I do think, though, if we are truly to develop a culture of security then all stakeholders must work together and recognize that when hackers attack an element of our society in such a systematic manner, we need to take a more holistic approach to&amp;nbsp;protecting our networks.&lt;/p&gt;
&lt;p&gt;
	(&lt;em&gt;Image via &lt;a href="http://www.shutterstock.com/gallery-935074p1.html?cr=00&amp;pl=edit-00"&gt;ValeStock&lt;/a&gt; / &lt;a href="http://www.shutterstock.com/?cr=00&amp;pl=edit-00"&gt;Shutterstock.com&lt;/a&gt;&lt;/em&gt;)&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Adobe Breach This Week Should Get Your Attention</title><link>https://www.nextgov.com/cybersecurity/2013/10/adobe-breach-week-should-get-your-attention/71326/</link><description>The software company's revelation was barely noted in a day crowded with shutdown politics.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 04 Oct 2013 08:14:19 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/10/adobe-breach-week-should-get-your-attention/71326/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Yesterday, software company Adobe &lt;a href="http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html"&gt;announced that hackers had penetrated its network&lt;/a&gt;, compromising the information of some 2.9 million customers as well as the source code of numerous Adobe products.&amp;nbsp;&amp;nbsp;&lt;br /&gt;
	&lt;br /&gt;
	Adobe&amp;#39;s revelation was barely noted in a day crowded with news about the government shutdown and Capitol shooting. Unlike past data breaches that have garnered significant attention, Adobe&amp;#39;s announcement seemed to register with few people.&lt;br /&gt;
	&lt;br /&gt;
	The lack of attention to a significant attack begs the question: Is cybersecurity seeing its ebbtide?&amp;nbsp;&lt;br /&gt;
	&lt;br /&gt;
	Comprehensive cybersecurity legislation from Congress is all but dead this year. Any chance of passage was largely deflated by Snowden&amp;#39;s revelations, which turned attention away from protecting networks from intruders to protecting information from the government.&lt;br /&gt;
	&lt;br /&gt;
	The Obama Administration&amp;#39;s efforts to implement its &lt;a href="http://www.nextgov.com/cybersecurity/2013/02/obamas-cyber-executive-order-lays-foundation-mandatory-regulations/61267/"&gt;executive order on cybersecurity&lt;/a&gt; continue to progress, with NIST&amp;#39;s cybersecurity framework due out in the coming weeks. But the government shutdown has effectively halted the project and, even once it is completed, there does not appear to be overwhelming enthusiasm surrounding its release.&lt;br /&gt;
	&lt;br /&gt;
	Agencies&amp;rsquo; cybersecurity programs are puttering along, though some advancements have fallen victim to the fiscal fights and slowdowns affecting Washington.&lt;br /&gt;
	&lt;br /&gt;
	Outside of government, it feels as if companies aren&amp;#39;t talking as much about cybersecurity and that groups like Anonymous are not gaining the headlines they did a year ago.&lt;br /&gt;
	&lt;br /&gt;
	While the past two to three years have been frantic on the cyber front, it would appear that the trend we&amp;rsquo;ve seen in the past -- a flurry of intense activity followed by a lull -- may be occurring now.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;br /&gt;
	&lt;br /&gt;
	What does this mean for cybersecurity? How long before the tide rises and cybersecurity is again front and center?&amp;nbsp;Unclear.&amp;nbsp;For those who have been around cybersecurity policy for a while, it is not surprising and we&amp;#39;ve seen this before.&amp;nbsp;We can only wonder how long before it makes a comeback as a priority issue, and when it does, whether vulnerabilities can actually be addressed.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Fallout from Snowden Leak Should Be Greater Transparency </title><link>https://www.nextgov.com/cybersecurity/2013/07/fallout-snowden-leak-should-be-greater-transparency/67040/</link><description>We must find a way to protect privacy and promote our innovation economy beyond our borders.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Thu, 18 Jul 2013 17:38:27 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/07/fallout-snowden-leak-should-be-greater-transparency/67040/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	As the debacle over Edward Snowden&amp;rsquo;s leak of information about alleged NSA surveillance continues to unfold, numerous cybersecurity lessons have been learned and threats revealed.&amp;nbsp;The most obvious lesson, of course, is that the biggest threat to networks and systems, whether they belong to the government or the private sector, comes from inside organizations.&amp;nbsp;Snowden&amp;rsquo;s revelations have potentially caused more harm than any breaches by foreign nations such as China or Russia.&lt;/p&gt;
&lt;p&gt;
	A less obvious lesson is one that has been playing out this week: How do we ensure that the private sector&amp;rsquo;s efforts to contribute to national security are robust yet reasonable?&amp;nbsp;We know that those who would steal our information or intellectual property or spy on us are using technology and the Internet to do so. Why wouldn&amp;rsquo;t they?&amp;nbsp;Our society is dependent on bits and bytes, whether on the Internet, on mobile, or in the cloud.&amp;nbsp;At the same time, communicating globally has become easier with emerging technologies.&amp;nbsp;Given this, the U.S. government must use the best technology to counter the threats.&lt;/p&gt;
&lt;p&gt;
	But the information the government needs to review often sits with third-party companies whose business models are based on a level of perceived trust with their customers regarding how their information is protected or shared.&amp;nbsp;While sophisticated users may recognize that little we do online is truly private, we still expect that the companies we work with do what they can to protect our privacy and security.&amp;nbsp;Unfortunately, consumers have too little understanding of the evolving nature of government-private sector cooperation.&lt;/p&gt;
&lt;p&gt;
	This battlefield on the intelligence and national security front requires the U.S. government to adjust its way of interacting with companies.&amp;nbsp;It requires agencies to adjust their expectations of companies, as well as what they allow companies to reveal to their users.&amp;nbsp;Transparency must be at the center of any public-private cooperation, partnership, or interaction.&lt;/p&gt;
&lt;p&gt;
	This morning, 50 technology companies and civil liberties groups sent a &lt;a href="https://www.documentcloud.org/documents/728793-transparency-letter-from-tech-companies-to-nsa.html"&gt;letter&lt;/a&gt; to the Obama Administration and Congress urging the government to expand the amount and type of information companies may report publicly about what they are and are not doing to cooperate with surveillance requests.&amp;nbsp;Specifically, the group requested that they be allowed to report on:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		The number of requests for information about their users under FISA, the Patriot Act, and in compliance with National Security Letters, and&lt;/li&gt;
	&lt;li&gt;
		The number of requests that sought content, subscriber information and related information.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	The group also requested that the government issue its own transparency report letting the public know how many requests were made for what type of data and how many people were impacted.&amp;nbsp;As noted in the letter, the government already does some type of similar reporting for criminal law enforcement investigations, so it only makes sense to do the same for national security investigations.&amp;nbsp;In addition to the letter sent today, Reps. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.) sent a &lt;a href="http://lofgren.house.gov/images/stories/pdf/letter%20from%20lofgren%20%20sensenbrenner%20to%20doj%20%20odni%20re%20company%20fisa%20reporting%20071713.pdf"&gt;letter&lt;/a&gt; earlier this week asking the FBI and DNI to give tech companies permission to disclose the number of requests they receive from the government.&lt;/p&gt;
&lt;p&gt;
	The requests make sense and are good for our nation&amp;rsquo;s cybersecurity efforts.&amp;nbsp;For one, the letter supports what has been a &lt;a href="http://www.state.gov/secretary/%20rm/2011/05/163523.htm"&gt;fundamental principle&lt;/a&gt; of&amp;nbsp;U.S. cybersecurity efforts:&amp;nbsp;developing &amp;ldquo;interoperable, secure and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	As discussed in the Administration&amp;rsquo;s May 2011 International Strategy to Secure Cyberspace, openness and innovation in Internet governance and international freedom are key to our cybersecurity efforts.&amp;nbsp;This view contrasts with the views of other nations that have promoted cultural and Internet sovereignty within their borders over Internet liberty.&amp;nbsp;Being transparent about how the government is interacting with those who are providing the products and services underlying the Internet, mobile applications, and the cloud is not only consistent with but critical to U.S. efforts to formulate a global vision of cybersecurity based on liberty and innovation.&lt;/p&gt;
&lt;p&gt;
	In addition to promoting U.S. values, transparency will help mitigate a potentially significant amount of harm caused by Snowden&amp;rsquo;s irresponsible and seemingly self-promoting revelations. The leakage of bits and pieces of slides and documents does not give anyone a full picture of what is really happening.&amp;nbsp;As anyone who has seen a PowerPoint presentation can attest, context is everything in understanding what words on a slide mean.&amp;nbsp;Unfortunately, the information leaked has placed tech companies in the awkward position of defending actions (or non-actions) they cannot speak of because of the classified nature of the subject -- not only to their U.S. users but to users globally.&amp;nbsp;Allowing companies to be transparent about basic aggregate information they are sharing under legal processes would help ensure that those companies can continue to compete effectively in the global economy.&lt;/p&gt;
&lt;p&gt;
	We can expect continued scrutiny on domestic surveillance efforts over the next few months. The real policy issue should not be whether a spy agency should conduct surveillance, but rather how we ensure that the proper safeguards are in place to protect the Constitutional rights of our citizens and promote our nation&amp;rsquo;s innovation economy beyond our borders.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Five Critical Cyber Questions for the Next DHS Chief</title><link>https://www.nextgov.com/cybersecurity/2013/07/five-critical-cyber-questions-next-dhs-chief/66584/</link><description>Napolitano steps down from Homeland Security as threats are growing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 12 Jul 2013 15:46:51 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/07/five-critical-cyber-questions-next-dhs-chief/66584/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Homeland Security Secretary Janet Napolitano&amp;#39;s announcement today that she plans to leave the department raises interesting questions for what is next for the government&amp;#39;s cybersecurity efforts. She, along with recently departed Deputy Secretary Jane Hall Lute, dedicated a significant amount of resources and time to making cybersecurity a priority for DHS.&lt;br /&gt;
	&lt;br /&gt;
	This effort, which began under her predecessor Michael Chertoff, showed DHS moving from its toddler years in cyber to its teenage years -- maturing, but at times a bit awkward and still trying to find its place with Congress and the private sector. As with many teenagers, DHS has spent time showing others that it has grown up and should be treated like the other adults on cyber.&lt;br /&gt;
	&lt;br /&gt;
	With the NSA&amp;#39;s cybersecurity efforts potentially in limbo with the Snowden revelations -- especially as more comes to light -- DHS is in a position to be the agency that truly leads on cybersecurity. This comes at a time when threats, both national and economic, are growing and the issue is at the forefront of our national and international conversations.&lt;br /&gt;
	&lt;br /&gt;
	So what should the next candidate for Secretary be considering?&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		&lt;strong&gt;China.&lt;/strong&gt; What role does DHS have in international efforts to combat cyberthreats from China that are affecting our domestic systems? Does this role change if the threat is mostly on the economic side (e.g. cyber espionage and IP theft) rather than national security, i.e. critical infrastructure? What about the department&amp;#39;s role in looking at supply chain threats and foreign investment issues in U.S. cyber assets?&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Beyond critical infrastructure protection.&lt;/strong&gt; What role does DHS have in helping the increasing number of businesses and companies impacted by cyber attacks? We know about the debates over voluntary standards for critical infrastructure, but what about everyone else?&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Privacy and surveillance.&lt;/strong&gt; Not just Edward Snowden, but increased information sharing. In discussions regarding government privacy, the focus has been on Justice and the intelligence agencies. Will attention now focus more on DHS?&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;The future.&lt;/strong&gt; Mobile, cloud and emerging technologies are changing how people use technology and creating new cybersecurity challenges. Is DHS in front of these changes or focused on nuts-and-bolts critical infrastructure protection?&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Big data.&lt;/strong&gt; The sheer volume of information that can be gathered on individuals is staggering and growing. What is DHS doing to address new challenges in this area?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	Whoever takes over at DHS will face daunting cyber challenges and big shoes to fill, given the progress Secretary Napolitano has made over the last four years.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Gaming-Cyber Nexus Feds Should Explore</title><link>https://www.nextgov.com/cybersecurity/2013/06/gaming-cyber-nexus-feds-should-explore/64781/</link><description>To improve cybersecurity, look to the gaming community.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 12 Jun 2013 16:09:26 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/06/gaming-cyber-nexus-feds-should-explore/64781/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Walking around E3, the annual video game conference and show being held this week in Los Angeles, is an experience. Innovation at its best is on display throughout the LA Convention Center through Thursday. As a gamer, I was thrilled to be at the show and see the new consoles and games coming out in the near future.&lt;br /&gt;
	&lt;br /&gt;
	While at the show this week, I was able to attend the Fourth Annual Games and Learning Roundtable, which explored a number of initiatives engaging youth and others to pursue STEM fields and become inventors and designers. Those looking to improve our cybersecurity posture would do well to look at ways to better integrate their efforts with those in the gaming world.&lt;br /&gt;
	&lt;br /&gt;
	While some work has been done in this area over the years, including games relating to cyber ethics and online safety, so much more can be done. Gamers are natural recruits to be the cybersecurity workers of the future.&lt;br /&gt;
	&lt;br /&gt;
	At the same time, the gaming industry&amp;#39;s efforts to promote STEM and use games to encourage kids to pursue science benefit our cyber efforts. Some may become game developers and designers, which requires attention to cybersecurity, especially as today&amp;#39;s games go online and are integrated with other technologies. Others may become non-game software developers, engineers, and even rocket scientists.&lt;br /&gt;
	&lt;br /&gt;
	As the private sector and the government continue their efforts to create secure technologies and a strong cyber workforce, let&amp;#39;s hope they learn from E3 and the gaming world: Technology can be fun.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Cyber Recruiting, Country Music Style </title><link>https://www.nextgov.com/cybersecurity/2013/05/cyber-recruiting-country-music-style/63434/</link><description>Our cybersecurity blogger takes a new approach to attracting top talent to the field.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 22 May 2013 17:22:24 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/05/cyber-recruiting-country-music-style/63434/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	The need for skilled cybersecurity experts continues to be a priority for the U.S. government, the private sector and academia.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Since the need for a skilled workforce has been stressed in traditional and non-traditional methods and publications in almost every way possible &amp;ndash; except maybe in song &amp;ndash; I thought I would make the case in a country song. With apologies to Willie Nelson:&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;Mamas please let your babies grow up to be hackers&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Please let &amp;lsquo;em write source code and fix their tablets&lt;/em&gt;&lt;br /&gt;
	&lt;br /&gt;
	&lt;em&gt;Make &amp;lsquo;em be geeky and nerdy and such&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Mamas please let your babies grow up to be hackers&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;To keep China out of our systems&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;And the networks we love&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;Hackers aren&amp;rsquo;t easy to find and they&amp;rsquo;re harder to hold&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;And these days they are worth more than diamonds or gold&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Access Control Lists and Auditing Risks await skilled folks each day&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;And most just don&amp;#39;t understand code unless they are young&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;So info is stolen away&lt;/em&gt;&lt;br /&gt;
	&lt;br /&gt;
	&lt;em&gt;Hackers like Austin, Denver, and Silicon Valley mornings&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Little warm cookies and jobs that let them work through the night&lt;/em&gt;&lt;br /&gt;
	&lt;br /&gt;
	&lt;em&gt;And there are those that don&amp;rsquo;t know they need &amp;lsquo;em&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;And then those that do know don&amp;rsquo;t know how to get &amp;lsquo;em&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;The world is just so different&lt;br /&gt;
	And just needs more nerds that can keep our computers all right&lt;/em&gt;&lt;br /&gt;
	&lt;br /&gt;
	&lt;em&gt;Mamas please let your babies grow up to be hackers&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Please let &amp;lsquo;em write source code and fix their tablets&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Make &amp;lsquo;em be geeky and nerdy and such&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;Mamas please let your babies grow up to be hackers&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;To keep China out of our systems&lt;/em&gt;&lt;br /&gt;
	&lt;em&gt;And networks we love&lt;/em&gt;&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Lute: 'We Cannot Run Cyber Like an Intelligence Program' </title><link>https://www.nextgov.com/cybersecurity/2013/05/lute-we-cannot-run-cyber-intelligence-program/62950/</link><description>On the eve of her departure, DHS Deputy Secretary Jane Holl Lute Reflects on an eventful tenure.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 03 May 2013 01:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/05/lute-we-cannot-run-cyber-intelligence-program/62950/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	&lt;em&gt;Today, the Department of Homeland Security loses one of its top voices as Deputy Secretary Jane Holl Lute departs the agency after four years. In addition to her experience in homeland security, Lute has a long history of public service in national security and diplomacy. I had the opportunity to sit down with her this week for a Q&amp;amp;A to discuss her time at DHS and what the agency&amp;rsquo;s future might hold.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;
	&lt;em&gt;&lt;strong&gt;JHF: What do you see as the three most significant accomplishments during your four years there?&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;
	I think the first and foremost accomplishment is answering the question of whether this country can protect itself. The answer is yes. We can pool our strengths and we can be successful in protecting ourselves. It is clear that the government cannot do all that needs doing here. State and local governments and even the public must be brought in to help reach the common goal.&lt;/p&gt;
&lt;p&gt;
	We cannot be complacent. The deterioration of Al Qaeda has not ended the objectives of those who want to do harm to the United States and our citizens. We have made an investment in this country, in the state and local government partnerships, as well as with the private sector, to be able to respond rapidly and effectively. This is the most significant accomplishment.&lt;/p&gt;
&lt;p&gt;
	A second accomplishment is that we put on the map the importance of cybersecurity to our national and economic security. There was not much of a national dialogue four years ago. It was not clear what role the federal government would play. We have learned that we must improve cybersecurity by working together with our partners across government and with the private sector to build the world&amp;#39;s most secure cyber economy. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	A third significant accomplishment is what I would call the plumbing and wiring of the department. In less than 10 years, we achieved a qualified audit opinion. We have created administrative and operational systems more responsive and efficient than ever for dealing with all kinds of disasters. We continue to improve on individual preparedness, community resilience and the preparedness and capability of the entire homeland security enterprise.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: One of the issues that has emerged as we get farther away from 9/11 is how do we balance the need for people to be aware of potential terrorism without having fear fatigue or getting them overly complacent?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	I am a New Yorker. That&amp;rsquo;s a city with a grip on itself from a security standpoint, and it is as exciting and vibrant as it ever has been. Buses, subways, taxis -- everywhere are the signs: &amp;ldquo;If You See Something, Say Something.&amp;rdquo; We have taken a page out of that book and rolled it out nationwide. We have said to the public: If something looks suspicious, report it to the local authorities. We have taken the lessons of 9/11 and built a security framework where Americans take and understand that homeland security is a shared responsibility. America can protect itself and we must do it together.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: Does the move away from Al Qaeda and organized terrorist groups to lone wolves change the dynamics?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	State and local law enforcement has always known about the threat of lone wolves and the potential harm they can inflict. We continue to build on what we know. Police departments are more prepared and capable of responding. We have learned from past experiences and how to respond as effectively as possible. We also know it is unwise to generalize about a particular ethnicity or religious group based on the actions of a few. We will continue to work rapidly and responsively to recognize the signs of lone wolf actors. We also need to break barriers that isolate communities. And we must all stay vigilant.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: One of the first things that the Department undertook under this Administration was the first ever Quadrennial Homeland Security Review. What were the lessons learned there? What do you think the agency should be focusing on as it turns to the next QHSR which is due out in the next year?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	The first QHSR answered the questions: What is Homeland Security? What do we do?&amp;nbsp; The upcoming QHSR will answer the question: How will we do it?&amp;nbsp; How will we ensure Homeland Security while protecting civil rights, civil liberties and individual privacy?&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: Turning to cybersecurity, there is a lot of discussion on how do we talk about it. Is it national security? Is it law enforcement? Is it preparedness? Is it the private sector&amp;rsquo;s responsibility?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	At the heart of cybersecurity is the reliability and integrity of your personal identity and your information -- are you who you say you are? How do we keep someone from profiting from your identity in cyberspace? The Internet is an extraordinary innovation for humanity in and of itself, and at its core cyberspace is a public space -- civilian space. It is growing organically and instantaneously. We must have norms in cyberspace. We need to understand what property means in cyberspace. What is the role of government?&lt;/p&gt;
&lt;p&gt;
	It is interesting to me that generally speaking, security is an assignment that society gives to government. We expect government runs the police and makes law; government runs the military and makes treaties. Cybersecurity, however, has not been given to the government as a primary responsibility. It is still open, accessible, and what security exists is largely maintained by the public and the private sector. Again, the key to securing cyberspace is securing people&amp;rsquo;s identities and information and that will mean identifying roles and responsibilities for individual hardware manufacturers, software developers, internet service providers, governments, international partners, and others.&lt;/p&gt;
&lt;p&gt;
	We will not be able to run the cybersecurity of the nation exclusively like an intelligence program. Is there a role for the intelligence community? Yes, but it is not the leading role. Is there a role for law enforcement? Yes, in that law enforcement must bring law to bear when crimes happen in cyberspace. We must manage cybersecurity as a civilian responsibility -- one that recognizes the need to bring reliability and integrity to identity and information protection.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: So, comparing it to the physical world, do we bring brick and mortar norms and laws into cyberspace? Or do we need a new way of dealing with the issue?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	The Administration has made it a priority to narrate what we believe are fundamental norms in cyberspace -- freedom of access, privacy, an open Internet, reliability, trustworthiness, and safety. Globally, we have norms against criminal behavior that the majority of societies can agree with. We need to enforce those laws in cyberspace.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: So what do you see as the biggest threat to us in cyberspace?&amp;nbsp; &lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	Existing unpatched vulnerabilities.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: Do you feel that cybersecurity is more of a priority for non-critical infrastructure and tech companies, e.g. the rest of the Fortune 500, than it has been in the past?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	Yes, cybersecurity is so interesting in that we all have responsibility for it. We all have to be attentive and collaborative on security so that we are all more secure. All critical infrastructure owners and operators, Fortune 500 CEOs, and even owners of small companies and individuals must -- and are -- paying attention to cyberspace. Every business connects to cyberspace. They manage business systems, employee communications, customer records and more. So every business has a responsibility to safeguard systems and prevent unauthorized use.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: As more commercial sites are getting hacked -- beyond critical infrastructures -- has DHS seen its role change at all?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	When we did the first QHSR four years ago, we listed five missions that are critical to our homeland security:&amp;nbsp; preventing terrorism, securing our borders, administering and enforcing our immigration laws, building national resilience, and we called out the need to ensure the nation&amp;rsquo;s cybersecurity as an important part of the value proposition we call homeland security. Cybersecurity is a national mission and is part of the federal government&amp;rsquo;s responsibility, because, in many ways, cyberspace is the endoskeleton of modern life.&lt;/p&gt;
&lt;p&gt;
	The government doesn&amp;rsquo;t have all the expertise or information to do it alone. We must make use of the information and tools we have. We must work to help educate the public, engage the private sector and partner in the larger international community in all the issues that fall under the word cybersecurity.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: As part of the President&amp;rsquo;s Executive Order, the Department has put together Working Groups to deal with various cybersecurity issues. At the same time, NIST has issued RFIs and is holding workshops to gather information. How are the two processes working together?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	They are interacting at many levels. DHS is charged with supporting NIST in the development of cybersecurity standards and private sector outreach. And in this respect, the Administration has taken a pragmatic approach to cybersecurity. It is not a theoretical question or simply a paper exercise. The standards will reflect what we -- at every level -- will have to do to enhance our nation&amp;rsquo;s cybersecurity and protect our critical infrastructure.&lt;/p&gt;
&lt;p&gt;
	&lt;strong&gt;&lt;em&gt;JHF: Any additional thoughts on the path forward for homeland security and DHS?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
	I get asked questions about the relative youthfulness of the Department and its status as a new agency. Enough with the new. DHS is 10 years old. It has learned and matured an enormous amount in the last 10 years. I&amp;rsquo;m also often asked to compare national and homeland security. As someone who spent a career in national security, I can say it is different.&lt;/p&gt;
&lt;p&gt;
	National security is strategic, centralized, top-driven. Homeland security is transactional, decentralized and bottom-driven -- driven by the needs of the public and of state and local municipalities.&lt;/p&gt;
&lt;p&gt;
	So when you think of the Internet and of cybersecurity, it is not strategic, centralized or top-driven. It is transactional, decentralized and driven by the billions of transactions that happen in cyberspace every day. It is a lot like Homeland Security. For me, it has been an extraordinary learning experience and a privilege to serve at DHS.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Internet Equivalent of Yelling Fire in a Crowded Theater</title><link>https://www.nextgov.com/ideas/2013/04/internet-equivalent-yelling-fire-crowded-theater/62805/</link><description>The law is murky on how to treat hackers who spread false information with potentially catastrophic consequences.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 26 Apr 2013 07:40:34 -0400</pubDate><guid>https://www.nextgov.com/ideas/2013/04/internet-equivalent-yelling-fire-crowded-theater/62805/</guid><category>Ideas</category><content:encoded>&lt;![CDATA[&lt;p&gt;
&lt;/p&gt;
&lt;blockquote&gt;
	&lt;p&gt;
		&amp;quot;The most stringent protection of free speech would not protect a man falsely shouting fire in a theater and causing a panic . . . The question in every case is whether the words used are used in such circumstances and are of such a nature as to create a clear and present danger that they will bring about the substantive evils that Congress has a right to prevent.&amp;quot;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;
	Justice Oliver Wendell Holmes, Jr. wrote that familiar analogy in the Supreme Court case &lt;em&gt;Schenck v. United States&lt;/em&gt;. The underlying premise of &lt;em&gt;Schenck&lt;/em&gt; limiting the First Amendment was later narrowed in &lt;em&gt;Brandenburg v. Ohio&lt;/em&gt; in 1969 to prohibit only speech that could cause imminent lawless action.&lt;/p&gt;
&lt;p&gt;
	Earlier this week, after the Associated Press&amp;#39;s Twitter account was hacked to broadcast the message &amp;ldquo;Two Explosions in the White House and Barack Obama is injured,&amp;rdquo; the stock market fell as the false news rapidly spread. While the markets quickly recovered when the truth was revealed, the incident raises an interesting question: How should we treat the Internet equivalent of falsely yelling fire in a crowded theater in the hacking realm?&lt;/p&gt;
&lt;p&gt;
	While law enforcement is certainly investigating the breach, depending on the nature of the hack, the perpetrators could potentially be prosecuted under the Computer Fraud and Abuse Act.&amp;nbsp;But spreading misinformation through hacking in and of itself is not a crime.&amp;nbsp;While the CFAA does make it a crime to intentionally access a computer and cause damage or loss,&amp;nbsp;it&amp;rsquo;s not clear that causing cascading events equivalent to a riot would be covered.&lt;/p&gt;
&lt;p&gt;
	While the AP Twitter fiasco may not be the best example, what if hackers distributed information during a disaster or attack that caused widespread havoc? Should the law criminalize non-military information warfare resulting from hacking? Is it even possible to codify the law in such a way that it would survive a legal challenge?&lt;/p&gt;
&lt;p&gt;
	For now, existing laws will have to suffice, even as Congress attempts to revise the CFAA to make it stronger, as Rep. Bob Goodlatte, R-Va., and others have advocated, or narrower to avoid potentially questionable prosecutions, as Rep. Zoe Lofgren, D-Calif., has called for.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>It’s Cyber Reform All Over Again</title><link>https://www.nextgov.com/cybersecurity/2013/04/its-cyber-reform-all-over-again/62571/</link><description>House takes up cyber measures that didn’t make it into law last year.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Tue, 16 Apr 2013 16:50:29 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/04/its-cyber-reform-all-over-again/62571/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Remember the 1993 movie &lt;em&gt;Groundhog Day&lt;/em&gt;? Bill Murray, as meteorologist Phil, finds himself in a small town, waking up each day to find that he is reliving February 2. Stuck in an infinite time loop, the same day occurs again and again.&lt;/p&gt;
&lt;p&gt;
	Hmmm. This week is cyberweek in the House of Representatives. The controversial Cyber Intelligence Sharing and Protection Act known as CISPA is up for consideration, and the chamber on Tuesday passed a reform of FISMA, the 2002 Federal Information Security Management Act, as well as two bills out of the Science Committee dealing with workforce and R&amp;amp;D.&lt;/p&gt;
&lt;p&gt;
	On April 17, 2012 -- almost exactly a year ago -- I wrote a blog titled &lt;a href="http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/04/cybersecurity-is-coming-cybersecurity-is-coming/55345/"&gt;Cybersecurity is Coming! Cybersecurity is Coming!&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
	It is starting to feel a lot like &lt;em&gt;Groundhog Day&lt;/em&gt; in Washington. Will this year be any different than last, with separate smaller bills dealing with only some of the issues making it through the House only to get stuck in the Senate over issues relating to regulation and who should be in charge?&lt;/p&gt;
&lt;p&gt;
	The White House on Tuesday warned that CISPA still needs improvements: &amp;ldquo;If the bill, as currently crafted, were presented to the president, his senior advisors would recommend that he veto the bill,&amp;rdquo; the statement of administrative policy said.&lt;/p&gt;
&lt;p&gt;
	Still, some factors are different this year and could change cyber reform&amp;rsquo;s fate. Here are a few:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		&lt;strong&gt;Senate Leadership Changes.&lt;/strong&gt; Sens. Tom Carper, D-Del., and Tom Coburn, R-Okla., took over this year as chair and ranking member, respectively, on the Homeland Security &amp;amp; Government Affairs Committee. They have not shown their hands yet but are working on a cybersecurity bill. They would like a bipartisan product that has wide support. This changing dynamic could make them more likely to move away from the issues that tanked the bill last Congress. Or not.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;The President&amp;rsquo;s Executive Order.&lt;/strong&gt; The EO, issued in January, covers potential best practices, standards and the like for critical infrastructure, among other things. It may be just enough to give Senate leaders flexibility to not legislate on the issue that had the most opposition in the last Congress. Or it may cause opponents to want to push forward with something to counter it.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Additional House Bills.&lt;/strong&gt; In addition to the bills on the floor this week, media reports have indicated that the House Judiciary and Homeland Security Committees will have bills ready to go in the next month. These bills are seen as complements to those going this week and possibly will include cybercrime provisions, information sharing and Department of Homeland Security authorities.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;The China threat.&lt;/strong&gt; The debate is no longer about cyber 9-11s or Pearl Harbors lurking around the corner. This time around it is about the threat from China. Private sector security companies such as Mandiant have reportedly confirmed that the Chinese government is hacking into American systems and stealing information. The vulnerability of those systems -- including the possibility that systems hacked for information can also be hacked to be destroyed or damaged -- is a threat that many want to see addressed.&lt;/li&gt;
	&lt;li&gt;
		&lt;strong&gt;Privacy.&lt;/strong&gt; While privacy played a role in the debate last year, privacy groups and lawmakers concerned about the issue were not as vocal or as organized as they seem to be this year. All of the bills will be scrutinized to assure that the government is not overreaching in its efforts to protect networks and share information.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	Only time will tell if Congress can break its time loop. &amp;nbsp;The big question is &amp;ndash; if it does &amp;ndash; what will final legislation look like and will it advance the nation&amp;rsquo;s cybersecurity efforts, even as the opposition becomes more sophisticated and utilizes evolving technologies and tools?&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Make Way for the Lone Cyber Ranger and Online Vigilantism</title><link>https://www.nextgov.com/cybersecurity/2013/03/make-way-lone-cyber-ranger-and-online-vigilantism/61910/</link><description>Independent operators may soon be driven to wage their own private cyber wars.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Fri, 15 Mar 2013 16:25:10 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/03/make-way-lone-cyber-ranger-and-online-vigilantism/61910/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
	As cybersecurity continues to heat up on the Hill and within the Administration, more policymakers are asking about whether the United States should be conducting cyber offensive activities to address the increasing international threat to cybersecurity. When it was revealed earlier this month that Chinese computers are conducting sweeping attacks on not only our government systems but on our commercial systems as well, and that large amounts of intellectual property and proprietary information potentially have been stolen, many asked: Why shouldn&amp;rsquo;t we hack back?&lt;/p&gt;
&lt;p&gt;
	Some policymakers have urged taking a cautious approach to cyber offense activities, including House Intelligence Committee Chairman Mike Rogers, R-Mich., who recently said, &amp;ldquo;If you&amp;rsquo;re going to punch your neighbor in the nose, best to hit the weight room for a couple of months.&amp;rdquo;&amp;nbsp; Chairman Rogers&amp;rsquo; observation is astute. We have to be very careful when we move forward on the cyber offense side because we know that those we attack, especially nation-states, can potentially strike back and deliver their own blows.&lt;/p&gt;
&lt;p&gt;
	What worries me, however, more than potential government cyber offense activities, is the possibility that private sector entities or individuals may engage in offensive cyber operations.&amp;nbsp;Currently, much, if not all, of what we would envision as cyber offense behavior may be illegal under the Computer Fraud and Abuse Act.&amp;nbsp;Attacks against computers in other nations potentially could violate those nations&amp;rsquo; cybercrime laws and put those conducting the activities at risk for prosecution in foreign nations, as unenforceable as a prosecution or judgment might be.&lt;/p&gt;
&lt;p&gt;
	Some have argued that we should allow cyber offense and that laws should be adjusted to assure that companies and individuals are allowed to use all available tools and resources to protect their systems.&amp;nbsp;How that would work, however, is unclear.&amp;nbsp;Would we allow anyone who has had their systems compromised or attacked to strike back?&amp;nbsp;Would only certain activities be acceptable?&lt;/p&gt;
&lt;p&gt;
	The potential for cyber vigilantism could be tremendous with limitations and safeguards in place.&amp;nbsp;The old analogy of the Internet to the Wild West and being the Electronic Frontier could ring true with vigilante justice and a blurring of good-bad actors.&amp;nbsp;The potential for the wrong computers to be counter-attacked could also be significant if there were no rules about who could act. Just imagine, if any individual with more than basic computer knowledge decided to track down someone targeting his system and try to take them down, the possibility is high that an innocent bystander, whose computer may have been used as a pass-through device, would be harmed.&amp;nbsp;Think of the diplomatic nightmare if that computer was in another country or, even worse, an unfriendly country.&amp;nbsp;I also could see a modern-day version of the movie&amp;nbsp;&lt;em&gt;War Games&lt;/em&gt;&amp;nbsp;play out depending on the entities involved. Maybe this example is a bit extreme, but it makes the point &amp;ndash; we have to be careful about who and what we allow on the cyber offense side.&lt;/p&gt;
&lt;p&gt;
	What if we created a licensing/certification process for cyber offense?&amp;nbsp; Imagine the equivalent of a cyber bounty hunter or repo man. Keeping with the Wild West analogy, it would be the silver star given to the brave hero by besieged towns in countless Western films.&amp;nbsp; It is an interesting concept. Determining the licensing would be tricky. Giving every state or local jurisdiction authority to issue licenses would not work &amp;ndash; the Internet doesn&amp;rsquo;t stop at the town, county, or state line.&amp;nbsp;It could be a federal process, using the government&amp;rsquo;s authority to act in interstate commerce. It would be an interesting concept &amp;ndash; having the Department of Justice or the Department of Homeland Security oversee a cyber offense licensing program for the private sector. &amp;nbsp;But the Internet does not stop at the U.S. borders either.&amp;nbsp;Maybe we need an international organization (Interpol?) to authorize a certain number of companies to conduct cyber offense. Of course that would be beyond any structures we have seen in the past.&lt;/p&gt;
&lt;p&gt;
	It is a challenging issue but one that will inevitably have to be addressed, especially as more critical data goes online and attacks continue to grow.&amp;nbsp;We&amp;rsquo;re not likely to see the hero ride off into the sunset on a reliable horse anytime soon.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>As Cyber Events Pile Up, So Do the Stakes</title><link>https://www.nextgov.com/cybersecurity/2013/02/cyber-events-pile-so-do-stakes/61411/</link><description>Does it really matter if attacks are being generated by the Chinese military or criminal syndicates?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 20 Feb 2013 15:34:29 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2013/02/cyber-events-pile-so-do-stakes/61411/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Those of us following cybersecurity were expecting 2013 to be busy. If&amp;nbsp;the first two months are indicative of the rest of the year, then those expectations were well-grounded. A&amp;nbsp;few of the events and reports that have garnered attention so far:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		The suicide of Internet activist Aaron Swartz, who had been charged with illegally downloading millions of articles from a subscription-only service. His death resulted in a call for revisions to the Computer Fraud and Abuse Act.&lt;/li&gt;
	&lt;li&gt;
		The Pentagon said it plans to expand Cyber Command from 900 personnel to more than 4,900.&lt;/li&gt;
	&lt;li&gt;
		Hackers gained access to Twitter&amp;rsquo;s networks, possibly compromising 250,000 users&amp;rsquo; information.&lt;/li&gt;
	&lt;li&gt;
		The Federal Reserve confirmed that one of its internal websites was hacked.&lt;/li&gt;
	&lt;li&gt;
		The&amp;nbsp;&lt;em&gt;New York Times&lt;/em&gt;&amp;nbsp;reported that Chinese hackers broke into the company&amp;rsquo;s computers and stole reporters&amp;rsquo; passwords.&lt;/li&gt;
	&lt;li&gt;
		President Obama signed a much anticipated executive order on cybersecurity.&amp;nbsp;As an added bonus, the Administration also released Presidential Policy Directive PPD-21 on Critical Infrastructure Security and Resilience, an update of similar policies implemented by President George W. Bush in 2003.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;
		Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., Chairman and Ranking Member of the House Intelligence Committee, rolled out the Cyber Intelligence Sharing and Protection Act that passed the House last Congress.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;
		Representative Mike McCaul, R-Texas, chairman of the House Homeland Security Committee, said he would be addressing cybersecurity in the coming week.&lt;/li&gt;
	&lt;li&gt;
		The Government Accountability Office reported that existing cybersecurity efforts are not enough.&lt;/li&gt;
	&lt;li&gt;
		Facebook discovered that its internal systems had been hacked through the exploitation of a Java vulnerability.&lt;/li&gt;
	&lt;li&gt;
		Apple discovered that it had been hacked &amp;ndash; likely by the same entities and in the same manner as those attacking Facebook.&lt;/li&gt;
	&lt;li&gt;
		Security firm Mandiant alleged that a Chinese military unit hacked into almost 150 businesses, mostly to steal information.&lt;/li&gt;
	&lt;li&gt;
		Both the&amp;nbsp;&lt;em&gt;New York Times&lt;/em&gt;&amp;nbsp;and the&amp;nbsp;&lt;em&gt;Wall Street Journal&lt;/em&gt;&amp;nbsp;ran editorials today on the need for action in cybersecurity.&lt;/li&gt;
	&lt;li&gt;
		Attorney General Eric Holder, Commerce Deputy Secretary Rebecca Blank and Intellectual Property Enforcement coordinator Victoria Espinel announced a trade secrets strategy.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	It&amp;rsquo;s not clear how all the recent attacks might affect proposed policy actions.&amp;nbsp;We know -- and experts are quick to point out -- that our critical infrastructure is vulnerable and that we are fortunate not to have experienced a cyber 9/11 type attack.&amp;nbsp;The policy solutions being offered by Congress and President Obama address protecting our critical infrastructure, but what about the attacks on our media outlets, companies generally, and our social networks? In the end, does it matter if the attacks are being generated by the Chinese military, Eastern European criminal syndicates, Anonymous hacktivists, or the kid down the street?&lt;/p&gt;
&lt;p&gt;
	As the government struggles to agree on an approach to protecting critical infrastructure, 2013 may very well demonstrate that the problem is bigger than what a U.S. public-private partnership can fix. Cybersecurity is a global issue and without some international agreement on how we can address cybersecurity, we can expect to continue to see the headlines of the last few months.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The future of innovation is at stake in the debate over Internet freedom</title><link>https://www.nextgov.com/cybersecurity/2012/12/future-innovation-stake-debate-over-internet-freedom/60254/</link><description>Discord over telecom treaty reflects global schism.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 19 Dec 2012 08:08:05 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/12/future-innovation-stake-debate-over-internet-freedom/60254/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Last week, the World Conference on International Telecommunications, organized by the International Telecommunications Union, concluded in Dubai with the passage of revisions to a 25-year-old treaty written for a telecom-focused world to include the Internet. One simple sentence caused the U.S., Canada, the United Kingdom, and 55 other nations to vote against a new agreement:&lt;/p&gt;
&lt;blockquote&gt;
	&lt;p&gt;
		&amp;ldquo;[A]ll governments should have an equal role and responsibility for international Internet governance and for ensuring the stability, security and continuity of the existing Internet.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;
	The ITU&amp;rsquo;s power-grab for including the Internet in the telecom space has been troubling over the past several months. Granted, the language above is contained in a non-binding resolution but its inclusion goes to fundamental beliefs on how nations will and should approach the global Internet. At its core, it lays bare the schism between nations espousing Internet freedom versus those espousing Internet sovereignty -- a schism that will have a tremendous impact on nations&amp;rsquo; capabilities to counter cybercrime, cyberterrorism and promote cybersecurity in the future.&lt;/p&gt;
&lt;p&gt;
	On one side is the U.S., Canada, and our allies supporting efforts to allow for the free flow of the Internet -- whether that flow involves ideas, commerce, or entertainment. On the other side is Russia, China and their allies advocating for Internet sovereignty and the ability to shut down the Internet and control what their users access.&amp;nbsp; It is the modern day version of the Cold War, with zeros and ones replacing nukes and traditional arms.&lt;/p&gt;
&lt;p&gt;
	How a nation controls the Internet affects commerce, intellectual property rights, and trade. The Internet does not follow traditional borders or stop at nations&amp;rsquo; edges, so a common understanding of how it should be governed and by whom is critical to its future. Nations, especially those that espouse sovereignty over freedom, know that control over the Internet affects their national and international stature. Deciding whether sovereignty or freedom should underpin cyberspace will set the direction on how nations treat significant legal and policy challenges, such as national defense norms; criminal and civil penalties; standards; trade and privacy.&amp;nbsp; If nations are allowed to dictate sovereignty over freedom, then online firewalls will become the Berlin Wall of the 21&lt;sup&gt;st&lt;/sup&gt; Century.&lt;/p&gt;
&lt;p&gt;
	While last week&amp;rsquo;s action is not binding, it does tell us that the U.S. and its allies will need to be aggressive in diplomatic and international negotiations going forward with regards to Internet governance. Tearing down walls, once built, is a difficult, if not impossible, task. In many ways, the future of innovation can and will be decided by who wins the Internet debate on the international stage.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>On the Internet, the FBI knows if you’re a dog</title><link>https://www.nextgov.com/cybersecurity/2012/11/internet-fbi-knows-if-youre-dog/59523/</link><description>Online anonymity is rapidly becoming a relic of a bygone era.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 14 Nov 2012 14:17:57 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/11/internet-fbi-knows-if-youre-dog/59523/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	In 1993, &lt;em&gt;the New Yorker&lt;/em&gt; ran a cartoon by Peter Steiner which showed a dog sitting in a chair at a computer seemingly typing while another dog sat on the floor and looked up at him.&amp;nbsp; The caption: &amp;ldquo;On the Internet, nobody knows you&amp;rsquo;re a dog.&amp;rdquo;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	As laid bare by the scandal engulfing former C.I.A. director David Petraeus and threatening the career of Gen. John Allen, that caption, written over 20 years ago, may not long remain true for the Internet.&lt;/p&gt;
&lt;p&gt;
	Today, where lives are defined by emails, text and &amp;ldquo;private&amp;rdquo; messaging, Facebook postings and tweets, it is very likely that not only will companies (and the government) know whether you&amp;rsquo;re a dog, they will know what breed, what you had for lunch, and where you slept last night.&amp;nbsp;Anonymity, despite its best efforts, is rapidly becoming a thing of a pre-connected past.&lt;/p&gt;
&lt;p&gt;
	As noted in a posting I &lt;a href="http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/10/byod-can-quickly-become-byom-bring-your-own-malware/58949/"&gt;wrote last month&lt;/a&gt;, privacy and the lines between personal and work lives are becoming more complicated as our online personas merge the two. If you are a public figure such as Gen. Petraeus or Gen. Allen, that merger is even more complicated as additional norms and expectations are developed.&amp;nbsp; Granted, as military and intelligence leaders, their norms are even more complicated than those of other public figures due to the possibility of blackmail and/or compromise of state secrets. Nonetheless, they are still different from those for public figures in the past.&lt;/p&gt;
&lt;p&gt;
	Imagine if the Internet was around when Eleanor Roosevelt was writing private letters to her friend Lorena Hickok.&amp;nbsp; What if Mrs. Roosevelt, instead of writing letters calling Hickok &amp;ldquo;dear&amp;rdquo; and &amp;ldquo;darling,&amp;rdquo; had sent a direct message via Twitter with those same words?&amp;nbsp;Or instead of Mrs. Roosevelt finding President Franklin Roosevelt&amp;rsquo;s letters to Lucy Mercer in his suitcase, the Secret Service found emails detailing the President&amp;rsquo;s affections towards his wife&amp;rsquo;s social secretary? In today&amp;rsquo;s information-driven society, it is unlikely that the media, blogs, and the gossip mills of social networking would have focused on the merits of the policies these public figures advocated while leaving their personal lives alone.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	As more details emerge in the current scandal, expect more attention to be paid to the government&amp;rsquo;s surveillance methods in the case.&amp;nbsp;Privacy and civil liberties advocates are already pointing to the scandal as reason to move on the long-stalled reform of the Electronic Communications Privacy Act (ECPA) in Congress to cover cloud data and eliminate distinctions between content (e.g. old versus new), among other things. &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	Whatever happens with ECPA reform, &amp;nbsp;the type of information available online will not change, only how the government obtains it.&amp;nbsp; Dogs everywhere should be wary.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>BYOD can quickly become BYOM -- bring your own malware</title><link>https://www.nextgov.com/cybersecurity/2012/10/byod-can-quickly-become-byom-bring-your-own-malware/58949/</link><description>Employers may find it easier and less costly to buy and maintain the devices employees need.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Tue, 23 Oct 2012 07:08:32 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/10/byod-can-quickly-become-byom-bring-your-own-malware/58949/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Increasingly, companies and the government are turning to employees to bring their iPads, iPhones, and other smartphones to work to do work. Bring your own device is a trend that is gaining momentum in both the public and private sectors. From an employer perspective it is not a bad deal -- lower overhead by passing along the purchase and upkeep costs of devices to employees. Employees gain flexibility as work and personal lives converge.&lt;/p&gt;
&lt;p&gt;
	Unfortunately, balancing convenience with security is not easy. If not handled properly, BYOD can quickly turn into BYOM -- bring your own malware, with the problems plaguing individuals&amp;#39; home computers permeating corporate systems. There are other problems too, such as when an employee loses a device that contains sensitive information. Just think of the controversy over the last several years caused by lost, stolen, or misplaced laptops at many companies and government agencies. The problems posed by those disappearing computers are tame compared to the threats posed by BYOD.&lt;/p&gt;
&lt;p&gt;
	In addition, employers have to deal with emerging legal regimes on how, when and why they can access their employees&amp;#39; devices. There has been much thinking, as well as policy and legal wrangling, over how employers can monitor and regulate employees&amp;#39; use of computers owned by the employer. Banners and employee policies often lay out strict rules on what can and can&amp;#39;t be done on company computers. How does this translate to a BYOD world, where personal and work lives merge and workhours are not easily delineated?&amp;nbsp;&lt;/p&gt;
&lt;p&gt;
	From an employer&amp;#39;s perspective, maybe it is not such a good economic deal. Instead of dealing with procurement and upkeep issues, employers may find themselves dealing with implementation, privacy -- both of employees&amp;#39; personal stuff and corporate information commingled on a device -- and security headaches not contemplated in a corporate-owned technology world.&lt;/p&gt;
&lt;p&gt;
	Whatever the case, BYOD looks to be growing, not shrinking, and we should continue to see the law, policy, and technology worlds evolve to meet changing demands and practices.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Not All Critical Infrastructure Is Created Equal</title><link>https://www.nextgov.com/cybersecurity/2012/09/not-all-critical-infrastructure-created-equal/58390/</link><description>Any executive order creating new protections needs to weigh the potential consequences of disruption.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 26 Sep 2012 17:17:49 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/09/not-all-critical-infrastructure-created-equal/58390/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Earlier this week, Rep. Zoe Lofgren, D-Calif., released a &lt;a href="http://lofgren.house.gov/index.php?option=com_content&amp;amp;view=article&amp;amp;id=766:rep-zoe-lofgren-calls-for-narrow-focus-on-critical-infrastructure-in-potential-obama-cybersecurity-executive-order&amp;amp;catid=22:112th-news&amp;amp;Itemid=161"&gt;letter&lt;/a&gt; she had sent to White House Cybersecurity Coordinator Michael Daniel urging the White House, as it considers issuing an Executive Order to regulate cybersecurity, to only focus on &amp;ldquo;genuinely&amp;rdquo; critical infrastructure.&lt;/p&gt;
&lt;p&gt;
	Specifically, Rep. Lofgren says that the order should only include those systems that, if disrupted, could cause &amp;ldquo;major economic disruption, the loss of thousands of lives, or severe degradation of national security.&amp;rdquo; She goes on to write that the order should exclude &amp;ldquo;non-critical online services, such as social networking, search engines, and e-commerce networks.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	Common sense says that Rep. Lofgren&amp;rsquo;s approach is the right one. It doesn&amp;rsquo;t make sense for the White House to issue an Executive Order requiring agencies, especially during these tight budgetary times, to be conducting risk assessments and developing standards for my Facebook wall, Bing searches, and Amazon purchases or wish lists. I even wonder how such an order would look, especially given the constant changes and advances being made in those areas, as well as the emergence of new innovative sites and actors in those spaces.&lt;/p&gt;
&lt;p&gt;
	That said, I have written before that Congress and the administration should be thinking about how to more effectively work with the private sector to secure each of the areas identified by Rep. Lofgren to ensure that consumer privacy and security are not compromised. While not rising to a national security level (yet), identity theft, intellectual property theft, and data breaches do threaten our economic security and need to be addressed in a comprehensive yet non-restrictive manner that doesn&amp;rsquo;t harm innovation and technology advancement. Rep. Lofgren acknowledges this by noting the need for a &amp;ldquo;transparent legislative process that affords technical experts and the public adequate opportunity for input.&amp;rdquo; Any effective effort will require the industry to lead in those areas, though the government could assist by providing critical intelligence and threat information in a timely manner.&lt;/p&gt;
&lt;p&gt;
	As Congress and the Administration continue to grapple with cybersecurity for government and critical infrastructures in the national security arena, future discussions should consider the nexus between national security and economic security and how to construct a holistic approach to address both while also recognizing the inherent differences in how and why to protect our nation&amp;rsquo;s assets or, in an individual&amp;rsquo;s case, social networking likes and 140-word missives.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Senator’s Letters to Corporate Execs Stir Cyber Bill Hopes</title><link>https://www.nextgov.com/cybersecurity/2012/09/senators-letters-corporate-execs-stir-cyber-bill-hopes/58240/</link><description>Sen. John D. Rockefeller IV is bypassing the Chamber of Commerce and taking the case directly to company executives.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Thu, 20 Sep 2012 11:01:07 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/09/senators-letters-corporate-execs-stir-cyber-bill-hopes/58240/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Yesterday, Senate Commerce, Science &amp;amp; Technology Chairman John D. Rockefeller IV sent &lt;a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;amp;File_id=396eb5d5-23a4-4488-a67c-d45f62bbf9e5"&gt;letters&lt;/a&gt; to the CEOs of the Fortune 500 companies expressing his disappointment in the Senate&amp;rsquo;s stalemate on cybersecurity legislation, as well as his desire for President Obama to issue an Executive Order.&amp;nbsp;In the identical letters, which were sent to companies ranging from Exxon to IBM to Toys R US to Hormel Foods, the chairman blamed business lobbying groups and trade associations (singling out the Chamber of Commerce) as being behind the stalled legislation.&lt;/p&gt;
&lt;p&gt;
	Rockefeller asked each CEO eight questions about his or her company&amp;rsquo;s view on cybersecurity and what their specific concerns are with particular issues contained in the legislation.&amp;nbsp;He asked about the company&amp;rsquo;s own cyber best practices and how they came about. He also asked whether the federal government assisted in the development and what concerns the company may have with a voluntary public-private sector regime for developing best practices, as described in the Senate legislation.&amp;nbsp;He also asked what the company&amp;rsquo;s concerns are with the federal government conducting risk assessments of cyber vulnerabilities and determining the most critical cyber infrastructure.&lt;/p&gt;
&lt;p&gt;
	The letters send a clear message to corporate America &amp;ndash; the Senators pushing for comprehensive cybersecurity legislation that includes some form of federal government role in best practices and critical infrastructure risk assessments aren&amp;rsquo;t giving up on the legislation yet.&amp;nbsp;Rockefeller is pushing that message outside of Washington by circumventing the associations and trade groups that have led the charge against the legislation and going directly to corporate executives.&amp;nbsp;Maybe he wants to better understand their reasoning for opposing the legislation.&amp;nbsp; Maybe he wants to educate them on what is happening in D.C.&amp;nbsp; Or perhaps he wants to put each of the corporations on the spot.&amp;nbsp;It is an interesting tactic, whatever the reason.&lt;/p&gt;
&lt;p&gt;
	During the past several weeks, we&amp;rsquo;ve seen more senators call for a cybersecurity Executive Order. We&amp;rsquo;ve seen renewed calls for legislation. We&amp;rsquo;ve also seen both parties include cyber in their platforms for the first time.&amp;nbsp; It is clear that cybersecurity is not going away as an issue in Washington or, if Senator Rockefeller and others have their way, as an economic issue.&amp;nbsp;&amp;nbsp;I expect that the national security messaging around cybersecurity may soon be expanded to include economic security, something we have seen less of in the recent debates.&amp;nbsp; When the Pet Smarts, Bed Bath &amp;amp; Beyonds, and Kelloggs of the world are getting pulled into the debate, as they are with letters from Senator Rockefeller, it is hard to see cybersecurity policymaking as either a fading issue or one that any part of corporate America can ignore.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Waiting for a Cyber 9/11 Is a Poor Security Strategy</title><link>https://www.nextgov.com/cybersecurity/2012/09/waiting-cyber-911-poor-security-strategy/58015/</link><description>The government’s efforts on cybersecurity are intimately connected to terrorist threats.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Tue, 11 Sep 2012 15:19:22 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/09/waiting-cyber-911-poor-security-strategy/58015/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	Today, on the 11&lt;sup&gt;th&lt;/sup&gt; anniversary of the 9/11 attacks, Americans are remembering and honoring those who were lost and affected. Among the stories that have been circulating during the past week (and today) are those that frame the fight for cybersecurity legislation as being about avoiding the next 9/11. Just this morning, the &lt;em&gt;National Journal &lt;/em&gt;ran a story entitled &amp;ldquo;&lt;a href="http://www.nextgov.com/cybersecurity/2012/09/911-haunts-debate-over-cybersecurity/57998/?oref=ng-dropdown"&gt;9/11 Haunts Debate Over Cybersecurity&lt;/a&gt;.&amp;rdquo; Other recent headlines include &amp;ldquo;&lt;a href="http://www.cio.com.au/article/435516/does_cyber-9_11_loom_/"&gt;Does a Cyber 9/11 loom?&lt;/a&gt;,&amp;rdquo; &amp;ldquo;&lt;a href="http://money.cnn.com/2012/07/25/technology/blackhat-shawn-henry/index.htm"&gt;Former FBI cyber cop worries about a digital 9/11&lt;/a&gt;,&amp;rdquo; and &amp;ldquo;&lt;a href="http://abcnews.go.com/blogs/politics/2012/08/despite-threat-of-cyber-911-lawmakers-punt-cyber-security-bill/"&gt;Despite Threat of &amp;lsquo;Cyber 9/11&amp;rsquo;, Lawmakers Punt Cyber Security Bill&lt;/a&gt;.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;
	Regardless of whether one believes that a cyber 9/11 or cyber Pearl Harbor is imminent, one thing is clear: the government&amp;rsquo;s efforts on cybersecurity have been, and will be, intimately connected to terrorist threats to our critical infrastructure. The genesis of much of our cybersecurity effort pre-dates 9/11, yet it traces back to another attack on U.S. soil, the Oklahoma City bombing. Following that attack on April 19, 1995, President Clinton signed a then-classified Presidential Decision Directive 39 (PDD 39), U.S. Policy on Counterterrorism, that required:&lt;/p&gt;
&lt;p style="margin-left:.5in;"&gt;
	The Attorney General, as the chief law enforcement officer, shall chair a Cabinet Committee to review the vulnerability to terrorism of government facilities in the United States and critical national infrastructure and make recommendations.&lt;/p&gt;
&lt;p&gt;
	The Committee, which became the Critical Infrastructure Working Group, identified the critical national infrastructure and the threats to it. Among its final recommendations was to create a commission to further evaluate what should be done to protect our national infrastructure. From that recommendation, the President issued Executive Order 13010, creating the President&amp;rsquo;s Commission on Critical Infrastructure Protection (PCCIP). The Commission issued its findings in October 1997 in the report &lt;em&gt;Critical Foundations: Protecting America&amp;#39;s Infrastructures.&lt;/em&gt; The report connected the dots between terrorism, critical infrastructure protection and cybersecurity in a cohesive manner not previously done. The introduction to the report read:&lt;/p&gt;
&lt;p style="margin-left:.5in;"&gt;
	Our national defense, economic prosperity, and quality of life have long depended on the essential services that underpin our society.&amp;nbsp;These critical infrastructures&amp;mdash;energy, banking and finance, transportation, vital human services, and telecommunications&amp;mdash;must be viewed in a new context in the Information Age. The rapid proliferation and integration of telecommunications and computer systems have connected infrastructures to one another in a complex network of interdependence. This interlinkage has created a new dimension of vulnerability, which, when combined with an emerging constellation of threats, poses unprecedented national risk.&lt;/p&gt;
&lt;p&gt;
	The Commission noted that while it had &amp;ldquo;not discovered an immediate threat sufficient to warrant a fear of imminent national crisis,&amp;rdquo; it was important to address our nation&amp;rsquo;s cyber vulnerabilities before America faced a disaster, not after.&amp;nbsp;Among the Commission&amp;rsquo;s recommendations:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
		Information sharing &amp;ldquo;clearing houses&amp;rdquo; to facilitate partnerships between infrastructure owners and operators and appropriate government agencies;&lt;/li&gt;
	&lt;li&gt;
		A real-time capability for attack warning;&lt;/li&gt;
	&lt;li&gt;
		A top-level policy making office in the White House;&lt;/li&gt;
	&lt;li&gt;
		Education and awareness program;&lt;/li&gt;
	&lt;li&gt;
		Government tightening of its own systems;&lt;/li&gt;
	&lt;li&gt;
		Reforming the legal structure to keep pace with technology; and&lt;/li&gt;
	&lt;li&gt;
		Research and development.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	Ironically, these very issues are what we&amp;rsquo;ve seen hammered out and argued over during the past two years of debate on cybersecurity legislation.&lt;/p&gt;
&lt;p&gt;
	The PCCIP report led to President Clinton issuing PDD-63, which over time led to additional PDDs and Executive Orders. Many were directly linked to the attacks of 9/11, such as President Bush&amp;rsquo;s issuance of Executive Order 13231, Critical Infrastructure Protection in the Information Age. All arguably followed the language and themes laid out years earlier, whether by building upon them or by altering them to keep up with changing technology.&lt;/p&gt;
&lt;p&gt;
	As the same issues continue to evolve today, it may well be that a cyber 9/11 is around the corner. It may or may not be as imminent as it was in 1997 when the PCCIP warned of the need to act.&amp;nbsp;The PCCIP&amp;rsquo;s conclusion, &amp;ldquo;waiting for disaster is a dangerous strategy. Now is the time to act,&amp;rdquo; however, remains valid.&lt;/p&gt;
&lt;p&gt;
	While cybersecurity may have become a political football in the months leading up to this year&amp;rsquo;s elections, hopefully government, industry, and the political parties will be able to overcome the politicization and polarization to address an issue that is critical to our national security and to our efforts against the terrorism that threatens our critical assets and infrastructure. While President Obama is contemplating issuing Executive Orders and Presidential Directives, it&amp;rsquo;s clear from the history of cybersecurity policy that Congress will need to act to truly further our nation&amp;rsquo;s efforts.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>More Than Critical Infrastructure Is at Stake in Cyber Debates</title><link>https://www.nextgov.com/cybersecurity/2012/08/byod-security/57729/</link><description>Mobile and cloud computing raise a host of issues not explicitly addressed by cybersecurity proposals.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 29 Aug 2012 17:21:43 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/08/byod-security/57729/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
	While Congress and the Administration continue to debate how to tackle critical infrastructure protection and information sharing in legislation and potential executive orders, other areas demanding cybersecurity attention continue to grow. These areas are not specifically addressed in the existing proposed legislation or regulatory action, but they are ones with which technical experts, government agencies and individual users are increasingly grappling. In particular, one area to watch is the mobile space.&lt;/p&gt;
&lt;p&gt;
	The federal government, along with a growing number of companies, is trying to figure out how to deal with the increasing number of smartphones, tablets, and laptops that are penetrating the workplace. Efforts to allow users to bring their own devices have resulted in new policies and positions on how to merge users&amp;#39; home life (and the apps that come with it) with their work environment.&lt;br /&gt;
	&lt;br /&gt;
	Is this an area in need of legislative action? It is unclear, though it is clear that secure mobility is integral both to cybersecurity and to efforts to increase broadband use for public safety. In addition to employers and end users, service providers increasingly find themselves having to guarantee the integrity, confidentiality, and attribution of all data on the network. Some may argue that the existing legislative and regulatory proposals already cover this through their safeguards, guidelines and &amp;quot;standards&amp;quot; for critical infrastructure, but that too is unclear.&lt;br /&gt;
	&lt;br /&gt;
	How can entities safeguard individual devices so that they do not become an entry point for cyber attacks in an increasingly open and merged network space? It is one thing to discuss protecting the networks that run the electric grid. It is another to discuss protecting the voice, video, and data streams of the intelligence, military, public safety, and various private sector communities, which must be protected to safeguard the users of those networks.&lt;br /&gt;
	&lt;br /&gt;
	As mobile computing and cloud computing (another area that is barely touched by the legislation) become more prominent, it would not be surprising to see policymakers turning their attention away from critical infrastructure and information sharing to a more holistic approach that tackles these emerging issues. What that approach will look like, however, is unknown.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>On the Goal Line: Senate Cybersecurity Bill</title><link>https://www.nextgov.com/cybersecurity/2012/07/goal-line-senate-cybersecurity-bill/57013/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Wed, 25 Jul 2012 17:39:08 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/07/goal-line-senate-cybersecurity-bill/57013/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[Senate Majority Leader Harry Reid moved to proceed on cybersecurity legislation this afternoon, after many observers were debating whether he would move to do so on Thursday or Friday. Throughout the week, many of the leading Democratic Senators have been calling for the passage of a compromise bill constructed by Sens. Joe Lieberman and Susan Collins and others. How close is the Senate to actually passing the bill?&amp;nbsp;&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
Well, it is safe to say that it is facing fourth and goal, with eight points needed to tie the game and send it into overtime. The move to a compromise bill was a finesse move that might just give the bill&amp;rsquo;s proponents the six points needed to score a touchdown (a.k.a. get past the cloture vote to get the bill to the floor for debate). The two-point conversion, however, could be another story: Republicans opposed to critical infrastructure regulation, while more open than previously, still may oppose the compromise language, which would create a voluntary certification program using standards developed by a council, with industry receiving incentives to participate.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
Earlier today, senators on both sides of the debate sat down to discuss how to move the bill forward in the Senate, with reports indicating the meeting was civil but did not resolve the issues. Indeed, even if the Senate managed to score a two-point conversion and pass the legislation to tie the cybersecurity game with the House, it is unclear who would win the coin toss and whether either side could score before a tie is declared at the end of 2012.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
In any event, it is clear that cybersecurity will remain a priority for both the House and the Senate going into the lame duck session at the end of the year and, most likely, into 2013.&lt;br /&gt;
]]&gt;</content:encoded></item><item><title>DNSChanger Doomsday? Not on Monday.</title><link>https://www.nextgov.com/cybersecurity/2012/07/dnschanger-doomsday-not-monday/56691/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Tue, 10 Jul 2012 06:38:50 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/07/dnschanger-doomsday-not-monday/56691/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[Yesterday, tens of thousands of Internet users turned on their computers, wondering if they would be able to connect to the Web. By evening, news stories were asking was the DNSChanger Doomsday Virus the biggest overblown computer threat since Y2K?&lt;br /&gt;
&lt;br /&gt;
What was the Doomsday Virus? DNSChanger is a piece of malware, discovered about five years ago, that altered the Domain Name System (DNS) settings of infected computers so that their name lookups were sent to rogue DNS servers controlled by a criminal ring based in Estonia. Those servers could steer victims to whatever sites the criminals chose, which they exploited in an online advertising fraud scheme; the infection ended up impacting hundreds of thousands of computers. Late last year, the FBI took down the criminal ring responsible for the malware, but realized that if it simply switched off the rogue servers, most of those still infected would lose Internet connectivity, because their machines would be asking dead servers for every lookup. Instead, under a court order, the rogue servers were replaced with clean substitute servers to avoid Internet chaos.&lt;br /&gt;
&lt;br /&gt;
That all ended yesterday when the FBI shut down the substitute servers. Leading up to the date, the FBI and numerous private sector partners worked to educate Internet users about the Doomsday Virus, warning them to check whether their systems were infected, that is, whether their computers were configured to use DNS servers in the rogue address ranges. Many, however, estimated that lots of users were still infected and would lose Internet access on Monday.&lt;br /&gt;
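The check the FBI and its partners were asking users to perform, whether the configured DNS resolvers fall inside the rogue-server address ranges, can be scripted. The block below is an added example written for this page; it is not an FBI or vendor tool and not code from the original post. The address ranges are the rogue-resolver ranges the FBI published for DNSChanger as recalled here, so verify them against the FBI's DNSChanger notice before relying on them; the resolv.conf and ipconfig text is constructed sample input, and every function name is the example's own.&lt;br /&gt;

```python
"""Audit configured DNS resolvers against the DNSChanger rogue-server ranges.

Added example for this page, not an FBI or vendor tool.  The ranges below are
the rogue-resolver ranges the FBI published for DNSChanger as recalled by the
editor; verify them against the FBI's DNSChanger notice before relying on them.
"""
import ipaddress
import re
from typing import Dict, List

ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample inputs (not real captures): a Unix resolv.conf and the
# DNS lines of a Windows "ipconfig /all" dump, one rogue resolver in each.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 85.255.112.5
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 67.210.3.44
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def is_rogue_resolver(addr: str) -> bool:
    """True if addr falls inside one of the DNSChanger rogue-server ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # not an IP address at all, so nothing to match
    return any(ip in net for net in ROGUE_DNS_RANGES)


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Return the 'nameserver' entries of a resolv.conf, in order."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_ipconfig(text: str) -> List[str]:
    """Return the IPv4 addresses listed under 'DNS Servers' in ipconfig /all output.

    Windows prints the first server on the 'DNS Servers' line and further
    servers on continuation lines that carry only an address; the next
    'Key . . . : value' line ends the block.  IPv6 resolvers are not collected.
    """
    out, in_dns_block = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
        elif ":" in line:
            in_dns_block = False
        if in_dns_block:
            out.extend(_IPV4.findall(line))
    return out


def audit_resolvers(addrs: List[str]) -> Dict[str, List[str]]:
    """Split resolver addresses into those inside the rogue ranges and the rest."""
    result: Dict[str, List[str]] = {"rogue": [], "clean": []}
    for addr in addrs:
        result["rogue" if is_rogue_resolver(addr) else "clean"].append(addr)
    return result


if __name__ == "__main__":
    for source, addrs in (
        ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        print(source, audit_resolvers(addrs))
```

On a real host, feed the script the contents of /etc/resolv.conf or the output of ipconfig /all instead of the samples; any address that lands in the "rogue" bucket means the machine was still pointed at the DNSChanger servers and, after Monday's shutdown, would fail every name lookup until its DNS settings were corrected.&lt;br /&gt;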
&lt;br /&gt;
It didn&amp;#39;t seem to happen that way, which is good. It means that the FBI and the private sector did a good job getting the word out and getting everyday users to check and clean their systems. Less drama and less &amp;quot;the sky is falling&amp;quot; mentality in cyberspace is what we need right now, along with more operational and technical fixes to the cybersecurity problem. We won&amp;#39;t eliminate bots, malware, worms, or viruses, but we can try to mitigate the damage caused by them.&lt;br /&gt;
&lt;br /&gt;
The Doomsday Virus efforts bode well for groups like the Industry Botnet Group announced at the end of May at the White House. The group is bringing the federal government together with industry to combat botnets, better educate users (e.g. &amp;quot;Keep a Clean Machine&amp;quot;) and promote technical standards at NIST. Hopefully, with true partnerships and a coordinated effort, combating malware can help set an example for our larger cybersecurity efforts. ]]&gt;</content:encoded></item><item><title>July Fireworks: Senate May Take Up Cybersecurity, But Then What?    </title><link>https://www.nextgov.com/cybersecurity/2012/06/july-fireworks-senate-may-take-cybersecurity-then-what/56448/</link><description>Even if a bill gets through the Senate, the path forward is unclear.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Herrera-Flanigan </dc:creator><pubDate>Mon, 25 Jun 2012 14:49:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2012/06/july-fireworks-senate-may-take-cybersecurity-then-what/56448/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[There is a lot of chatter on and around Capitol Hill about the possibility that the Senate will take up cybersecurity in July. It is unclear at this point which bill or issues will make it to the floor, or even whether any effort will garner enough support to pass, though more voices are calling for some sort of compromise. While those following cybersecurity legislation await some possible post-4th fireworks in the Senate on what was once a non-partisan issue, there is a larger question looming in the background: What&amp;#39;s next?&lt;br /&gt;
&lt;br /&gt;
Even if cybersecurity legislation does get through the Senate, there is not a clear path forward for reconciling that bill (or bills) with any or all of the House cybersecurity measures passed earlier this year.&amp;nbsp;Congress is only in session a short span in July, before lawmakers exit for August recess.&amp;nbsp;September will be an even shorter work period before attention is turned to home districts and the upcoming elections.&amp;nbsp;There is much talk of an end of the year marathon, but with the debt, sequestration, appropriations, tax cut extensions and other headline-grabbing topics front and center, will there be room for negotiated cybersecurity legislation?&amp;nbsp; Could it be attached to another moving vehicle in hopes of passage? What would &amp;quot;it&amp;quot; be anyway?&lt;br /&gt;
&lt;br /&gt;
Short of a cyber-tragedy, it is hard to see a clear trajectory for a cyber bill to reach President Obama&amp;#39;s desk. Not impossible, but the stars would have to align perfectly. More likely, we will see the cyber debates move into 2013. If they do, expect some of the same issues -- information sharing, critical infrastructure regulatory structures, workforce challenges, research and development, and the Federal Information Security Management Act -- to remain at the forefront of discussions. Data breaches, which have long been treated as a &amp;quot;privacy/consumer&amp;quot; issue, also could be blended into larger efforts. In addition, in light of Stuxnet, Flame, and increased IP theft from abroad, how the U.S. plays on the international cyber front also could be addressed.&lt;br /&gt;
&lt;br /&gt;
First, the Senate has to act.&lt;br /&gt;
]]&gt;</content:encoded></item></channel></rss>