Mar 11 2010

VA investigating security breach of veterans’ medical data

The Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center, sources have told Nextgov.

The assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information, according to a source familiar with the incident who asked not to be identified.

Roger Baker, VA’s chief information officer, said in a comment on an item about the incident posted Monday evening on a Nextgov blog that the physician assistant’s laptop was never connected to the VA network and that any data she recorded on her laptop was “hand entered.”

But the source told Nextgov the VA inspector general is investigating whether the assistant used two thumb drives to transfer the data to the laptop.

The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded.

VA spokeswoman Katie Roberts said she cannot comment in detail on the Atlanta breach because it is under investigation. But in an e-mail, she stated, “VA is committed to protecting the privacy of veterans who have used our health care facilities. VA’s Office of Inspector General is currently investigating a report that a former VA physician assistant stored unauthorized clinical data about patients at the Atlanta [VA medical center] on a personal laptop computer.

“VA’s Office of Information and Technology is trying to gather more details about the circumstances, including the number of veterans whose information was involved and the nature of the information affected. The results of the investigation and analysis will help determine whether to send notifications and offers of credit protection services to the affected veterans.”

The inspector general has asked VA’s Office of Information and Technology, which Baker heads, to determine how many veterans were involved in the data breach and what kinds of personally identifiable or private health information might be involved.

The inspector general has determined that multiple documents on the laptop “appear to have come from an unapproved research project,” noted a document about the incident, which Nextgov obtained.

The incident is reminiscent of a 2006 cybersecurity breach at VA. In what was one of the largest security lapses in the department’s history, a Veterans Affairs analyst downloaded information on 26.5 million patients — practically every living veteran — on to the hard drive of his personal laptop so he could work on a research project at home. The laptop was later stolen and recovered. Investigators determined the personal information likely was not accessed.

But the breach resulted in VA instituting policies to bar the connection of personal computers to Veterans Affairs networks and to encrypt all patient data stored on department computers. Violation of the policies could result in administrative, civil or criminal penalties.

In his comment on the Nextgov blog, Baker said those policies worked in the Atlanta case and the physician assistant was denied access to VA systems. In addition, a nurse scientist and visiting scholar at the medical center stopped the assistant from using the data after learning about the unapproved research project, according to the document on the incident. The nurse told the physician assistant to destroy the data, and when it was not destroyed, the nurse informed a research compliance officer in Atlanta on Feb. 8. The physician assistant resigned on Feb. 26, according to the document.

The breach illustrates the need for patients, not clinicians, to control their medical records, said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit based in Austin, Texas, that works to ensure medical information remains restricted. She said control should include a requirement to obtain a patient’s consent to send clinical information to another doctor or to use it for research. Peel added electronic consent software currently exists to automate the process.

Source


Mar 11 2010

Pennsylvania fires CISO over RSA talk

Pennsylvania’s chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last week about a recent incident involving the Commonwealth’s online driving exam scheduling system.

A source close to the matter said Maley was terminated for not getting the required approvals from the Commonwealth’s authorities to talk publicly about the incident.

Commonwealth rules explicitly require all employees to get approval from the appropriate authorities before they publicly disclose official matters, the source said.

A spokesman for the state’s governor, Edward Rendell, today confirmed that Maley is no longer working for the Commonwealth. But he refused to say if Maley had been terminated, citing privacy rules.

Maley, who was Pennsylvania’s CISO for more than four years, was part of a RSA conference panel discussing state cybersecurity issues last Thursday.

During the discussion, Maley talked about a recent incident involving a Philadelphia-area driving school that was trying to get early driving tests for its students. The source said someone at the school exploited a configuration “anomaly” in the Department of Transportation’s online driver’s test scheduling system.

The vulnerability allowed the school to essentially cut the line and schedule “a whole bunch of driver’s license exams” for its students, the source said.

The incident was reported to the state police, and the matter is currently under investigation, the source said.

Danielle Klinger, a spokeswoman for Pennsylvania’s Department of Transportation, confirmed today that a problem had been uncovered in the driver test scheduling system, and that the matter has been turned over to state police.

However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the department was aware, there had been no hack or breach of the system.

Maley’s dismissal comes amid ongoing budget and staff cuts at Pennsylvania’s IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a “lockdown” on talking about cybersecurity, the source claimed.

Source


Mar 9 2010

Former NSA tech chief: I don’t trust the cloud

The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Crypto AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much — a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

Source


Mar 8 2010

Report: North Korea Develops Own Linux Distribution

North Korea has reportedly developed its own version of the Linux operating system with a graphical user interface that closely resembles Microsoft Windows.

A copy of the North Korean Linux distribution, called Red Star, was purchased in Pyongyang for US$5 by a Russian student named Mikhail, who then posted a brief review of it on his blog using the Russian embassy’s Internet connection, according to the English-language Web site of Russia Today, a Russian television news channel.

Mikhail, who described himself as one of two Russian students at North Korea’s Kim Il-Sung University, posted several screen shots of the operating system with his review, including a system clock showing a date based on North Korea’s calendar, which considers 2010 to be year 99 of its Juche ideology.

Although the operating system is still considered stable, it was easy to set up, taking around 15 minutes to install, Mikhail wrote, adding that it came with a single language option: Korean.

The desktop interface shown in the screenshots closely resembles Windows, and appears to be based on a recent version of the K Desktop Environment (KDE). The Red Star browser, which Mikhail said was called My Country, is based on Mozilla’s Firefox browser, and allows users to access North Korea’s closed network, called My Country BBS.

Other features of Red Star include a word processor, an e-mail client, antivirus software, multimedia players for audio and video, as well as several games.

Source


Mar 8 2010

FBI Director: Hackers have corrupted valuable data

Hackers breaking into businesses and government agencies with targeted attacks have not only stolen intellectual property, in some cases they have corrupted data too, the head of the U.S. Federal Bureau of Investigation said Thursday.

The United States has been under assault from these targeted spear-phishing attacks for years, but they received mainstream attention in January, when Google admitted that it had been hit and threatened to pull its business out of China — the presumed source of the attack — as a result.

FBI Director Robert Mueller called these attacks a threat to the nation’s security on Thursday, speaking at the RSA Conference in San Francisco. “Just one breach is all they need in order to open the floodgates,” he said, speaking about the hackers behind these intrusions. “We have seen not only a loss of data, but also a corruption of that data.”

Mueller did not say exactly what he meant by corruption of data, but security experts worry that if attackers are able to alter source code, they might put back-doors or logic bombs in the software they gain access to.

“If hackers made subtle, undetected changes to your code, they could have a permanent window into everything you do,” Mueller said. “Some in industry have likened this to death by 1,000 cuts. We are bleeding data, intellectual property, information, source code, bit by bit, and in some cases terabyte by terabyte.”

Researchers investigating the Google attack — thought to have affected at least 100 companies including Intel, Adobe and Symantec — say that prime targets of the hackers were the source code management systems used by software developers to build code.

Companies often fail to put basic security controls on these systems, meaning that once an engineer or quality assurance tester’s workstation has been hacked, the company’s crown jewels are often accessible.

In some cases, hackers moved valuable intellectual property overseas using their victim’s wide area networks, and then moved the data from branch offices to outside servers via the Internet, researchers say.

“We are playing the cyber equivalent of cat-and-mouse, and unfortunately the mouse seems to be one step ahead most of the time,” Mueller said.

Source


Mar 8 2010

New US-CERT PGP Key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New US-CERT PGP Key

US-CERT has generated a new US-CERT Publications PGP key. We use this
key to sign all publications, including documents sent to this list.
Effective immediately, this new key (key ID 0x093916B7) is available
and will be valid until Saturday, October 1, 2011. This key replaces the
current PGP key (key ID 0xBEE871AC).

To obtain further information or to download the new
US-CERT publications PGP key, please visit

or

A copy of this new key has also been included at the bottom of this
message and sent to public PGP key servers.

In accordance with good key management practices, we have also generated
a revocation certificate for the existing PGP key. The revocation
certificate for PGP key id 0xBEE871AC has also been included below and
sent to the public PGP key servers.

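An announcement like the one above gives the reader a key ID to check the downloaded key against. The following Python, added here and not US-CERT's code, dearmors a public key block, verifies the armor CRC-24, parses the version 4 public-key packet and derives the fingerprint and key ID as RFC 4880 specifies, so the ID quoted in an announcement can be compared with the key actually received before it is imported. The key built by sample_key_block() is constructed for the demonstration and is not the US-CERT key.

```python
"""Check an armored PGP public key block against an announced key ID (RFC 4880).
Added example, not US-CERT's code; the sample key it builds is constructed."""
import base64
import hashlib
import re

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """ASCII-armor raw packet bytes: 64-column base64 body plus a CRC-24 line."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", ""] + lines
                     + ["=" + crc, f"-----END {kind}-----"]) + "\n"

def dearmor(text: str) -> bytes:
    """Strip the armor, decode the base64 body and verify the CRC-24 line."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).split("\n")
    if "" in lines:                      # skip armor headers such as "Version:"
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in lines if ln and ln[0] != "="))
    crc_lines = [ln for ln in lines if ln.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: block corrupted or tampered")
    return data

def read_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet (old- and new-format headers)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag, l0 = ctb & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1 << ltype)           # 1, 2 or 4 length octets follow the tag
        length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]

def parse_public_key(body: bytes) -> dict:
    """Parse a v4 public-key packet body and derive its fingerprint and key IDs."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    created, algo = int.from_bytes(body[1:5], "big"), body[5]
    mpis, pos = [], 6
    while pos < len(body):               # algorithm-specific MPIs (n and e for RSA)
        nbytes = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"))
        pos += 2 + nbytes
    # v4 fingerprint = SHA-1(0x99 || 2-octet body length || body); key ID = low 64 bits
    fp = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    return {"created": created, "algorithm": algo, "mpis": mpis,
            "fingerprint": fp, "key_id": fp[-16:], "short_id": fp[-8:]}

def matches_announced_id(armored: str, announced: str) -> bool:
    """True if the key's long or short ID equals the ID quoted in an announcement."""
    want = announced.lower().replace("0x", "")
    tag, body = read_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    return parse_public_key(body)["key_id"].lower().endswith(want)

def sample_key_block() -> str:
    """Constructed v4 RSA key packet (hash-derived modulus, NOT a usable key)."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    n = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4, "big") | 1
    body = b"\x04" + (1267747200).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)
    # old-format header octet 0x99 = 0x80 | tag 6 << 2 | two-octet length, then the length
    return armor(bytes([0x80 | (6 << 2) | 1]) + len(body).to_bytes(2, "big") + body)
```

Pass the block from a real announcement and the announced ID to matches_announced_id(); a CRC failure or a mismatched ID means the key should not be imported.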

Source


Mar 4 2010

White House Cyber Czar: ‘There Is No Cyberwar’

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.

One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.

That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.

Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.

McConnell rejoined Booz Allen Hamilton, a defense contractor that made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now serves as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity firm, whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.

In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence, based on the threat that the United States would massively retaliate against any perceived attack.

“More specifically, we need to re-engineer the internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.

Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.

For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May speech addressing cybersecurity — that the government would not monitor the internet at large.

“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else,” Schmidt said. “I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms.”

“But we also need to do our financial transactions securely and you need to be able to file your story online in a manner so that by the time you upload it, it doesn’t say ‘At noon, today San Francisco had a terrible earthquake’ when that didn’t happen,” Schmidt added.

But that commitment to keep the government’s monitoring equipment out of the commercial internet seems belied by a CNET interview at RSA with a Homeland Security cybersecurity official, who said that DHS was considering installing its classified “Einstein 3” security technology to non-government infrastructure.

Cyberwar advocates make their case for this in part by pointing to high-profile stories that hackers have penetrated the grid and, in some cases, caused massive blackouts including the 2003 cascading failure in the Northeast that affected some 50 million citizens. Those stories (on 60 Minutes, in the Wall Street Journal and the National Journal), relied nearly exclusively on anonymous defense intelligence officials or contractors, and are often easily debunked.

Schmidt said it’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.

“As for getting into the power grid, I can’t see that that’s realistic,” Schmidt said.

There’s been much ink spilled in recent years over the turf battles in D.C. over whether the NSA (representing the military) or DHS (on the civilian side) takes the lead role in cybersecurity.

Rod Beckstrom, now the president of the International Corporation for Assigned Names and Numbers, resigned from his role heading cybersecurity for DHS last spring. He protested that the NSA was encroaching too far, and that the job of protecting non-military government websites should be handled by civilians — especially as the government pushes citizens to use those websites for more and more business.

But Schmidt said he hasn’t run into that problem and said government agencies are working together.

“I haven’t seen that tension,” Schmidt said.

As for which will take the cybersecurity lead, Schmidt simply says it’s a shared effort.

But that’s a very thorny issue — one that has dogged the government’s intrusion protection system Einstein and its successors, Einstein 2 and 3.

Why should U.S. citizens trust cybersecurity to the NSA? Under President Bush, it secretly turned its powerful spying apparatus inward in violation of U.S. law and its longstanding mantra to never spy on citizens.

Schmidt counters that the NSA has long had the job of protecting classified computers and has already become a participant in the wider security community. Among other things, it offers advice on how to secure computer systems, such as Linux and Windows. And more important, Schmidt said, the president maintains the NSA has to obey limits.

“When your boss, in our case the president, tells an agency not to do something and here are the controls put in place and here is the coordination put into place, that’s a pretty big commitment,” Schmidt said.

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

The government must also be active in reducing its own vulnerabilities, according to Schmidt.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

Schmidt, who has held cybersecurity positions inside the Air Force, the FBI and Microsoft, mentioned he’s part of a Facebook group of Wired magazine collectors. The oldest one he has, he said, had co-founder of the Electronic Frontier Foundation John Perry Barlow on the cover. Though the irascible Barlow never made the cover (other than a mock-up of the first edition), Schmidt could have been referring to Issue 2.04 which included a promo for an essay from Barlow.

Fittingly, that essay, about the failed effort to mandate government-accessible backdoors in encryption technology, was entitled “Jackboots on the Infobahn.”

Source


Mar 3 2010

DoD Requires Hacker Certification

Official government cyber defenders are now required to have the skills of a hacker according to a mandatory certification approved this week by the Department of Defense.

The DoD now requires its computer network defenders (CNDs) to pass the Certified Ethical Hacker certification program from the International Council of E-Commerce Consultants (EC-Council) to fulfill baseline skills requirements.

The Certified Ethical Hacker qualification tests someone’s knowledge in the mindset, tools, and techniques of a hacker.

CNDs — who are part of the DoD’s information assurance workforce — protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

Assistant Secretary of Defense John Grimes officially instated the Certified Ethical Hacker requirement in late February under DoD Directive 8570, which provides guidance for how DoD information workers should be trained and managed.

The move is significant because it solidifies the practice of ethical hacking — also known as penetration testing — in mainstream IT practices, said Jay Bavisi, co-founder and president of EC-Council. The council is a vendor-neutral organization that certifies IT professionals in security-related skills.

“Now hacking is no longer a bad word in mainstream IT community,” he said, adding that ethical hacking is not exactly what people think of when they hear that word anyway.

“What we are doing is not hacking — we are seeking permission from the owners of the network to beat the hackers at their own game,” Bavisi said. In fact, the tag line for the EC-Council’s Certified Ethical Hacker educational program is: “To beat a hacker, you must think like one.”

IBM coined the term “ethical hacking” in the 1960s to define a way for IT security researchers to emulate the work of hackers so they can better defend networks, Bavisi said.

Ironically, though ethical hacking was first adopted in covert practices by the U.S. military, in the last decade or so it has become a common practice among Fortune 500 companies to employ ethical hackers to defend networks, he added.

The practice seems to have come full circle with the DoD directive, which Bavisi said the department took three years to approve.

“We were put through a lot of hoops before the DoD accepted us,” he said. “It was a very well-thought, very well-planned, researched movement.”

Source


Feb 25 2010

FBI outlines three components of cyber-risk

To make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than solely focusing on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers most likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling because risk drops to zero if any of those three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those elements, so we have to constantly figure out as an organization how we are driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat, vulnerability and consequence management side, and you have to find your partners so that you could work together.”

Source


Feb 25 2010

U.S. Schools Fall Short On Cybersecurity Education

Young U.S. Internet users are not receiving enough education about being safe online, according to a new poll by the National Cyber Security Alliance (NCSA) and supported by Microsoft.

More than three quarters of teachers have spent fewer than six hours on education related to cyberethics, cybersafety, and cybersecurity in the last 12 months; more than 50% of teachers reported their school districts do not require these subjects as curriculum; and only 35% taught proper online conduct.

Key highlights of the survey include:

* More than 90% of technology coordinators, school administrators and teachers support teaching cyberethics, cybersafety and cybersecurity in schools. However, only 35% of teachers and just over half of school administrators report that their school districts require cyberethics, cybersafety, and cybersecurity in their curriculum.

* Low levels of integration of key cyberethics, cybersecurity, and cybersafety topics into everyday instructional activities. For example, only 27% of teachers taught about the safe use of social networks, only 18% taught about scams, fraud and social engineering, and only 19% taught about safe passwords in the past 12 months. Additionally, 32% of teachers indicated they had not taught cyberethics, and 44% of teachers had not taught cybersafety or cybersecurity.

* Differing opinions between teachers and administrators as to who is or should be responsible (parents vs. teachers) for educating students about cyberethics, cybersafety, and cybersecurity. For example, while 72% of teachers indicated that parents bear the primary responsibility for teaching these topics, 51% of school administrators indicate that teachers are responsible.

“The study illuminates that there is no cohesive effort to provide young people the education they need to safely and securely navigate the digital age and prepare them as digital citizens and employees,” said Michael Kaiser, Executive Director of the National Cyber Security Alliance. “Unfortunately, we are not meeting the needs of schools, teachers, or students.”

The survey also found schools rely on shielding students instead of teaching behaviors for safe and secure Internet use. More than 90 percent of schools have built up digital defenses, such as filtering and blocking social networking sites, to protect children on school networks. While those measures may help reduce the online risks children face at school, they do not prepare students to act more safely when accessing the Internet at home or on mobile devices.

Source