Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for December 8th, 2008

The “Night Cap”

U.S. Is Losing Global Cyberwar, Commission Says
Center for Cybersecurity Operations is proposed to protect military, government, and corporate electronics from criminals and other nations

By Keith Epstein

The U.S. faces a cybersecurity threat of such magnitude that the next President should move quickly to create a Center for Cybersecurity Operations and appoint a special White House advisor to oversee it. Those are among the recommendations in a 44-page report by the U.S. Commission on Cybersecurity, a version of which will be made public today. The bipartisan panel includes executives, high-ranking military officers and intelligence officials, leading specialists in computer security, and two members of Congress.

To compile the report, which is entitled “Securing Cyberspace in the 44th Presidency,” commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from Pentagon, CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act.

The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a “red team” to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. “We’re playing a giant game of chess now and we’re losing badly,” says commission member Tom Kellermann, a former World Bank security official who now is vice-president of security at Boston-based Core Strategy.

Obama seems on board

Kellermann should know: He had a hand in crafting the nation’s cybersecurity strategy in 2003. But as he tells it, government efforts led by the Homeland Security Dept. have been stymied by bureaucratic confusion and an unwillingness by agencies and corporations to share information about cyber break-ins. The commission’s report catalogues incidents afflicting financial institutions, large corporations, and government agencies, including some first detailed publicly over the last year in various BusinessWeek articles. In an ominous note for the private sector, the commission notes that “senior representatives from the intelligence community told us they had conclusive evidence covertly obtained from foreign sources that U.S. companies have lost billions in intellectual property.” For more on the spread of malicious software, read Saturday’s New York Times article, “Thieves Winning Online War, Maybe Even in Your Computer.”

Kellermann describes a behind-the-scenes effort by several members of the commission, some of whom are advisors on President-elect Barack Obama’s transition team, to convince him of the need for action “to stop the hemorrhaging of national secrets, proprietary information, and personal data. We need to begin to deal with this cancer.” Informal briefings by members of the commission, starting last July, seem to have affected Obama’s thinking, sources say. Those who worry about the problem are heartened by his July 16 vow to “declare our cyber-infrastructure a strategic asset” and to “bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power.” At the time, the candidate also pledged that, if elected, he would appoint a “national cyber advisor” who would report directly to the President.

The Threat from China

Over the past 11 months, BusinessWeek has examined high-tech security threats to U.S. weapons systems and to government and defense industry computer networks. The three main installments in the BusinessWeek series were based on previously undisclosed documents and interviews with more than 100 current and former government employees, defense industry executives, and people with ties to U.S. military, space, and intelligence agencies. They are: E-spionage (BusinessWeek, 4/10/08), Dangerous Fakes (BusinessWeek, 10/2/08), and The Taking of NASA’s Secrets (BusinessWeek, 11/20/08).

As the world’s corporations, governments, military forces, and computer users have gravitated to the Web, so have competitors, adversaries, criminals, and spies, including government-backed electronic operatives establishing footholds for potential attacks, according to groups such as the congressionally created U.S.-China Economic & Security Review Commission, which warned on Nov. 21 of the threat from China (BusinessWeek.com, 11/21/08).

“The damage from cyber attack is real,” states the cybersecurity group’s report, referring to intrusions last year at the departments of Defense, State, Homeland Security, and Commerce, and at NASA and the National Defense University.

Hacking for ‘friendly fire’

The report continues: “The Secretary of Defense’s unclassified e-mail was hacked and DOD officials told us that the department’s computers are probed hundreds of thousands of times each day; a senior official at State told us the department has lost ‘terabytes’ of information; Homeland Security suffered ‘break-ins’ in several of its divisions, including the Transportation Security Agency; Commerce was forced to take the Bureau of Industry and Security offline for several months; NASA had to impose e-mail restrictions before shuttle launches and allegedly has seen designs for new launchers compromised. Recently, the White House itself had to deal with unidentifiable intrusions in its networks.”

The report mentions some of the most severe threats, such as those being faced by U.S. war fighters in Iraq and Afghanistan, only hypothetically. It notes, for instance, that “the U.S. has a ‘blue-force tracking’ that tells commanders where friendly forces are located,” and then goes on to posit a scenario under which an opponent could turn some of the blue signals to red, a color used to flag adversaries’ forces. The implication is that an intruder might, for instance, provoke a so-called friendly-fire incident in which U.S. fighters mistakenly target U.S. personnel.

At least six members of the commission approached by BusinessWeek declined to share specifics of the most recent intrusions into the computers of companies, the Pentagon, the U.S. Central Command, and important centers of military operations such as Bagram Air Base in Afghanistan. Defense and intelligence officials also declined to describe the operational impacts of that massive penetration of corporate and military networks, but they did confirm that it culminated Nov. 22 in the raising of U.S. Strategic Command’s threat level—known as INFOCON—which entailed banning plug-in devices such as thumb drives throughout the U.S. military and in some allied forces. Emergency briefings were also given to Obama and President Bush.

U.S. military fights agent.btz

As first reported Nov. 28 by the Los Angeles Times in “Cyber-Attack on Defense Department Computers Raises Concerns,” the intrusion and compromise of the U.S. military networks began with a piece of malicious software—or malware—known as agent.btz, which has also afflicted corporate networks in recent months, U.S. military officials and private cybersecurity specialists confirmed. Such intrusions have grown increasingly sophisticated and difficult to trace to their origins. The latest generation of malware, developed by gangs and governments with large sums of money at their disposal, can easily cloak its activities and capabilities.

Complicating the cleanup is not only the nature of the malicious software, but the sheer scale of the task: The U.S. military has around 7 million vulnerable electronic devices. U.S. military officials tell BusinessWeek that assuring themselves that they have cleansed their computers of the intruders that gained a foothold via agent.btz has grown increasingly uncertain and expensive. Forensics examinations and the reprogramming of each computer—which continues in the Pentagon, in Central Command headquarters in Tampa, and in military installations in Afghanistan—costs around $5,000 to $7,000 per machine, sources said.

Kellermann and other computer security consultants declined to discuss the threat to the U.S. military, though several said they were intimately familiar with it. But Kellermann said it was yet another example of how “the cyber security threat has really gotten out of control. But it’s not only a national security threat. It’s an economic security threat.”

Yes, we are losing. Meanwhile the assclowns roam the Savannah huddling next to the watering hole….

I plan on writing a well worded letter to the next prez in the hopes that he acts on this ASAP.

Written by Krypt3ia

2008/12/08 at 21:35

Posted in Uncategorized

Laptop searches at border might get restricted

By JOELLE TESSLER
AP Technology Writer

WASHINGTON (AP) — Mohamed Shommo, an engineer for Cisco Systems Inc., travels overseas several times a year for work, so he is accustomed to opening his bags for border inspections upon returning to the U.S. But in recent years, these inspections have gone much deeper than his luggage.

Border agents have scrutinized family pictures on Shommo’s digital camera, examined Koranic verses and other audio files on his iPod and even looked up Google keyword searches he had typed into his company laptop.

“They literally searched everywhere and every device they could,” said Shommo, who now minimizes what he takes on international trips and deletes pictures off his camera before returning to the U.S. “I don’t think anyone has a right to look at my private belongings without my permission. You never know how they will interpret what they find.”

Given all the personal details that people store on digital devices, border searches of laptops and other gadgets can give law enforcement officials far more revealing pictures of travelers than suitcase inspections might yield. That has set off alarms among civil liberties groups and travelers’ advocates – and now among some members of Congress who hope to impose restrictions on the practice next year.

They fear the government has crossed a sacred line by rummaging through electronic contact lists and confidential e-mail messages, trade secrets and proprietary business files, financial and medical records and other deeply private information.

These searches, opponents say, threaten Fourth Amendment safeguards against unreasonable search and seizure and could chill free expression and other activities protected by the First Amendment. What’s more, they warn, such searches raise concerns about ethnic and religious profiling since the targets often are Muslims, including U.S. citizens and permanent residents.

“I feel like I don’t have any privacy,” said Shommo, a native of Sudan who has been in the U.S. for more than a decade and plans to apply for citizenship next year. “I don’t feel treated equally to everybody else. I feel discriminated against.”

Customs and Border Protection, part of the Department of Homeland Security, asserts that it has constitutional authority to conduct routine searches at the border – without suspicion of wrongdoing – to prevent dangerous people and property from entering the country. This authority, the government maintains, applies not only to suitcases and bags, but also to books, documents and other printed materials – as well as to electronic devices.

Such searches, the government notes, have uncovered everything from martyrdom videos and other violent jihadist materials to child pornography and stolen intellectual property.

While Homeland Security points out that these procedures predate the attacks of Sept. 11, 2001, civil liberties groups have seen an uptick in complaints about border searches of electronic devices in the past two years, according to Shirin Sinnar, staff attorney at the Asian Law Caucus. In some cases, travelers suspected border agents were copying their files after taking their laptops and cell phones away for anywhere from a few minutes to a few weeks or longer.

Such inspections appear to amount to “a fishing expedition” by border agents, said Farhana Khera, executive director of Muslim Advocates.

These objections led the Asian Law Caucus and the Electronic Frontier Foundation to file a Freedom of Information request to obtain the federal policy on border searches of electronic devices. When the government failed to respond, the groups filed a lawsuit this year. And lawmakers began demanding answers.

So in July, amid the mounting outside pressure, Homeland Security released a formal policy stating that federal agents can search documents and electronic devices at the border without suspicion. The procedures also allow border agents to detain documents and devices for “a reasonable period of time” to perform a thorough search “on-site or at an off-site location.”

The problem with this policy, argues Marcia Hofmann, staff attorney with the Electronic Frontier Foundation, is that the contents of a laptop or other digital device are fundamentally different than those of a typical suitcase.

As Sen. Ron Wyden, D-Ore., who is co-sponsoring one of several bills in Congress that would restrict such searches, put it: “You can’t put your life in a suitcase, but you can put your life on a computer.”

Susan Gurley, executive director of the Association of Corporate Travel Executives, which filed its own Freedom of Information request to obtain the government’s laptop search policy, noted that border searches pose a particular concern for international business travelers. That’s because they often carry sensitive corporate information on their laptops and don’t have the option of leaving their computers at home.

And for many travelers, the concerns go beyond their own privacy or the privacy of their employers. Lawyers may have documents subject to attorney-client privilege. Doctors may be carrying patient records.

Tahir Anwar is an imam at a mosque in San Jose, Calif., so his laptop and iPhone contain confidential information about the mosque’s members, including their personal e-mail messages.

Anwar has traveled abroad 12 times over the past 2 1/2 years and he has been detained upon returning to the U.S. every time. Border agents have searched his laptop and once took away his cell phone for 15 minutes.

Now when Anwar travels, he simply leaves his laptop behind and deletes e-mail off his iPhone before crossing the border, synching it back up with his computer after he gets home.

“People tell me their innermost secrets,” Anwar said. “I tell people to e-mail me, so a lot of personal information is in my e-mail. If people find out that this information is being looked at, I can’t serve my purpose and people won’t come to me.”

For its part, the government argues that some of the most dangerous contraband is transported in digital form today – making searches of electronic devices a crucial law enforcement tool.

Among the successful searches the government cites from recent years: In 2006, a man arriving from the Netherlands at the Minneapolis airport had digital pictures of high-level Al-Qaida officials, and video clips of improvised explosive devices being detonated and of the man reading his will. The man was convicted of visa fraud and removed from the country.

“To treat digital media at the international border differently than Customs and Border Protection has treated documents and other conveyances historically would provide a great advantage to terrorists and others who seek to do us harm,” Jayson Ahern, the agency’s deputy commissioner, said in a statement submitted to the Senate Judiciary subcommittee on the Constitution in June. Homeland Security did not send anyone to testify.

Amy Kudwa, a spokeswoman for the department, also stressed that a tiny fraction of 1 percent of all travelers are singled out for laptop searches at the border. She added that Homeland Security does not profile based on religion, race, ethnicity or any other criteria in conducting such searches.

So far, only a handful of court cases have addressed the issue.

Federal appeals courts in two circuits have upheld warrantless or “suspicionless” computer searches at the border that turned up images of child pornography used as evidence in criminal cases.

But late last year, a U.S. magistrate judge in Vermont ruled that the government could not force a man to divulge the password to his laptop after a search at the Canadian border found child pornography. The U.S. Attorney’s Office in Vermont is appealing the decision to the U.S. district court.

Now Congress is getting involved. A handful of bills have been introduced that could pass next year.

One measure, sponsored by Sen. Russell Feingold, D-Wis., chairman of the Constitution subcommittee, would require reasonable suspicion of illegal activity to search the contents of electronic devices carried by U.S. citizens and legal residents. It would also require probable cause and a warrant or court order to detain a device for more than 24 hours.

And it would prohibit profiling of travelers based on race, ethnicity, religion or national origin.

Rep. Eliot Engel, D-N.Y., is sponsoring a bill in the House that would also require suspicion to inspect electronic devices. Engel said he is not trying to impede legitimate searches to protect national security. But, he said, it is just as important to protect civil liberties.

“It’s outrageous that on a whim, a border agent can just ask you for your laptop,” Engel said. “We can’t just throw our constitutional rights out the window.”

So the comic above is NOT how I feel about unlawful searches. I believe that the ACLU in this particular case is right on the money. This is absolute BS and I am ashamed that this is something that has been practiced. It’s one thing if you are suspected and you get a court order while detaining someone; it’s another to just expect me or anyone to hand over their computers and phones for “inspection” by DHS/TSA/low paid ass monkeys with tin security guard badges.

Now, I really wonder what they would do if they got to look at my system and saw encrypted files? For that matter, how would they handle oh, STEG? Would they even see it? Would their trained monkeys in the back room even know there was something there?

I doubt it.

This is security theater.. Nay… DINNER THEATER!

Buffoons.

Written by Krypt3ia

2008/12/08 at 21:22

Posted in Uncategorized

Bush’s Cyber Secrets Dilemma

Andy Greenberg, 04.10.08, 7:40 PM ET

There’s a problem facing the Bush administration: It has $30 billion to spend over the next five to seven years to keep the U.S. safe from hackers and cyberspies. But to extend that protection to the nation’s critical infrastructure–including banks, telecommunications and transportation–it needs the cooperation of the private sector.

And among corporate executives, even those who want to help are wary: How can the business world participate in the government’s cyber initiative, they ask, if the government remains intensely secretive?

“There’s very little transparency as to the government’s plans,” says Bruce McConnell, a former information technology policy director for the White House’s Office of Management and Budget who now works as a private consultant. “To protect critical infrastructure, we need to create trustworthy mechanisms for sharing information. That can’t happen when one side’s position is secret.”

That call for transparency was a common refrain this past week at the security industry’s biggest gathering, the annual RSA conference held in San Francisco. The government has plenty of money tagged to the Bush administration’s classified Presidential Directive 54, the plan for shoring up the cyber defenses of the U.S. government. But any extension to key parts of the private sector, according to former officials and security professionals, could be hamstringed by the government’s own secrecy.

The need for private sector partnership was a new wrinkle in Department of Homeland Security (DHS) Secretary Michael Chertoff’s speech on the cyber initiative at the conference–one of the first public discussions of the classified program. Chertoff asked the audience to imagine a situation in which hackers took control of the nation’s air traffic control system, comparing the threat to the Sept. 11th attacks. “So many of our national assets are in the hands of the private business,” he said. “We can’t be serious about national security or national cyber security without engaging with the private sector, and not just those in IT, but power plants, financial systems and transportation.”

But given that much of the cyber initiative remains classified–including key details like the anatomy of the government’s new networking monitoring technology and the degree to which it will be deployed on private sector networks–building trust with the private sector will be difficult, McConnell argues. The problem, he says, is the little-discussed role of the National Security Agency in the project, in partnership with the DHS and the Office of the Director of National Intelligence.

“The intelligence community, which is leading this effort, has a tradition of overclassifying information,” McConnell says. “So it’s not surprising that there’s an inappropriate level of classification in an area, which deserves broad public debate.”

The Bush administration’s cyber initiative, signed by the president in early January, aims to increase surveillance of government networks, which have suffered multiple major intrusions in recent years. But the vulnerability of critical infrastructure systems, mostly owned by the private sector, has slowly emerged as a real threat to national security. Over the past two years, cybercriminals extorted hundreds of millions of dollars from critical infrastructure companies, according to Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. (See: America’s Hackable Backbone). In January, a CIA official told a conference of cybersecurity professionals that power outages affecting multiple non-U.S. cities had been the work of hackers. (See: Hackers Cut Cities’ Power).

Marcus Sachs, the executive director of national security policy at Verizon, was hopeful that Chertoff’s appeal to the private sector at RSA might mean more information sharing with those critical infrastructure systems. But so far, he says, details on the cyber initiative have been held closely within the government. “They’re acting like they have a family problem that they can’t tell the neighbors about,” he says. “We feel like we’re absolutely ready to help out, but the family in distress doesn’t want our help.”

Last May, the DHS released a National Infrastructure Protection Plan (NIPP) designed to create channels for security collaboration between the government and business. Those channels, says Sachs, aren’t being used. In March, Forbes.com obtained a document revealing a piece of the cyber initiative known as Project 12, which former officials say is designed to create channels for sharing classified information between government and critical infrastructure. But Project 12 is only a small piece, says Sachs. (See: Show Me Your Cyberspies, I’ll Show You Mine).

“At the very least, there are eleven other projects, and we don’t know anything about those,” Sachs says. “I think we’d all like to learn a little more.”

Laura Sweeney, a DHS spokesperson, countered that it’s still too early to judge how the cyber initiative deals with the private sector–the project is still focused on securing government networks, she argued. But she pointed to NIPP as evidence that the government can successfully work with private industry, even when trading in classified data. “For now we’re focused on getting our own house in order,” she said. “But we’ve realized that the private sector will be an incredibly important partner moving forward.”

But the disconnect between the private sector and government is a familiar problem, says Howard Schmidt, a former Air Force and DHS official who has also held jobs at eBay and Microsoft. “When I was working with a corporation, I would hear from the government about a new attack pattern, and because it was classified, I wouldn’t be able to share it with my IT people,” he says. “It’s a very real problem.”

Despite Chertoff’s comments about private sector partnership and Project 12’s initial attempt to open communication, that old problem of overclassification still afflicts the cyber initiative, says Schmidt. “When I think about what I would do to secure government networks–things like intrusion protection, strong authentication, event correlation and data analysis–none of it would be classified,” he says. “This decision about what to classify is a very big deal, and it’s something that the government has got to fix.”

First, let me start by saying that I don’t think the Bush administration (what’s left of it) “could” work this out to a successful fruition to begin with. That said, what will be left for the Obama administration will be the start of a framework that perhaps they can work with and make a go of. This is my hope.

The problems though are huge. The private sector will not want government oversight, nor will it want the government really knowing its vulnerabilities at all. I mean, well, would you trust the government with your secret shit? Not me… So, what to do? It’s a tough question and I really don’t have an answer.

What I do know is this: SOX and that type of regs are nice but ineffective because they lack any real information security tooth. What if they made the regulations really have consequences? Hmmmm? Real oversight by a governmental body that would look at reports (high level) and certifications that “due diligence” is being carried out by companies on their infosec programs?

Hmmm now you’re talkin….

Written by Krypt3ia

2008/12/08 at 21:08

Posted in Uncategorized

C41

SOUP NAZI!

Written by Krypt3ia

2008/12/08 at 19:18

Posted in Uncategorized