
News Blog

April 8, 2008 6:58 PM PDT

Breaking into a power station in three easy steps

by Elinor Mills

"I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night.

"Frankly, it's really easy to break into the power grid," he said. "It happens all the time."

First, you set up a Web server that downloads spyware onto the computers that visit.

Second, you send an e-mail to people who work inside a power station that entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests.

Third, you wait as the recipients--and everyone else they forwarded the e-mail to--visit the server and get infected.

"Then we had full system control," he said. "Once the malware was downloaded onto their systems...we could see the screens and manipulate the cursors."

It took about a day to set up the attack and was effective within minutes, according to Winkler.

"It had to be shut down after a couple of hours because it was working too well," he said.

This is akin to social engineering attacks that happen all the time, but this attack has more far-reaching consequences than most such attacks.

Power stations running special SCADA control software have the perception that they are more secure than other networked systems. However, they are just as vulnerable because they are connected to the Internet and run on computers that also run Windows NT, he said.

"Things are really this bad," Winkler said. "I'm not exaggerating."

Below is a video showing a staged cyber attack on a power station that Winkler showed during his presentation:

April 8, 2008 1:05 PM PDT

Homeland Security secretary proposes 'Manhattan Project'

by Elinor Mills

Secretary of the Department of Homeland Security Michael Chertoff

(Credit: Charles Cooper/CNET News.com)

Risks from cyberattacks are increasing and the consequences are so great that the country needs a "Manhattan Project" for network security, Michael Chertoff, secretary of the U.S. Department of Homeland Security, said in a keynote on Tuesday at RSA 2008.

"We need a game-changer with how we deal with attacks," he said. "In January, the president signed a homeland security directive, for a national cybersecurity initiative...almost like a Manhattan Project."

"Cyberthreats have enabled terrorists and criminals to do the kind of damage they would never be able to contemplate doing in the real world."
--Homeland Security Secretary Michael Chertoff

"Cyberthreats have enabled terrorists and criminals to do the kind of damage they would never be able to contemplate doing in the real world," he said.

For example, a botnet denial-of-service attack shut down the Estonian government last year for about two weeks, according to Chertoff. "It went beyond simple mischief, and represented an actual threat to government to govern its country."

"A single individual, a small group of people, or a nation-state can exact the kind of damage or disruption that in years past only came when you dropped bombs or set off explosives," he added.

The government needs the "best and brightest" from Silicon Valley and elsewhere in the private sector to work on creating an advanced warning system to prevent such cyberattacks.

"We face a very serious challenge and it's only likely to grow more serious as time passes," Chertoff said. "We're operating in a domain in which traditional military power or the power of the government is insufficient to address the full nature of the threat. A command and control response will simply not be adequate. We need a network response to deal with a network attack."

During a question-and-answer session afterward, Chertoff defended the government's Real ID law, which would create a uniform national ID card. Chertoff said the card would make the country's buildings and airplanes safer from terrorists. Opponents say the inconvenience and privacy concerns outweigh any perceived benefits.

Chertoff asked rhetorically, when choosing between an airline that allows people without identification to board and one that doesn't, "which airline would you put your children on?"

April 2, 2008 9:00 PM PDT

Homeland Security: We're ready to launch spy satellite office

by Anne Broache

The U.S. government has been keeping watch from space for almost 50 years, starting with the Corona program overseen by the National Reconnaissance Office. In September 1967, a Corona camera in orbit took this picture of the Pentagon.

(Credit: National Reconnaissance Office)

WASHINGTON--A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.

During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office.

"I think the way is now clear to stand (the office) up and go warm on it," said Chertoff at Homeland Security's headquarters here.

Right now, these spy satellites are more commonly used for things like monitoring volcanic activity, hurricanes, floods, and various environmental and geological shifts. But the agency has said it sees important applications for the images in other areas within its purview, such as terrorism investigations and illegal immigration busts.

Those plans were delayed, however, after congressional Democrats raised privacy concerns. They said they wouldn't be able to support the program until the agency lays out exactly what legal framework it will be using to fulfill requests by, say, state and local police, and how it will protect Americans' civil liberties.

Chertoff said Wednesday that the department has completed the privacy impact assessments for the new office and should be releasing them within a few days. He said that members of Congress have received briefings and that he thinks there's a "good process in place to make sure there aren't any legal transgressions."

This photo shows the Soviet Union's Dolon Air Field in August 1966. The NRO calls Corona the "first operational space photo reconnaissance satellite."

(Credit: National Reconnaissance Office)

In the past, Homeland Security officials have downplayed the implications of allowing more agencies to access the satellites, arguing that in addition to scientific applications, the technique has already been employed from time to time by the Secret Service and FBI. For instance, when a well-publicized series of sniper attacks swept through the Washington, D.C., area in October 2002, the CIA and FBI were permitted to use images provided by the National Geospatial Intelligence Agency to look for places snipers might hide along highways along the east coast.

"I think we have fully addressed everybody's concerns," Chertoff said Wednesday. "We've made it clear this is not going to be interception of communications, verbal or oral or written. That's still going to be done under the traditional way."

The Homeland Security secretary, however, may not have that easy a time persuading congressional overseers.

Within the next few days, Reps. Jane Harman (D-Calif.) and Christopher Carney (D-Penn.), who lead Homeland Security subcommittees, are planning to send Chertoff a letter that says the new scheme still isn't ready for launch, a Democratic aide to the U.S. House of Representatives Homeland Security Committee, which oversees the department, told CNET News.com on Wednesday.

Committee leaders say the charter for the National Applications Office is "wholly inadequate," said the aide, who spoke on condition of anonymity since the letter is still being drafted. They plan to criticize the department for allegedly failing to outline the legal framework and other "standard operating procedures" governing the program.

Furthermore, the Government Accountability Office has not yet vetted the program's privacy guidelines, which was made a condition for the National Applications Office to receive congressional funding, the aide said.

On cybersecurity
Also at the roundtable discussion, Chertoff attempted to defuse concerns that Homeland Security's cybersecurity arm plans to "sit on the Internet," as he put it, and monitor traffic in a manner reminiscent of the Chinese government.

As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, which will, among other things, monitor visits from Americans and foreigners visiting .gov Web sites. The setup is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide.

In addition to outfitting federal networks with those tools, Chertoff said the government also plans to help companies to fend off cyberattacks by offering some of its "classified" intrusion detection tools--but such aid will be purely optional.

As for the department's broader strategy, "in some ways, it's more and better of what we're doing," Chertoff said. "In some cases, it may involve some additional things I can't talk about."

In addition, Chertoff spoke about the Real ID Act and the department's May 11 deadline--see our separate story.

March 14, 2008 10:21 AM PDT

Homeland Security 'Cyber Storm' simulates crisis

by Anne Broache

At U.S. Secret Service headquarters, numerous companies, and state and international government offices this week, computer security types have been forced to fend off hundreds of potentially crippling cyberattacks.

No need to worry, though--at least this time around, no actual networks were harmed in the process.

It was all part of the Department of Homeland Security's second iteration of Cyber Storm. The weeklong, congressionally mandated exercise is designed to test the readiness of government and business officials if confronted by cyberthreats to critical networked services, from transportation systems to the electrical grid to chemical plants.

This time around, the mock attack involved officials from 18 federal government agencies, four foreign countries (Australia, Canada, New Zealand, and the United Kingdom), nine states, and more than 40 companies (among them: McAfee, Microsoft, Cisco, Dow Chemical Company, Juniper Networks, and Wachovia).

Homeland Security is hailing the exercise as the largest-ever simulation of its kind, with a significant uptick in the number of "incidents" lobbed at participants. That may be true, but since it's also only the second such activity of its kind, it seems only logical that its scale would grow over time.

Participants this year have had to contend with nearly 2,000 "injects," ranging from hacker intrusions to amped-up denial-of-service attacks, with intentionally misleading intelligence information thrown in just to make things even more difficult, according to DHS officials' interviews in other published reports.

Cyber Storm I, which played out over a week in February 2006, involved seven federal agencies, more than 30 companies, and the same five countries. At the time, it was called the "most complex multinational, cross-sector cyber exercise to date" and involved coordination among people in 60 different physical locations.

A fairly general report on Cyber Storm I (PDF) spotlighted a number of remaining challenges, such as an insufficient number of "technical experts" on board to decipher loads of information pouring in; difficulties figuring out whom to call within organizations to seek help during crises; and lack of a "triage" plan for cyber incidents.

But we probably won't know for quite a while exactly what the Cyber Storm II exercise looked like or how well the responses to incidents held up.

After all, it wasn't until nearly two years after Cyber Storm I that the Associated Press was able to obtain a portion of heavily censored internal files that shed some light on the scenarios. Fake catastrophes ranged from downed New York seaport computers, to bloggers revealing locations of railcars with hazardous materials, to airport control tower disruptions in Philadelphia and Chicago.

February 28, 2008 11:38 AM PST

Congress worries that .gov monitoring will spy on Americans

by Anne Broache

WASHINGTON--A new Bush administration plan to capture and analyze traffic on all federal government networks in real time is generating privacy worries from congressional Democrats and Republicans alike.

At a hearing convened here Thursday by the U.S. House of Representatives Homeland Security Committee, politicians directed pointed questions to Department of Homeland Security officials about their plans to expand an existing "intrusion detection" system known as Einstein. Among other things, the system will monitor visits from Americans--and foreigners--visiting .gov Web sites.

Einstein, which DHS calls an "early warning system" for cyber-incidents, is described in a Homeland Security document from September 2004 as "an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government." It's still only in place at 15 federal agencies, but Homeland Security Secretary Michael Chertoff is requesting $293.5 million from Congress in next year's budget to roll it out government-wide.

The round-the-clock system captures traffic flow data, which currently includes source and destination IP addresses and ports, Internet Control Message Protocol data, and the length of data packets. According to an internal 2004 privacy impact assessment (PDF), "the program is not intended to collect information that will be retrieved by name or personal identifier." Members of the U.S. Computer Emergency Readiness Team, which coordinates federal responses to cyber attacks, analyze the downloaded records once per day in hopes of detecting worms and other "anomalous activity," pinpointing trends, and advising agencies on how best to configure their systems.
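The paragraph above lists the flow fields Einstein collects (source and destination IP addresses and ports, ICMP data, packet lengths) and says analysts look through the records for worms and other "anomalous activity." The script below is an added illustration of what such flow-level analysis can look like; it is not DHS or US-CERT code, and the record format, the thresholds and the sample records are all constructed for the example. It flags a source that fans out to many distinct destinations on one port (the propagation pattern of a scanning worm) and reports how uniform that source's packet sizes are, since automated traffic tends to be far more regular than human use.

```python
"""Toy flow-record analysis in the spirit of the Einstein description above.

Added example, not DHS/US-CERT code. The record layout
('src dst proto dport bytes'), the thresholds and the sample data are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp
    nbytes: int


# Constructed sample: a normal web client, one ping, and one host
# sweeping 40 neighbours on TCP/445 with identical tiny flows.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.2.0.10", "tcp", 80, 1420),
    Flow("10.1.1.5", "10.2.0.11", "tcp", 443, 980),
    Flow("10.1.1.5", "10.2.0.10", "tcp", 80, 3310),
    Flow("10.1.1.9", "10.2.0.10", "icmp", 0, 64),
] + [Flow("10.1.7.77", f"10.2.0.{i}", "tcp", 445, 92) for i in range(1, 41)]


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport bytes' record."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto, int(dport), int(nbytes))


def fanout_by_source(flows):
    """Map (src, proto, dport) -> set of distinct destinations contacted."""
    out = defaultdict(set)
    for f in flows:
        out[(f.src, f.proto, f.dport)].add(f.dst)
    return out


def find_scanners(flows, min_targets=20):
    """Sources whose fan-out on a single port meets the threshold."""
    hits = []
    for (src, proto, dport), dsts in fanout_by_source(flows).items():
        if len(dsts) >= min_targets:
            hits.append((src, proto, dport, len(dsts)))
    return sorted(hits)


def size_regularity(flows, src):
    """Fraction of flows from src that share the single most common byte count."""
    sizes = [f.nbytes for f in flows if f.src == src]
    if not sizes:
        return 0.0
    most_common = max(set(sizes), key=sizes.count)
    return sizes.count(most_common) / len(sizes)


def report(flows, min_targets=20):
    """Combine both heuristics into a list of alert dicts for an analyst."""
    alerts = []
    for src, proto, dport, n in find_scanners(flows, min_targets):
        alerts.append({"src": src, "proto": proto, "dport": dport,
                       "targets": n,
                       "size_regularity": size_regularity(flows, src)})
    return alerts


if __name__ == "__main__":
    for alert in report(SAMPLE_FLOWS):
        print(alert)
```

Note that nothing here needs packet payloads: the fan-out and size-regularity signals come entirely from the header-level fields the article says the system records, which is also why Lewis, quoted further down, draws the privacy line at whether content is stored and read.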

Homeland Security says the setup has helped reduce the time it takes for agencies to share such data from four to five days to four to five hours. The next step is to hire more analysts and enable the analysis to occur in real time, DHS says.

Beyond that, it's not exactly clear what will change, including whether the system will gather more information than before, or what will be done with it. But some politicians said they're already apprehensive about the new plans.

"I encourage you to try to find something beyond Einstein that's going to be focusing on bad guys, not just focusing on the general public but finding some way to protect the privacy of American citizens," said Rep. Paul Broun (R-Ga.).

Rep. Jane Harman (D-Calif.) criticized the department on one hand for failing to treat cyber threats with sufficient urgency--a common refrain from members of both parties ever since the sprawling government agency's inception. But she also questioned the new approach being offered.

"I can assure you constituents of mine listening to this hearing are thinking about this as the government sets up a new spy network," she said. "What would you advise me to tell my constituents (who want to know) how I'm going to stop this latest government spy network?"

Homeland Security under secretary Robert Jamison presides over an agency division that's responsible for coordinating all federal cybersecurity activities.

(Credit: U.S. Department of Homeland Security)

Robert Jamison, a Homeland Security undersecretary whose division oversees cybersecurity activities, declined to talk specifics, saying details must be reserved for a classified session.

"We have privacy and civil rights folks involved in this," he said. "We're in the process doing a privacy impact assessment for the new capability as we move forward."

Government agencies are required by law to produce such a report whenever they're planning to use a new technology that could involve collection of personally identifiable information. The goal is to ensure that no information is collected, stored, or accessed either unnecessarily or unlawfully.

The fact that Homeland Security officials are drawing up a new privacy impact assessment for the expansion of the Einstein project would seem to indicate they're considering gathering additional information, although it was unclear after Thursday's hearing whether that's the case.

Jamison, for one, claimed Einstein's new capabilities will be "no different" from those in commercial products used to detect worms or other malware. He indicated, however, that the government has no intention of scaling back the scope of its network monitoring.

"Adversaries are very adept at hiding their attacks in normal traffic--normal, everyday traffic that comes across the network that very well could be disguised and could be malicious," Jamison told the committee.

Einstein is just one part of Homeland Security's attempts to revamp its cybersecurity reputation. It's also working with the Office of Management and Budget on a project that would reduce the number of points at which all federal agency networks connect to the Internet--which right now numbers around 4,000--and thus encounter vulnerabilities from outside their realms.

Whenever a system monitors users' communications, privacy concerns naturally arise, said James Lewis, who runs the technology policy wing of the Center for Strategic and International Studies, a Washington think tank, and is working with members of Congress to devise cybersecurity policy recommendations for the next president. In this case, however, he said he didn't see any reason to be alarmed about Einstein quite yet.

"For Einstein to really affect privacy, you'd need to monitor and collect the communications, store them, and analyze them (e.g. have somebody actually read the content)," he said in an e-mail interview after Thursday's hearing. "I'm told that DHS won't store Einstein data and won't be analyzing it, which greatly reduces any risk to privacy."

Committee leaders warned that they'd be watching closely to see whether the plans pan out.

"It's hard to believe this administration now believes it has the answers to secure our federal networks and critical infrastructure," said Committee Chairman Bennie Thompson (D-Miss.).

November 1, 2007 12:54 PM PDT

Identity stolen? Senators want thieves to pay for your troubles

by Anne Broache

Identity theft victims would be allowed to request monetary compensation for the time they spent getting their lives back in order under a bill approved by a U.S. Senate panel.

The Identity Theft Enforcement and Restitution Act of 2007 would allow those who fell prey to identity fraud to seek "criminal restitution"--that is, payouts from the offender in a particular case--for time "reasonably" spent correcting "actual" or "intended" harm.

While potentially significant, it's unclear exactly how much of an impact the legal changes would make, should they be made law (and they're a few steps off from that yet).

According to a Javelin Strategy and Research survey of 5,000 American adults released earlier this year, the number of identity theft victims has declined in recent years, as has the amount of time spent dealing with those harms.

In 2003, there were about 10.1 million adult victims of identity fraud in the United States, but that number dropped to about 8.4 million this year. Meanwhile, the average number of hours each victim spent resolving those issues declined from about 40 hours in 2003 to 25 in 2007.

Threaten to steal data, end up in prison?
The Senate bill transcends identity theft-related issues, crossing over into cybercrime. It also includes rewrites to federal computer crime laws that are designed to make it easier for police to punish hackers, keyloggers, and spyware purveyors whose acts may not do quantifiable damage.

Under current law, federal prosecutors can go after only computer crimes that result in at least $5,000 in damage or losses to a victim's computer. Current law also requires that hacking cross state borders, immunizing from federal prosecution crimes in which the hacker and the victim are in the same state. But the approved Senate bill would remove those requirements in criminal cases.

The bill would also make it a felony to damage 10 or more computers with spyware or keyloggers, regardless of how much damage is done. It would create a new crime: threatening to steal or release information from a computer, with the intent to extort money or anything else of value from the person being threatened. Those offenses would carry up to five years in prison, fines, or both.

The Senate bill also adds additional penalties for cybercriminals. They'd be forced to give up any property used to commit their crimes or obtained in the process of those activities.

Sen. Patrick Leahy (D-Vt.), who sponsored the bill along with Sen. Arlen Specter (R-Penn.), said the proposal contains "important and long-overdue steps to protect Americans from the growing and evolving threat of identity theft and other cybercrimes."

The measure doesn't appear to be particularly controversial. It's backed by the U.S. Department of Justice and the Secret Service, and it has also drawn support from a diverse set of groups, including the AARP, the Consumers Union, the Cyber Security Industry Alliance, and the Business Software Alliance, Leahy said. The BSA, for its part, said it would be pressuring the House of Representatives to act this year on a similar proposal, as well as pressuring the full Senate to bless the bill approved in committee Thursday.

October 30, 2007 10:23 AM PDT

Will the next U.S. president lead on cybersecurity?

by Anne Broache

WASHINGTON--The presidential elections may be more than a year off, but a newly unveiled group is already plotting how to ensure No. 44 has a fresh "blueprint" for managing cybercrises.

The Center for Strategic and International Studies, a Washington-based think tank, said on Tuesday that it's forming an independent, nonpartisan Commission on Cyber Security for the 44th Presidency, composed of more than 30 people who are considered experts in the field.

Its goal by the end of 2008 is to "come up with a set of recommendations for the next administration, whether Democratic or Republican," James Lewis, a senior fellow at CSIS, said at a morning press conference here on Capitol Hill.

It's not as though strategic cybersecurity plans don't already exist. More than four years ago, President Bush signed off on a policy statement known as the "National Strategy to Secure Cyberspace."

But Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Texas), who currently head a House of Representatives cybersecurity subcommittee, said they believe the new group is necessary because they've seen firsthand that the government still isn't paying enough attention to cybersecurity. They said they feared that future cyberintrusions could do everything from disrupting the electrical grid to throwing off bank balance sheets.

"This is really about trying to manage, reduce and eliminate possible risks and vulnerabilities that are out there," Langevin said.

Langevin and McCaul will be co-chairing the commission, along with Adm. Bobby Inman, former director of the National Security Agency and now a professor at the University of Texas, and Scott Charney, Microsoft's corporate vice president for Trustworthy Computing.

The commission will comprise 32 other members, including several former high-level officials from agencies like the Department of Justice, the Office of Management and Budget, the Federal Trade Commission, and the Department of Homeland Security.

McCaul said he envisioned the commission's work product being as important as the recommendations issued by the 9/11 Commission, which probed the attacks and the government's response.

"This is not a political exercise," McCaul said. "This issue is far too important for partisan agendas."

But unlike the 9/11 Commission, this group won't be aggressively subpoenaing documents and assessing what has happened in the past on the cyberfront. Rather, it plans to take a look at current and future threats, scrutinize existing government policies toward cybersecurity, and chart a path for information security for both the government and private companies.

The group plans to hold four "plenary sessions" next year, but it wasn't immediately clear whether those sessions would be open to the public, because classified material may be involved.

October 17, 2007 4:10 PM PDT

Will cyberintrusions crash U.S. electrical grid?

by Anne Broache

WASHINGTON--Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.

Without tougher security standards, Americans are in danger of hacker-induced blackouts, some politicians say.

(Credit: Declan McCullagh/mccullagh.org)

This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.

Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid, the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.

"I'll be blunt--if this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty," said Rep. Jim Langevin (D-R.I.), chairman of a House of Representatives cybersecurity panel that convened a hearing here on the topic Wednesday afternoon.

It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.

But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.

Feds: We're on it
Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem. Homeland Security's cybersecurity czar, Greg Garcia, told politicians Wednesday that his agency is handing out cybersecurity self-assessment guidelines to control systems operators, offering training to workers in that sphere, and distributing recommended "mitigations" against real-world attacks like the one simulated in Idaho.

And right now, the Federal Energy Regulatory Commission (FERC), which is responsible for overseeing the reliability of the nation's power systems, is considering proposed rules that purport to strengthen cybersecurity standards for the nation's power systems.

That proposal, however, falls woefully short of offering sufficient protections, Langevin and his Democratic and Republican colleagues said in comments filed recently with FERC. One major problem: The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.

The politicians are urging FERC to incorporate some of the more comprehensive, stringent standards developed by the National Institute of Standards and Technology, which is considered home to the government's technical experts.

Weiss, the consultant, argued that the infamous blackout that pummeled the Northeast in August 2003 (and was reportedly linked to the so-called MSBlast worm) arguably wouldn't have been prevented by the proposed regulations, but the NIST rules are comprehensive enough to deal with that issue.

Some suggested that the rules may not be up to par because, as required by law, they were devised chiefly by a group called the North American Electric Reliability Corporation (NERC), which was long considered the trade association for the power industry and was recently given legal authority to propose regulations for federal regulators to approve. An entity with those potential conflicts of interest isn't necessarily well-positioned to come up with objective standards, and it's high time for Congress to create a more independent means of devising critically important cybersecurity rules, Weiss said.

Rep. Zoe Lofgren (D-Calif.) appeared sympathetic to that idea and suggested that Homeland Security's cybersecurity division should be granted more authority to help out. "I don't think the energy sector is necessarily the expert on cybersecurity," she said.

NERC Executive Vice President David Whiteley said his organization was open to revising the proposed rules, while Joseph McClelland, director of FERC's Office of Electric Reliability, acknowledged that further improvements should be made before the rules gain final approval.

Although the electric grid was the primary focus Wednesday, threats to the control systems that deal with myriad other types of utilities could also prove, how shall we say, messy.

After all, the first prominent recorded incident of such an act came in 2000, when a software developer in Australia, apparently miffed after being turned down for a government job, used stolen radio equipment to hack into a system controlling a sewage plant. On nearly 50 occasions, he sent malicious code that opened control valves, causing refuse to ooze into nearby rivers and parks.

October 1, 2007 12:23 PM PDT

Phishing e-mails drive FTC chief 'insane'

by Anne Broache

WASHINGTON--If your in-box is pelted by a seemingly ever-growing supply of inquisitive e-mails purporting to come from the likes of PayPal and Bank of America, the federal agency charged with consumer protection says it feels your pain.

FTC Chairman Deborah Majoras

The deceptive technique--in which crooks dispatch e-mails requesting sensitive personal information, typically by masquerading as financial institutions--"is one practice that absolutely drives me insane," Federal Trade Commission Chairman Deborah Platt Majoras told attendees at the first National Cybersecurity Awareness Summit, which was put on here Monday by a nonprofit partnership of federal government agencies and software vendors.

That's because phishing, more so than some other forms of cyber malice, is a prime example of a tactic that would all but evaporate if more consumers were better informed of what to look out for, she suggested. (After all, it's also an only slightly higher-tech variant of one of the oldest scams in the book--the "ph" comes from the original telephone-based variety of phony information-seeking.)

"I feel like if we could just teach every consumer what this means, never respond to that kind of contact, and train them to hit delete and not reply, we could clear this up," she said.

To that end, the agency is concocting a new video to supply "important information about phishing" and plotting other ways to "revitalize consumer education efforts," Majoras said. Working with the financial sector to spread the word will be critical because the messages so often rely on confusing consumers with the real thing, she added.

Attempting to go after the enterprising e-mailers in court will play some role, too. Majoras said the commission has already targeted phishers with three civil cases and has also worked closely with the Department of Justice to pursue criminal penalties, which the FTC doesn't have the authority to levy, in what they hope will supply a further deterrent.

At the moment, the FTC has about two dozen open investigations involving corporate data security practices, she said, adding, "where appropriate, we will again take enforcement actions."

But it's questionable whether such actions will really make a dent. Phishing attempts have by far outnumbered any other sort of malicious activity reported to the U.S. Computer Emergency Readiness Team (US-CERT) since 2003, accounting for nearly 42,000 of some 63,000 total reports, Department of Homeland Security cybersecurity czar Greg Garcia told summit attendees.

Still, there's no reason for panic, said Wayne Abernathy, who represents the American Bankers Association. It's actually quite simple--banks don't do business by asking consumers for basic account information via e-mail, he said. "If customers receive e-mails asking for such information, they should consider them to be fraudulent in nature," he told summit attendees.

October 1, 2007 11:18 AM PDT

U.S. cybersecurity czar: Help us help you

by Anne Broache
  • 1 comment

WASHINGTON--The U.S. government's cybersecurity czar on Monday called on those in the know to become "ambassadors" of the protect-thy-computer message to the masses.

Greg Garcia, DHS cybersecurity chief

Greg Garcia, assistant secretary for cybersecurity and communications within the Department of Homeland Security, said it's critical for everyone to take cyberrisks seriously, in hopes of meeting his department's ultimate goal: making the United States "the most dangerous place in the real world for cybercriminals to do business."

Welcome to the fourth annual National Cybersecurity Awareness month, the government's designated time for drumbeating how much it cares about apprehending cybercrooks, keeping your own data under wraps and pressuring others to treat it with care as well. That's no small task, as Homeland Security in particular has drawn criticism for years--and as recently as a few months ago--from politicians concerned the agency chiefly responsible for coordinating the nation's response to cyberincidents hasn't been doing a good enough job at it.

Garcia spoke at the inaugural National Cybersecurity Awareness Summit, a daylong event put on here by a non-profit partnership of federal government agencies and software vendors like Microsoft, McAfee, Symantec and Computer Associates.

But his pep talk wouldn't have been complete without the prognostications of doom and gloom evoked so often in this space. In this case, Garcia said the number of cyberincidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) has been growing ever since the clearinghouse for tracking and managing security incidents was established in 2003, and the report tally is likely to continue to rise. That's not necessarily because the raw number of attacks or other malicious events is climbing, though--it may just be because more people are becoming aware of US-CERT's services.

Within the federal government, Garcia said he's aiming to get all cabinet-level agencies hooked up by the end of next year to a system known as Einstein. It's the first tool that has allowed agencies to watch in real time over traffic patterns at their network gateways in an attempt to spot worms or other unwanted presences. The 13 federal agencies currently using the tool have been able to report problematic sightings to US-CERT within four to five hours, rather than four to five days, Garcia said.

Homeland Security is also preparing to release a document outlining essential skills that IT security professionals need and to stage another mock cyberattack, known as Cyber Storm 2, next March. As with the first exercise conducted last year, it's intended to test the readiness and potential responses of various government and private sector entities should a massive cybercatastrophe strike.

But ultimately, securing cyberspace depends on each computer user taking on a measure of "personal responsibility," Garcia said. He urged people to bone up on the educational materials available at Web sites like OnGuardOnline.gov and StaySafeOnline.org and to encourage others to do the same.
