Spammers are hoping to rouse Obama critics to launch a cyber protest and to download malware onto their PCs in the process.
New spam is circulating that supposedly offers a way for people to use their computers to launch a denial-of-service attack on the Web site of President Obama, researchers said on Tuesday.
The e-mail message says: "If You dont like Obama come here, you can help to ddos his site with your installs."
The e-mail then provides a link to a Web site where visitors are offered money for installing the supposed denial-of-service (DoS) software, according to a blog posting on the site of e-mail security provider Proofpoint.
The spam site also tells visitors to come back and get updated versions of the purported denial of service software if their antivirus program is detecting it as malware and disabling it.
It's not clear whether the software does turn the computer into a DoS attacking zombie, or what it does, if anything. But it would be crazy to expose your computer like that, regardless of your political leanings.
Acting White House Cyberspace Director Melissa Hathaway, who has reportedly resigned her post, addresses cybersecurity during the RSA computer security conference in April. (Credit: James Martin/CNET)
Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, has resigned from her post, citing personal reasons, according to The Wall Street Journal.
The White House press office did not immediately respond to a call seeking confirmation of her resignation, but a spokesman has offered an e-mail statement to other publications.
"We are grateful for her dedicated service and for the significant progress she and her team have made on our national cybersecurity strategy," White House spokesman Nick Shapiro said in an e-mail to the publication Federal Computer Week.
The timing of Hathaway's resignation is a bit surprising, given that President Obama was reportedly getting close to choosing a permanent replacement for her post as the country's "cyberczar," a position he created in late May. Hathaway, who had worked for the director of national intelligence in the Bush administration, led the Obama administration's recent 60-day review of the federal government's cybersecurity efforts.
At one point, Hathaway was considered a leading candidate to take over the cyberczar post permanently. But the Journal said she took her name out of the running two weeks ago. "She said she was leaving for personal reasons and that she plans to remain working in the cybersecurity arena," according to the Journal post, which added that her resignation will take effect August 21.
This was originally published at CBSNews.com.
President Obama on Friday confirmed that his presidential campaign suffered a cyber intrusion in which hackers gained access to a range of files.
Barack Obama says of cyberattacks: "It has happened to me." (Credit: CBS)
In a speech in which he unveiled a plan for a comprehensive national cybersecurity strategy, the president said he understands what it is like to be a victim of a cyberattack because "it has happened to me and the people around me."
Between the months of August and October, Obama said, hackers accessed files including policy papers and travel plans. Files pertaining to fundraising information were left untouched, he assured his supporters in a joking manner.
Obama noted that his campaign's vulnerabilities reflected those of the rest of the world in the digital era.
"It's no secret my presidential campaign harnessed the Internet" to communicate with a wide swath of supporters, he said. However, the hacking was "a powerful reminder...one of your greatest strengths, our ability to communicate...could also be one of your greatest vulnerabilities."
The campaign worked with federal agents and hired security consultants to address the breach, Obama said. Newsweek reported in November that federal agents were investigating cyberbreaches of both the Obama and McCain campaigns.
President Obama in early February assigned Melissa Hathaway, a former consultant at Booz Allen Hamilton, to review the status of the nation's cybersecurity defenses, processes, and organization and report back to him with the findings 60 days hence. The president now has the results of the Hathaway study and the findings are likely to be made public this week.
Melissa Hathaway (Credit: BusinessWire)
While anticipation around the Hathaway study has reached a fever pitch, the report itself is bound to be anticlimactic at best. Why? Much of the detail will be deemed as "classified" so the report conclusions will only be communicated in general terms. What's more, cybersecurity is not exactly an esoteric topic. The Center for Strategic and International Studies released a report of recommendations for President Obama in December 2008 while the Dartmouth Institute for Information Infrastructure Protection released its own cybersecurity report in February. Finally, there was the heavily publicized resignation of former director of the National Cybersecurity Center, who publicly accused the NSA of trying to control the whole cybersecurity enchilada.
Given all of this public discussion, the security community is fairly certain about the Hathaway report findings and recommendations. At a high level, the report will highlight the following conclusions and recommendations:
People. There are too many people doing redundant tasks in some areas and too few in others. The report will recommend a new position reporting to the Office of the President responsible for cybersecurity oversight.
Process. The Federal Information Security Management Act of 2002 is badly broken and needs to be aligned with departmental missions and not check boxes. It is also likely that the report will call for new best practices from the National Institute of Standards as well. Finally, the report will link cybersecurity and procurement with new security requirements for federal technology suppliers.
Technology. While the federal government has spent billions on security technologies over the past few years, the report will likely recommend even more. For example, Hathaway may recommend federal funding for digital identity projects like the RealID Act and Homeland Security Presidential Directive 12.
Finally, the report will disclose that communication, cooperation, and technology integration between the public and private sector need to be updated, improved, and funded.
These are important matters indeed, but none of the points here are new, and we are burning precious cycles studying and discussing the same issues over and over. When your house is on fire, you don't stand around and debate whether the cause was faulty electricity or arson--you call 911 and get out as fast as you can.
Talk (and written reports) is cheap and there is far too much of it going on inside the Beltway. Let's hope that this report leads to a Trumanesque management philosophy where President Obama declares that, "the cybersecurity buck stops here," quickly initiating a series of actions, resources, and legislation to finally address these critical vulnerabilities. If the report recommends further study or a presidential commission, call your congressman and demand action.
As the financial meltdown continues, there has still been plenty of attention on cybersecurity within the Beltway. Note these three events last week in Washington.
Budget increases. President Obama's proposed 2010 budget includes $42.7 billion for the Department of Homeland Security with cybersecurity spending included in this sum. Additionally, the budget allocates $355 million to the National Cyber Security Division. There are a few additional items that affect cybersecurity.
A new cybersecurity report. A new report from Dartmouth College's Institute for Information Infrastructure Protection (I3P) was delivered to U.S. Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), who serve as the chairperson and ranking member of the Senate Committee on Homeland Security and Government Affairs, respectively. The report recommends a coordinated response across the government and the private sector, coordinated metrics to assess progress, and an increasing focus on cybersecurity education.
The National Institute of Standards and Technology (NIST) is revising its "Guide to Enterprise Telework and Remote Access Security," first published in 2002. While NIST is a federal government entity, this is an excellent set of guidelines for any organization providing remote access to its network for employees and third parties. NIST is asking for comments to this new publication, NIST 800-46 Revision 1, by March 27.
As a security professional, I am always worried that security concerns will be ignored when times get tough. It is nice to see that the Obama administration recognizes the scope of cybersecurity issues and is willing to fund efforts to address these problems rather than take the old "security by obscurity" approach.
President Obama's first flight in Marine One. (Credit: White House)
An Internet security company claims that Iran has taken advantage of a computer security breach to obtain engineering and communications information about Marine One, President Barack Obama's helicopter, according to a report by WPXI, NBC's affiliate in Pittsburgh.
Tiversa, headquartered in Cranberry Township, Pa., reportedly discovered a security breach that led to the transfer of military information to an Iranian IP address, according to WPXI. The information is said to include planned engineering upgrades, avionic schematics, and computer network information.
The channel quoted the company's CEO, Bob Boback, who said Tiversa found a file containing the entire blueprints and avionics package for Marine One.
"What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback told WPXI.
Tiversa makes products that monitor the sharing of files online. A representative for the company was not immediately available for comment.
Boback believes that the files probably were transferred through a peer-to-peer file-sharing network such as LimeWire or BearShare, then compromised.
A new Internet worm that displays an image of President Obama is likely a prank by a student, several security experts speculated on Thursday.
Walling Data, a distributor of AVG security software, said the worm it discovered on computers at an Illinois grade school spreads via external devices like USB drives and network shares. Once a week, on Mondays, it displays a photo of President Obama's face in the lower right corner of screens on infected computers, but otherwise appears to be more of a nuisance than a threat.
The worm looks like a variant of MAL_OTORUN code that spreads using thumb drives and network shares, said Jamz Yaneza, a senior threat analyst and researcher at Trend Micro.
"Someone played around with one of the many number of DIY malware kits and just added this small social engineering bait of Obama's picture," he wrote in an e-mail. Given that it lacks a malicious payload, "it is probably some prank by a student since today's 'serious' malware, as you may have noticed, would have at least installed a keylogger to steal some information."
Roger Thompson, owner of Thompson Security Labs, who said he was informed about the worm by AVG, wrote on his Thompson Cyber Security Labs blog a note to administrators at the school where the worm was found: "There's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth."
Once a week, the Obama worm displays a picture of the president's face on infected PCs. (Credit: Walling Data/Roger Thompson)
We have Valentine's Day and Mother's Day and even Inauguration Day. And now that cyber crooks have turned the Internet into their playground, we've got Data Privacy Day.
Companies and agencies in the U.S., Canada and more than two dozen European countries will be holding events in honor of Data Privacy Day on Wednesday geared toward educating consumers as to how to better protect themselves online.
And privacy groups are sending messages to the newly installed administration of President Obama.
In the latest issue of The Identity Theft Newsletter, three consumer privacy experts give their advice.
Jay Foley, who founded the nonprofit Identity Theft Resource Center, suggests ways to curb identity fraud that uses the identities of children and the deceased. Pam Dixon, executive director of the World Privacy Forum, suggests centralizing control of all identity fraud-related issues under the Federal Trade Commission and adopting a federal law requiring companies to report data breaches to the agency. Similarly, Chris Hoofnagle, director of the Berkeley Center for Law and Technology, would like to see companies share information on identity-fraud rates.
The Electronic Frontier Foundation, a group that advocates for the rights of Internet users, has its own suggestion for Obama's administration. In a statement published on its Web site on Tuesday, the EFF said the new Whitehouse.gov site uses embedded YouTube movies that place a cookie on the visitor's computer, which enables tracking of the computer as it visits different Web sites. The White House should work with YouTube to end the retention of cookie data for any video on a government site, the EFF said.
Even private companies were getting in on the act. Executives at one pharmaceutical research company in the U.S. distributed an e-mail to workers encouraging them to clean up their data files on Wednesday.
"Never have time to send those files to off-site storage or identify piles of old papers that should be shredded? Have you neglected to clean out your e-mail folders? Take time to do it on Data Privacy Day!" the e-mail says. "Don't retain sensitive data longer than it needs to be kept. This applies to paper documents, as well as computer files and e-mails. Keeping unnecessary data creates risks to the individuals whose data is kept beyond the required date and takes up valuable storage space both in file rooms and online."
Meanwhile, Microsoft was preparing to host a Data Privacy Day panel in San Francisco on Wednesday afternoon. The panel will include representatives from MySpace, Intel, the California Office of Privacy Protection, Teenangels and the Center for Democracy and Technology.
Microsoft also will discuss findings of two focus groups, including the fact that while consumers are concerned about online privacy, they tend to have a "surface understanding" of how to protect against the threats they face online. Identity fraud is the most prevalent concern for consumers, while another top concern is the sharing or selling of personal information without their consent.
"There's a sense of resignation" among consumers, but education is the key, Peter Cullen, Microsoft's chief privacy strategist, said in an interview on Tuesday.
"To say it's hopeless is not accurate at all," he said. "It means all of us have to be prepared to invest so we don't lose the consumer trust."
To get the word out to people, Microsoft partners with organizations like the American Association of Retired People to reach certain groups and offers basic tools and tips for consumers on its Web site, according to Cullen.
Microsoft also provides information in its products that users can see when they are surfing. For instance, Internet Explorer 8 has a filtering agent that alerts users when one online site seems to be collecting a lot of data that could be used for behavioral targeting and other advertising means, he said.
Microsoft was one of the companies that, a decade ago, liberal privacy groups loved to hate. The Electronic Privacy Information Center, for instance, sent letters to state attorneys general and the Federal Trade Commission urging action against the company's authentication system called Microsoft Passport. The FTC and Microsoft eventually settled; Microsoft also abandoned its so-called Hailstorm program, which would have expanded Passport.
But now two things have happened to change how Microsoft approaches privacy. The first is being under an antitrust consent decree, which has subjected the Redmond, Washington-based company to ongoing regulation and has made it less aggressive in some areas. The second is that it has found privacy to be a useful argument against "cloud computing" in general and Google in particular, and it is trying to restyle itself as a "pro-privacy" company and Google as the opposite.
Update 3 p.m. PST January 28: A Microsoft spokeswoman said that Microsoft does not oppose cloud computing so much as it sees privacy as a competitive differentiator in that market.
CNET News' Declan McCullagh contributed to this report.
The administration of President Barack Obama will be hiring a new national cyber adviser, according to the agenda for homeland security released on his first full day in office.
Janet Napolitano sworn in at her confirmation hearing. (Credit: U.S. Department of Homeland Security)
The Agenda for Homeland Security, released Wednesday, lists goals for defeating terrorism and improving intelligence gathering, as well as for protecting the nation's information networks and critical infrastructure.
The top item under protecting information networks is to strengthen leadership on cyber security by establishing a "position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy."
Other items include: supporting an initiative to develop next-generation secure computers and networking for national security applications, and deploying secure hardware and software to protect critical cyber infrastructure; establishing "tough new standards for cyber security and physical resilience;" developing systems to protect trade secrets from being stolen online from U.S. businesses; shutting down "untraceable Internet payment schemes;" and securing personal data stored on government and private systems and requiring companies to disclose data breaches.
The homeland security agenda also calls for ensuring that "security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."
Also on Wednesday, former Arizona Gov. Janet Napolitano was sworn in as secretary of the Department of Homeland Security.
President-elect Barack Obama's cell phone billing records were improperly accessed by employees of Verizon Wireless, CNN reported late on Thursday.
Obama's transition team was informed of the breach by Verizon Wireless representatives on Wednesday, team spokesman Robert Gibbs told the news agency. The Secret Service has been informed, Gibbs said.
The phone, a voice flip-phone with no e-mail access, is no longer active or being used by Obama, the report said. Lists of phone numbers and calls made by Obama could have been accessed, but "nobody was monitoring voicemail," Gibbs is quoted as saying.
Verizon Wireless has notified federal law enforcement authorities, Verizon Wireless President and Chief Executive Lowell McAdam wrote in an internal company e-mail distributed on Wednesday that CNN obtained. In a press statement, McAdam wrote:
"This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama's personal cell phone account. The account has been inactive for several months. The device on the account was a simple voice flip-phone, not a BlackBerry or other smartphone designed for e-mail or other data services."
"All employees who have accessed the account - whether authorized or not - have been put on immediate leave, with pay. As the circumstances of each individual employee's access to the account are determined, the company will take appropriate actions. Employees with legitimate business needs for access will be returned to their positions, while employees who have accessed the account improperly and without legitimate business justification will face appropriate disciplinary action."
"We apologize to President-Elect Obama and will work to keep the trust our customers place in us every day."
Employees who viewed the records without authorization could be fired, McAdam said in the internal e-mail.
This is the latest in a string of technology-related security incidents to hit this election season. Earlier this month, Newsweek reported that PCs used by the campaigns of Obama and former Republican presidential candidate John McCain were compromised last summer.
In September, McCain's running mate Alaska Governor Sarah Palin had her Yahoo e-mail account broken into. And back in April, someone exploited a weakness in the Web site for Obama's campaign and redirected some visitors to then-Democratic presidential hopeful Hillary Clinton's site.







