Jeff Moss
(Credit: Darington Forbes)
Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, the first major hacker conference and the largest in the world, as well as Black Hat, its more corporate counterpart. And now he is helping the U.S. government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month about his digital coming-of-age and how Google, Yahoo, Facebook, and other sites are putting consumer privacy at risk and jeopardizing social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on Friday.
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened in '93.
So, things were different then. Can you talk about how the landscape has changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and once money was involved it changed everything. Actually that's not true. Technology grew up. So two things: money and technology. Technology grew up and a lot of the original motivations for hacking sort of changed, at least for my generation. When Internet access is essentially free and Unix is free and phone calls are essentially free and pennies on the minute, not dollars on the minute, why do you need to steal a phone call when it's free? Why do you need to break into a university to read man (manual) pages on Unix when you can download free security guides online?
You had to work so hard to learn something, and once you learned it you felt like it was yours. You made it yours by discovering it and figuring it out and sharing it with your friends. But now it's basically just handed to you on a Google search page so that motivation is just different now. Now it's not a question of figuring out how the SS7 phone switching network works. You can download 50 documents that tell you how it works. It's more about now the information is basically free what do you do with the information? How do you use it? Before it was about the quest for information; just getting your hands on the information was a victory.
As soon as people started making money on the Net...during the dot-com boom, that's when you could see the impact. Everybody needed somebody with Internet skills. And at that time it was hackers and early adopters. So all the early adopters could go out and get paid for their hobbies. That changed the nature of it too. It became a job as opposed to a hobby. When the criminals finally caught on that there was some real money with low risk and potential high reward...once nation states and organized crime groups got involved, that was the end of the age of innocence. It happened really quickly; 10 years or so. It used to be that you could probably defend against the bored college student and a couple of his buddies and you could do some defensive maneuvers and watch your log and know when somebody is poking around (your network) and have a pretty good handle on things.
This is an edited audio version of the interview with CNET's Elinor Mills.
But the amount of noise and the amount of scanning and the amount of resources that people can put against you now, it's kind of...(laughs) I used to always say that large governments, military, and an EDS or a Microsoft, they've got the in-house talent to defend themselves and the budget to do it if they have to. But the SMBs, the small and medium businesses, they don't have the talent or the budget or the experience, so those poor companies are at a disadvantage in this kind of world... The technology hasn't matured to where you just plug it in and it works. You still need a certain amount of high-end talent if you want to be secure. So we're not at the point where you buy a car and you've got the air bag. We're not there yet. Every year the bar keeps getting raised and it's a little bit harder to break in. But that just means that the better-funded organized crime groups and governments could potentially be the last ones left standing. And when the attacks get so sophisticated and so subtle your average sec guy is not going to necessarily have the computer skills to protect against it.
Is that an argument then for managed security services?
Moss: Hmm. Do you mean something like a Counterpane, the sort of centralized log management where they analyze everything?
Yeah.
Moss: That's essentially (similar to the idea of putting) your eggs in less baskets and have experts watch the logs. The DHS (Department of Homeland Security) is trying to do that with Einstein. It seems like that's a rational response to the problem. I'll have to think about that. The problem is by the time they notice something is the damage already done if they're infiltrating secrets, say, versus defacing your home page? If you look at the nature of the problems the organized crime groups generally want money and the government wants secrets and they go about their business differently because the goals are different. Maybe centralized services like that work better against one group than the other.
How did you first get into hacking and on to computer security? What got you interested in all this?
Moss: It was kind of random. My dad was a doctor at the University of San Francisco and the university was offering some discount if you bought an IBM, you could get it at some kind of educational discount...so they bought a pretty expensive computer back then for me and my sister to play with.
How old were you?
Moss: I was right around 12 or 13.
And you are how old now?
Moss: Thirty-nine. And my sister wasn't interested in it. She ended up getting into music and it turned into my computer instead of the family's computer. I started off as a software pirate. You're 13 years old and your buddy gets a game for his birthday and I've got a game and there just weren't that many games on the PC back then. You could either just straight copy the game or if there was some sort of copy protection you saved up and bought a copy of 'Copy to PC' and you could copy each other's games. You would try to figure out why did that work. There weren't a whole lot of programming books back then so I learned BASIC and I started learning assembly language.
And then to upgrade the machine you had to learn how to take apart the machine and it was much cheaper to buy memory and install it yourself than to buy a memory card. I had no money as a kid. So there were these overclocking kits you could buy for like $50 or $60. You could overclock your CPU to make it go 30 or 40 percent faster. Instead of going something like 6.55 or whatever megahertz, you could make it go 8 megahertz and that was awesome. So then you would figure out why does that work? What's going on there?
And then the huge revelation for me was getting a modem. Once I got an acoustic coupler modem, a 300-baud modem, that was the beginning of the end for me because all of a sudden I got to communicate (with others online). It started with my friends who had modems and I would use them over at their house and eventually I saved up and got my own. And you would be on these message bulletin board systems talking with people in the Bay Area. They didn't know your age or your gender or your education or anything and you're having conversations with grownups about grownup topics, drugs, technology, music, whatever it is. The sort of conversations you didn't have with your parents. You could overhear other people having conversations about (things). It was this great glimpse into the bigger world that was out there. And that really opened up my eyes. It was different from what we talked about at school. It was different from what you talked about with your friends, your parents. It was a whole other world and it just made you want to find more and more bulletin boards and more and more people. And that led to phone phreaking, trying to figure out how the phone systems worked and how to call longer distance and the cheapest way to do it. It was that exploration.
And it was all very random for me. I knew about the phone systems because I ran a bulletin board and I spent a lot of time dialing long distance to get onto different bulletin boards. And I knew about software programming but I didn't really know about hacking until a chance encounter with someone. And he had the opposite experience. He didn't know anything about phones and he didn't know anything about copy protection or reverse engineering that way, but he knew all about hacking. He knew all about networking, which is something I didn't know about because I didn't have a network in my house. Everything was point-to-point dial-up. Nothing was a network. So through him I learned about networking.
Things happened in my life at certain times. Very random. It was luck. I was lucky my parents bought that computer. It was lucky I learned about the modem and lucky I ran into that guy who taught me about hacking. I would love to say it was some master plan on my part, but it was a happy set of circumstances.
That reminds me of the Malcolm Gladwell book "Outliers" that I'm reading right now. It's very relevant to what you're talking about--that it's not just intelligence, but also opportunities that give people the ability to accomplish things.
Moss: Is that the book that talks about the 10,000 hours (the amount of time it takes to practice something in order to become a success at it)?
Yes.
Moss: Somebody told me about that and I totally believe it. If I think about it, I put in thousands and thousands and thousands of hours just talking to people and reading and programming and screwing around with computers and trial and error on phones and everything until it became sort of second nature. If you think about people who are really good with musical instruments, they put in tens of thousands of hours. Or (people) working on cars. I have a friend who is a fantastic car guy and he grew up with a wrench in his hand. He innately understands how mechanical things work.... (These people) see the world differently (and have) developed a sixth sense toward it.
Do you have a sixth sense toward hacking?
Moss: Well, you have a sixth sense toward looming problems. Somebody announces an (integration) project and you just think to yourself "Oh, that's going to be a problem. How are they going to do that?" From a technology standpoint how are they ever going to get all those systems to work and from an HR or organizational standpoint, you just know it's not going to happen...
In the back of my head I wonder if we haven't embraced the Internet technologies (too) quickly. If you're going to touch these critical systems you need a different mentality. You need a different skill set. I don't know. For example, SCADA (Supervisory Control and Data Acquisition) systems are starting to be hooked up to Web interfaces and it makes central management really easy and it makes understanding and visualizing the process flow information really easy. So the managers hear that and think cost savings and ease of management and ease of visibility. I hear that and I think "Whoops, that's going to be a problem." You're joining these two networks with Web protocols that are essentially inherently insecure or are difficult to secure and then you go and listen to Moxie Marlinspike talk about the problems with SSL and you think to yourself, "That's a problem." You just get a sixth sense about things like that.
So we've covered a lot of ground here. Is there anything else to discuss about computer security, cybersecurity, your background?
Moss: I have a current rant I've been going on about. It's my low-hanging fruit rant. Six months ago there was an open letter to Google asking them to please make everything HTTPS (Hypertext Transfer Protocol Secure) by default and I was a signer on that letter. It was another one of those (proposals that) made total sense. Why isn't there a push to just make everything HTTPS by default? Because everybody's browsers work with it. Computers are fast enough now. Home PCs are fast enough that the extra encryption doesn't even faze them. Why not start getting rid of HTTP and moving to HTTPS? That seems like a pretty low-hanging fruit, easy to do. If you can't do that what makes you think you are going to be able to do more complicated things?
And if you look at what we rely on, we rely on the Web, which isn't secure. We rely on DNS (domain name system), which isn't secure and we rely on e-mail, which isn't secure. The three foundational things we've been using since the dawn of time aren't secure and there doesn't seem to be a big push to fix any of it. These big companies that are encouraging us to put our lives online, the Yahoos, the YouTubes of the world, they're not doing their bit to secure it.
The thing that really kind of pissed me off, during the whole Iranian revolution or protest over the election you saw all these people just pouring their hearts out on these different social sites and their political beliefs out over unsecured HTTP. And the government is sitting there just collecting it all, recording it. And sooner or later they'll come knock on people's doors. It really drove home we are beyond sharing pictures of fluffy cats and the social sites are now being used to organize political movements and social-justice issues.
If that kind of stuff is going to happen you've got to do it in a secure fashion or you're being negligent. Because if it was SSL (Secure Sockets Layer) between say the dissidents in Iran and some social site they would know your IP (Internet Protocol) address connected to Facebook, for example. And they would know that you transferred a couple hundred thousand bytes (of data) but they wouldn't know your login, they wouldn't know your friends, they wouldn't see what you are posting. They wouldn't know any of that. That seems like a good thing if you are concerned about the well-being of your citizens. A lot of problems would go away if everything were just SSL by default. A lot of the privacy concerns would go away. Every time I get a chance to talk to somebody at one of the big social sites I give them some grief and say, "How come you aren't doing this? Why do you protect my login but you don't bother to protect the rest of my session?" It's super frustrating.
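As an added, constructed example (not from the interview or from any of the sites named), a small header audit for the gap Moss describes: a login protected by HTTPS while the session cookie and the rest of the session travel over plain HTTP. The sample responses and the host `example.test` are made up.

```python
"""Audit HTTP response headers for the "protected login, unprotected session" gap.

Constructed example: parses a raw HTTP response and reports whether the
session cookie is restricted to HTTPS, whether HSTS is set, and whether a
plain-HTTP request is redirected to HTTPS instead of being served.
"""
from __future__ import annotations


def parse_headers(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw response into its status line and (name, value) header pairs."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie: str) -> tuple[str, set[str]]:
    """Return the cookie name and the lower-cased set of its attribute names."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw: str, over_https: bool) -> list[str]:
    """Return findings for one response; an empty list means the session is HTTPS-only."""
    status, headers = parse_headers(raw)
    status_code = int(status.split()[1])
    hmap: dict[str, list[str]] = {}
    for name, value in headers:
        hmap.setdefault(name, []).append(value)
    findings = []

    if not over_https:
        # A plain-HTTP response should only ever redirect to the HTTPS origin.
        location = hmap.get("location", [""])[0]
        if not (300 <= status_code < 400 and location.lower().startswith("https://")):
            findings.append("plain HTTP served content instead of redirecting to HTTPS")
    elif "strict-transport-security" not in hmap:
        # Without HSTS the browser will still try plain HTTP on the next visit.
        findings.append("missing Strict-Transport-Security header")

    for sc in hmap.get("set-cookie", []):
        name, attrs = cookie_attributes(sc)
        if "secure" not in attrs:
            # This is the observer's prize: the session token sent in the clear.
            findings.append(f"cookie {name} lacks Secure: it will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=abc123; Path=/

<html>feed served over plain HTTP</html>
"""

REDIRECT_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/
"""

HARDENED_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw, https in (("weak", WEAK_HTTP, False),
                              ("redirect", REDIRECT_HTTP, False),
                              ("hardened", HARDENED_HTTPS, True)):
        print(label, audit_response(raw, over_https=https) or "ok")
```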
Jeff Moss, founder of Black Hat and Defcon.
(Credit: Darington Forbes)
As a hacker and organizer of Defcon, an event where computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.
But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.
With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.
Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.
Right. We don't understand it. We're like, what does it mean? Is it real?
Moss: How does it give us any actionable information? How should we change our behavior based on it? What came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change, was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.
Amit Yoran
(Credit: Amit Yoran)
West Point graduate Amit Yoran moved through security work in the Air Force, the Defense Department, and private industry before being tapped as director of cybersecurity for the Department of Homeland Security.
He joined DHS in September 2003 and left about a year later, the first of several cybersecurity directors to have a short tenure. Now, the 38-year-old is chief executive of security firm NetWitness.
During the first week of National Cyber Security Awareness Month, Yoran talked to CNET News about his efforts getting a federal cybersecurity program off the ground, how no organization is safe from attack, and why he is "anti-user." Here is the edited interview.
Q: The big question on everyone's mind is when will the administration appoint a new cybersecurity czar and who will it be? Do you have any comments on that?
Yoran: (Laughs) Apparently, they'll report it when they're good and ready. I don't have any particular comment on that.
There's been a lot of talk about the structure. Do you think the position should report to the White House or an agency like the National Security Agency? Should the official snoops be in charge of protecting security and privacy?
Yoran: (Laughs) Is that a biased question? No. In my mind clearly the right thing to do is to put a coordinator at the White House. NSA has a key role in cyber, but they've got their mission focus and there's a number of other departments. And agencies that have other priorities and activities in cyber that are relevant and need to be coordinated at the White House level.
This is an edited audio version of the interview with CNET's Elinor Mills.
You resigned as director of DHS' national cybersecurity division after only one year. Why?
Yoran: I had a specific start-up job or requirement that was asked of me--to help them get the US-CERT operation up and running and help get some of their cyber programs off on the right foot. After a year we had established some of those programs and (decided that) my interests lie elsewhere. We were as productive as we could be in a short period of time.
Do you think your division was given adequate attention and resources?
Yoran: At the time I don't think they were inadequate meaning when you're just starting something from scratch even if you have hundreds of millions of dollars at your disposal, I don't think that you can prudently and effectively spend it. I don't think you can be effective or responsible with large resources like that on day one. Until you know where you can add value, what the programs and activities you can undertake are, you aren't particularly resource-constrained. I do think over time some of these activities require greater funding. I just don't know if that was a shortfall while I was there.
You weren't the only one to leave sooner than people might have expected. Former cybersecurity director Rod Beckström resigned in March and Melissa Hathaway resigned as acting director in August. What's going on here?
Yoran: Well, this is a very complex topic and dealing with it is a careful balancing act between an understanding of business, an understanding of technology and an understanding of how...to prioritize your programs and this was a national level of activities. So it doesn't particularly surprise me that we've had a high turnover of leadership, a fast pace of leadership turnover in this area. That doesn't mean that all the programs and activities start and stop with changes of political appointees.
The 60-day review that President Obama commissioned came out in May with the message that the country is not prepared to respond to cyberattacks. What's your opinion of the report?
Yoran: I would concur the nation is not prepared to adequately address cyberattack...The report, like cyber, has so many nuances some of which I agree with and some of which I don't agree 100 percent, but I think the observations being made were accurate.
You were a member of the commission that worked on a report that came out last December, right? Are the reports really all that different?
Yoran: There were a lot of similarities and there was a lot of alignment between observations made by the CSIS (Center for Strategic and International Studies) commission and ultimately 60-day review that Melissa Hathaway conducted for the White House. But that shouldn't be very surprising. It's not the same document...You've got a lot of the same expertise...a lot of the same types of analysis done...It also is reasonably well aligned with a lot of earlier presidential strategy and docs around cyber.
It doesn't seem like there's a lot of change after years of this. Do you get a sense we're treading water at all?
Yoran: I'm not certain treading water is the right analogy. It seems like we're making progress, progress is being made, but cyber is not a stagnant environment. It's not like a network router (which) behaves as you command it so you change the network or the architecture. In cyber you have a continuous sort of evolution, not only of technologies, but also you have an adversary game theory-type activity. What you think is secure today is based on your current knowledge and your knowledge expands and the adversaries change their techniques and methods. The landscape has changed so it would actually require a lot of swimming to stay in place versus treading water, I guess is how I would characterize it...Our adversaries are advancing their techniques and we're also deploying a lot of technologies and process and capabilities to help better protect ourselves. Overall, I don't think we're better protected, that we're better off or less exposed today than we were years ago.
You said "progress is being made." Can you elaborate?
Yoran: So in the last two years or more, the Bush administration carrying on into the Obama administration the primary national federal effort is really being driven by what they call CNCI, "Comprehensive National Cybersecurity Initiative." It remains highly classified as an initiative and series of programs. Work is under way. CNCI is more than people just talking about cyber. There is work being done. Unfortunately, a lot of it is behind the scenes.
What is the state of cybersecurity today?
Yoran: The organized crime, the criminal element today, is organized. They've got capability and because there is money on the line they've got phenomenal intent and focus and persistence. Last year, the FBI director said that more money was made using online cybercrime than by drug trafficking in the U.S. It's a mind-boggling number to people who aren't familiar with it...About 30 percent of the cybercrime today uses anti-forensic techniques, so you're literally not going to find them even if you know to look for them...The FBI also said that over 100 foreign governments have structured offensive cyberwarfare organizations as part of their network security and intelligence infrastructure. So the industry and the IT world is getting decimated by the cybercriminals and the nation-state activity is even more advanced than that. The technologies we're using to protect ourselves, that we're relying on, the dirty secret within the IT security world is that they're incapable almost by definition of dealing with the advanced threats of cybercrime or nation states.
Yoran: The challenge faced by the government departments and agencies is 98 or 99 percent similar to the challenge faced by enterprise IT environments which is very blatantly the IT security industry is not equipped to deal with the advanced threats. If we think we're monitoring systems and if we think we're protecting our systems using the products we have then we're uninformed about the threat, or misleading ourselves or just plain loony.
And the most advanced threats being specifically what?
Yoran: Custom exploits. Custom malware. The same concerns that thought leaders in the industry have been predicting or projecting from a few years ago or maybe even five years ago as conceptually possible are now an every day occurrence. Attacks being embedded in the application layers. Attacks being embedded into the content of applications or behavior of applications. It's by infiltrating and compromising the supply chain of an enterprise, be it in the hardware supply chain or more likely the services supply chain...
So a lot of attacks also use social engineering. Which attack vector is more successfully exploited, social engineering or the one targeting vulnerabilities?
Yoran: That's a great question. I think that the attack surface is so large. Whether you're going into a supplier, whether you are socially engineering an employee, or whether you're doing some sort of spear phishing type of exercise. The attack surface is so large and the IT security industry's ability to adequately protect a complex enterprise is so poor that I believe we have to have a shift or a change of paradigm in how we think about security. We have to believe, and I would say almost every security industry leader that I respect today, we have to believe that our defenses are imperfect and that our adversaries, criminal or otherwise, are already on the inside and that no matter what we do to protect ourselves they're still going to get inside.
Yoran: How do you live, how do you operate in an organization's IT environment, and how do you enable the organization to still accomplish their mission knowing that their IT systems are already living in a state of compromise? The bad guys are already inside. I don't care if it came in through social engineering or through a new exploit I didn't know about or a piece of malware they just wrote or by bribing someone on the cleaning crew to get into an environment. In order to succeed today you have to operate under the assumption that the compromise is already on the inside.
So then is it a matter of just minimizing the damage?
Yoran: Unfortunately I think that is a good part of it. You've got to understand where they are. Minimize the damage, containment, prioritize your limited resources, and focus efforts on the core assets, the most important assets of the enterprise. The data, the database, the brain, whatever you deem to be most sensitive in your business. Intellectual property.
Which is more important for curtailing threats--user education or technical countermeasures or something else?
Yoran: I'm a (laughs) I'm a believer in anti-user. Users are part of the problem, not part of the solution. (Laughs)
But you have to deal with them still. They are part of the equation.
Yoran: I typically advise folks to get rid of their users as the best defense but they usually don't have that as an option. I don't think user education is very effective. There's definitely a benefit to it. Is the marginal return worth the cost? I don't know. If you have some cost-effective programs it does make sense. Any security architecture which relies on the awareness or education of the user population is flawed by design. I'm a security professional. I've been doing IT security for the past 18 years or so and some of the spear phishing and other methods are so slick, so well engineered and so sophisticated that I could easily see myself falling victim to them. Having an alert user, that's valuable. Can you put any confidence in a security program that requires any end user awareness or education? No.
How did you get into computer security?
Yoran: Originally through gaming way, way back when, before it was called gaming, video games. I had my first introduction to computer security as a comp science student at West Point. There was an information security course that was taught and I found it to be a very fascinating topic.
Where did you go from there?
Yoran: On graduation from West Point, I inter-service transferred and served for five years in the Air Force...because it was in the leading edge of adopting technology and focusing on computer security. In the early days, I started with an organization that became the DOD CERT team, the Department of Defense's Computer Emergency Response Team, and worked there for a number of years and then got out in the '98 time frame and started a company called RipTech, a managed security services company, knowing absolutely nothing about business. It was 1998; I figured how hard can this be? Everybody's making a couple of billion dollars and so I jumped into the business world...Symantec bought RipTech in 2002 and in 2003 I went into DHS as the cyberguy, the national cybersecurity director, really trying to help the government get the federal effort off on the right foot. I did that for a year or so and got out of the government in late 2004, and since then I have been involved in a series of IT security businesses, mostly as an investor or board member, until 2006 when I organized a management buyout of NetWitness and focused on bringing its product and technology to market.
So tell me about that. What is it?
Yoran: NetWitness at its core is a network forensic engine. The government started the development effort almost 10 years ago, looking at packet switched data networks, trying to be able to rapidly produce intelligence about what's happening on a data network because they clearly saw the evolution of technology in this direction. The company that was developing the product was a services company and really not very well suited to bring this technology to success as a product. So I got some investors together and we basically did a management buyout of the developers, the patents, the patent filings they applied for, and we had a series of additional capabilities we wanted to add to the product...
Do you do online banking?
Yoran: I do, because laziness drives so much of my behavior. Absolutely not the right thing to do, but I'm lazy.
Acting White House Cyberspace Director Melissa Hathaway, who has reportedly resigned her post, addresses cybersecurity during the RSA computer security conference in April.
(Credit: James Martin/CNET)
Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, has resigned from her post, citing personal reasons, according to The Wall Street Journal.
The White House press office did not immediately respond to a call seeking confirmation of her resignation, but a spokesman has offered an e-mail statement to other publications.
"We are grateful for her dedicated service and for the significant progress she and her team have made on our national cybersecurity strategy," White House spokesman Nick Shapiro said in an e-mail to the publication Federal Computer Week.
The timing of Hathaway's resignation is a bit surprising, given that President Obama was reportedly getting close to choosing a permanent replacement for her post as the country's "cyberczar," a position he created in late May. Hathaway, who had worked for the director of national intelligence in the Bush administration, led the Obama administration's recent 60-day review of the federal government's cybersecurity efforts.
At one point, Hathaway was considered a leading candidate to take over the cyberczar post permanently. But the Journal said she took her name out of the running two weeks ago. "She said she was leaving for personal reasons and that she plans to remain working in the cybersecurity arena," according to the Journal post, which added that her resignation will take effect August 21.
The U.K. government plans to form a cybersecurity agency, with functions including cyberattack capability.
The Office of Cyber Security (OCS), dedicated to protecting Britain's IT infrastructure, will be created on a model proposed, and in part already practiced, by the U.S. The U.K. government said Thursday that the OCS will have charge of a cross-government program, while a multi-agency Cyber Security Operations Centre (CSOC) will coordinate the protection of critical IT systems.
The OCS will also act as a conduit for information security collaboration between government and industry experts. Robert Hannigan, the prime minister's security adviser, said the OCS would be about "drawing together what people are already doing in the Ministry of Defense, the intelligence services, and the police."
The government has never admitted that it has the systems and personnel to launch a cyberattack. However, according to a senior government official, who wished not to be named, the OCS will have a role in coordinating cyberoffense capabilities that will build on the resources the government currently has.
In extreme cases, the government would launch a cyberattack in response to intrusions into the UK's own systems.
"Yes, we will do things proactively," the official said at a Cabinet Office press briefing. "Information assurance has been about building stronger walls, but there's only so much you can do. You come to a point when you are allowing criminals and others a low risk in continuing to attack, and there comes a time when that has to change. This is the first time we are saying publicly we are not going to sit back."
The government will develop information systems to allow it to launch denial-of-service attacks and to spy on chosen targets, said the official. "We will have a whole range of offensive capabilities, including distributed denial-of-service," said the official. "DDoS is not a first response. We definitely need graduated responses."
"Aggressive attacks are pretty far up the scale, and we want to avoid collateral damage as far as possible. It's a fine line. We don't want to get into cyberwarfare, but it's not reasonable to sit back," the official added.
The Cabinet Office official said the government would try to respond to attacks on U.K. systems by legal recourse: "Whenever we can, we will pursue criminals through legal frameworks, but that only works in some countries. Clearly, in other areas of the world, people are acting with impunity."
The model for the OCS is similar to that in the U.S., which plans to quadruple the number of security experts defending against cyberattack, while cyberoffense capabilities are currently under the aegis of the U.S. Air Force. The Pentagon will create a cybercommand to oversee U.S. cybermilitary efforts.
The OCS will pool intelligence capabilities from MI5, MI6, the Ministry of Defense, the Metropolitan Police e-Crime Unit, and the Serious and Organized Crime Agency.
The OCS will launch with a staff of 16 to 20, while the CSOC will have 20 to 25. "We will start small and learn from initial U.S. attempts," said a Cabinet Office official.
Tom Espiner of ZDNet UK reported from London.
This was originally published at CBSNews.com.
President Obama on Friday confirmed that his presidential campaign suffered a cyber intrusion in which hackers gained access to a range of files.
Barack Obama says of cyberattacks: "It has happened to me."
(Credit: CBS)
In a speech in which he unveiled a plan for a comprehensive national cybersecurity strategy, the president said he understands what it is like to be a victim of a cyberattack because "it has happened to me and the people around me."
Between the months of August and October, Obama said, hackers accessed files including policy papers and travel plans. Files pertaining to fundraising information were left untouched, he assured his supporters in a joking manner.
Obama noted that his campaign's vulnerabilities reflected those of the rest of the world in the digital era.
"It's no secret my presidential campaign harnessed the Internet" to communicate with a wide swath of supporters, he said. However, the hacking was "a powerful reminder...one of your greatest strengths, our ability to communicate...could also be one of your greatest vulnerabilities."
The campaign worked with federal agents and hired security consultants to address the breach, Obama said. Newsweek reported in November that federal agents were investigating cyberbreaches of both the Obama and McCain campaigns.
Correction, 5:05 p.m. PDT May 12: This story initially mischaracterized iBotnet. It is a Trojan horse.
As an analyst, it is my job to follow the industry, internalize trends, and then use this information to make predictions. OK, here goes: Within the next 18 months, Apple will begin recommending that Macintosh users install Internet security software on all systems.
Now I realize that this statement is blasphemy to dedicated Mac users, so let me start with a few qualifying statements. I am not comparing Mac OS with Windows, or Apple with Microsoft, and my prediction should not be interpreted as an attack on Apple, its developers, or the security of its code.
The truth is that all sophisticated software contains vulnerabilities and Mac-based malicious code is nothing new. The recent iBotnet Trojan is just one example. My hunch is that Mac attacks will increase precipitously over the next year, driving Apple to drop its Windows security insults and partner with the likes of Sophos, Symantec, and Trend Micro. Here are a few reasons why:
Mac users are a lucrative target. Mac owners tend to be affluent and Net savvy. To the bad guys, this means identities to steal and broadband connections to exploit.
Organized cybercrime is diversifying. Cybercriminals tend to work as a loose confederation with each group specializing in a certain task. There are malware writers, botnet owners, mules, etc. Some entrepreneurial bad guy is bound to see a green field market in Mac cybercrime, recruit Mac hackers, develop expertise, and market these capabilities. If there is an equivalent of a cybercrime venture capital firm, they are probably looking at business plans like this already.
Macs are growing in the enterprise. In many large firms, Macs make up about 5 percent of endpoints. If the bad guys infect these systems, they can troll the network looking for other vulnerabilities and juicy data at will.
Macs are fairly easy to hack. In March as part of a contest, security expert Charlie Miller won $5,000 for exploiting a hole in Safari in about 10 seconds. If he can do this in 10 seconds, how many techies can do it in an hour? This is a frightening thought to me.
The company and Macintosh users should not fight this trend--doing so would only increase risk and help cybercriminals. Realize that most enterprises that already use Macs do so with the caveat that these systems must run security software. The goal is reducing risk, not singling out Mac users. There is a lesson to be learned here.
Senior citizens often hark back to a time when people left their house unlocked and left their car keys in the ignition. Now they lock their doors for safety. Apple, along with Mac users, should prepare for a similar transition. Given the state of cybersecurity today, pragmatism should trump romanticism.
President Obama in early February assigned Melissa Hathaway, a former consultant at Booz Allen Hamilton, to review the status of the nation's cybersecurity defenses, processes, and organization and report back to him with the findings 60 days hence. The president now has the results of the Hathaway study and the findings are likely to be made public this week.
Melissa Hathaway
(Credit: BusinessWire)
While anticipation around the Hathaway study has reached a fever pitch, the report itself is bound to be anticlimactic at best. Why? Much of the detail will be deemed "classified," so the report's conclusions will only be communicated in general terms. What's more, cybersecurity is not exactly an esoteric topic. The Center for Strategic and International Studies released a report of recommendations for President Obama in December 2008, while the Dartmouth Institute for Information Infrastructure Protection released its own cybersecurity report in February. Finally, there was the heavily publicized resignation of the former director of the National Cybersecurity Center, who publicly accused the NSA of trying to control the whole cybersecurity enchilada.
Given all of this public discussion, the security community is fairly certain about the Hathaway report findings and recommendations. At a high level, the report will highlight the following conclusions and recommendations:
People. There are too many people doing redundant tasks in some areas and too few in others. The report will recommend a new position reporting to the Office of the President responsible for cybersecurity oversight.
Process. The Federal Information Security Management Act of 2002 is badly broken and needs to be aligned with departmental missions rather than with check-box compliance. It is also likely that the report will call for new best practices from the National Institute of Standards and Technology as well. Finally, the report will link cybersecurity and procurement with new security requirements for federal technology suppliers.
Technology. While the federal government has spent billions on security technologies over the past few years, the report will likely recommend even more. For example, Hathaway may recommend federal funding for digital identity projects like the Real ID Act and Homeland Security Presidential Directive 12.
Finally, the report will disclose that communication, cooperation, and technology integration between the public and private sector need to be updated, improved, and funded.
These are important matters indeed, but none of the points here are new, and we are burning precious cycles studying and discussing the same issues over and over. When your house is on fire, you don't stand around and debate whether the cause was faulty wiring or arson--you call 911 and get out as fast as you can.
Talk (and written reports) is cheap and there is far too much of it going on inside the Beltway. Let's hope that this report leads to a Trumanesque management philosophy where President Obama declares that, "the cybersecurity buck stops here," quickly initiating a series of actions, resources, and legislation to finally address these critical vulnerabilities. If the report recommends further study or a presidential commission, call your congressman and demand action.
In my humble opinion, the RSA 2009 security conference, held this week in San Francisco, was extremely flat compared with past years. Yes, the economy had a lot to do with it. I believe last year's attendance was around 17,000 people, and I've heard that this year was off about 12 percent to 13 percent. Personally, I can't believe there were more than 10,000 folks there.
Beyond economic woes however, RSA 2009 was still rather lifeless for a few reasons:
The speakers. The keynote speakers really had nothing new to say. This was especially troubling because the lineup looked so strong. Unfortunately, the most disappointing speaker of all was President Obama's cybersecurity point person, Melissa Hathaway, who read from a script and said next to nothing about her cybersecurity research effort. Hathaway underwhelmed an audience of security professionals, missing an opportunity to bond with a constituency whose support is critical to her success.
The topics. In the past, there was always one topic at RSA that grabbed everyone's attention. Not this year--same old tired stuff.
The vendors. I'm now convinced that most security vendors have no conception of what their customers need. Vendors pitch point technology solutions while users are crying for help to secure their IT-based business processes. There are really only a few security vendors that recognize this. I can't overstate how much this disconnect alienates the security community.
I was certainly pleased to see the active discussion around cybersecurity and public-private cooperation, but even this fell flat. Too much boring rhetoric and nearly no action.
It's time the security industry recognizes a few realities. First, the whole term "security" is a misnomer. The real goal here is risk management. Second, users don't want security technologies, they want solutions based upon the old IT triad of people, process, and technology. Finally, reducing risk has to go hand in hand with business process enablement. In other words, make the business agile and secure.
What do I expect for 2010? I'm pretty cynical and a bit frightened at this point. If the security industry can't understand the relationship between business processes and risk management we are all in trouble.
In past years, I looked at the RSA security conference as a high-tech flea market staffed by the world's best security carnival barkers. Yes, important security topics were discussed, but the real focus of the show was selling products and doing deals.
This year's event has its share of tacky presentations and booth babes, but I'm hearing a lot of chatter about a far more important topic: the state of information security and its impact on us all. Finally, the combination of unending data breaches, sophisticated malware, and the very real cybersecurity threat has everyone paying attention. There is a broad recognition that we security professionals aren't hawking hardware or writing code, we actually have a responsibility to educate, help, and safeguard users.
This theme is evident throughout the event. Microsoft's Scott Charney, a former U.S. Department of Justice attorney, talked about Microsoft's vision for end-to-end trust, describing why this is necessary and how it can be done in simple terms. While security crowds are often skeptical about Microsoft, Charney stated clearly, "It is our responsibility to make technology trustworthy."
Charney was followed later in the day by National Security Agency Director Lt. Gen. Keith Alexander, who talked about NSA capabilities and its role in securing cyberspace. Wednesday's speakers include Melissa Hathaway, acting senior director for cyberspace and the individual tasked with researching the state of domestic cybersecurity and reporting her results to President Obama. Finally, the day concludes with one of my favorite authors, James Bamford, who has written several books, such as "Body of Secrets" and "The Shadow Factory," that are must-reads for anyone interested in cybersecurity, privacy, and the NSA.
I applaud this group of speakers and their messages, but I truly believe that private-public security cooperation needs to go to another level. Here are a few suggestions where this would help:
Security standards. The National Institute of Standards and Technology and the NSA should champion standards across the public sector while cooperating with the security industry on education and promotional programs. I'd like to see this cooperation on standards like the Key Management Interoperability Protocol (KMIP) and the Extensible Access Control Markup Language (XACML). I'd also like to see a standard for data "tagging" so that security requirements travel with the data for distributed security policy enforcement.
Information assurance. The defense and intelligence community is pretty good at data discovery, classification, and security. The private sector on the other hand is struggling. I'd like to see government agencies work more closely with the security industry to define standards, create best practices models, and enhance education.
Secure software development. This is the Achilles' heel of the technology industry, and secure development programs remain underfunded and behind the scenes. The federal government should flex its purchasing muscles by auditing vendor development processes, demanding that vendors adhere to the Common Weakness Enumeration/SANS Institute list of "Top 25 Most Dangerous Programming Errors," and creating some type of "good housekeeping seal of approval" certification for software vendors. This will stimulate new security training, products, and services and force the private sector into similar requirements.
Talk is cheap and cybersecurity gets worse each day. I hope that the government and security industry can build upon this common understanding to make real and immediate progress.