Archive for February, 2012

NIST proposes major FISMA revisions aimed at new security threats


By: Mark Rockwell

The National Institute of Standards and Technology has released a draft of what it calls “major” proposed revisions to its catalog of federal information security management practices.

The proposals are still in draft form, and the agency is requesting public comments by April 6, 2012.

The revisions to the Federal Information Security Management Act (FISMA) publication, released on Feb. 28, add guidance for combating new information security threats and incorporate new privacy controls into the framework that federal agencies use to protect their information and information systems, NIST said.

DOD wants in on protecting civilian infrastructure

From: GCN

By William Jackson

SAN FRANCISCO — Deputy Defense Secretary Ashton B. Carter told the security industry at the RSA Conference that protecting cyberspace is a cooperative effort between the government and the private sector, and that the Defense Department is preparing to play an active role in both military and civilian systems.

The top threat to the DOD is assaults on its military networks. “That’s our problem,” he said. “We know how to deal with that.” But a second serious threat is to the critical civilian infrastructure on which the DOD depends. “We want to play a role in defending that as well,” Carter said.

Cyberwar Is Already Upon Us

From: Foreign Policy

But can it be controlled?


In the nearly 20 years since David Ronfeldt and I introduced our concept of cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think. 

VanRoekel: Cybersecurity is an administration priority

From: FierceGovernmentIT

By Molly Bernhart Walker

Cybersecurity is one of the Obama administration’s top five information technology priorities, Federal Chief Information Officer Steven VanRoekel said while speaking at a Feb. 24 AFCEA Bethesda event. He said cybersecurity will be a focus for 2012 and that there are “exciting investments” planned for fiscal 2013 that will enhance cybersecurity.

“The president’s budget for 2013 proposes a $769 million increase to support the national cybersecurity division at DHS. One of the parts that I’m most excited about is a little over $200 million to improve governmentwide continuous monitoring, so technology that will allow us to deploy into agencies the ability to do continuous monitoring for malicious activities across those agencies, giving us one view,” said VanRoekel.

Cyber security expert finds new flaw in smartphones

From: L.A. Times

A former McAfee researcher has used a previously unknown hole in smartphone browsers to plant China-based malware that can record calls, pinpoint locations and access user texts and emails.

By Ken Dilanian, Los Angeles Times

Reporting from Washington—


Just as U.S. companies are coming to grips with threats to their computer networks emanating from cyber spies based in China, a noted expert is highlighting what he says is an even more pernicious vulnerability in smartphones.

NIST Cybersecurity Center Tackles Public And Private Threats

From: Information Week

Researchers will use National Cybersecurity Center of Excellence to develop new products and services to combat cybersecurity threats faced by U.S. government agencies and companies.

By Elizabeth Montalbano

The organization that sets federal technology standards is establishing a new center devoted to cybersecurity technology research across both the public and private sectors.

A partnership between the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., will create the National Cybersecurity Center of Excellence, where NIST researchers can work exclusively on improving cybersecurity in the United States, according to NIST.

Senate Cyber Legislation Facing Industry Resistance Over Cost

From: Bloomberg

By Eric Engleman and Chris Strohm

A Senate measure aimed at compelling operators of vital U.S. utility and other networks to strengthen cybersecurity drew resistance from some business groups concerned that the bill would raise companies’ costs.

Responses to draft versions of the legislation have included “hard pushback” from trade groups as well as enthusiastic support, Tommy Ross, senior intelligence and defense adviser to Senate Majority Leader Harry Reid, said at a Bloomberg Government conference today.

CRE Comments on Second Draft of CAESARS FE

Attached below are the Center for Regulatory Effectiveness’ comments on the Second Draft of the CAESARS Framework Extension (NIST Interagency Report 7756).  The goal of the CAESARS FE document “is to facilitate enterprise continuous monitoring by presenting a reference model that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.”

CRE’s comments explain that “one reason why the CAESARS FE is an important IT security document is that it was written to be useful to industry as well as government.” 
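The aggregate-analyze-score-query pipeline that the quoted CAESARS FE goal describes, sketched as an added Python example. This is not code from the CRE comments or from NIST IR 7756: the three tool feeds, the common finding record, the severity weights and all sample data are constructed for illustration, and the scoring rule (sum of severity weights per asset) is an assumption, not anything the report specifies.

```python
"""Toy continuous-monitoring aggregator (added example, not from NIST IR 7756).

Three hypothetical tool feeds in different formats are normalised into one
finding record, scored per asset, and exposed to simple queries. All data,
formats and weights below are constructed for this example.
"""
import csv
import io
import json
from collections import defaultdict

# --- Constructed sample feeds (made up; not real scanner output) -----------
VULN_SCANNER_CSV = """host,plugin,cvss
web01,scan-1001,9.8
web01,scan-1002,5.3
db01,scan-1003,7.5
"""

CONFIG_CHECKER_JSON = """[
 {"asset": "web01", "check": "ssh-root-login", "result": "FAIL", "severity": "high"},
 {"asset": "db01", "check": "disk-encryption", "result": "PASS", "severity": "high"},
 {"asset": "db01", "check": "audit-logging", "result": "FAIL", "severity": "medium"}
]"""

AV_LOG_LINES = [
    "2012-02-27T10:01:00Z host=web01 event=malware_detected status=quarantined",
    "2012-02-27T10:05:00Z host=ws17 event=signature_update status=ok",
    "2012-02-27T10:07:00Z host=ws17 event=malware_detected status=active",
]

# Assumed scoring weights; an organisation would tune these to its own policy.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


def make_finding(asset, source, ident, severity, detail=""):
    """The common record every adapter emits, whatever the source format."""
    return {"asset": asset, "source": source, "id": ident,
            "severity": severity, "detail": detail}


def cvss_to_severity(score):
    """Map a CVSS base score onto the example's severity bands (assumed cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def from_vuln_scanner(text):
    """Adapter for the CSV feed: one finding per (host, plugin) row."""
    for row in csv.DictReader(io.StringIO(text)):
        yield make_finding(row["host"], "vulnscan", row["plugin"],
                           cvss_to_severity(float(row["cvss"])),
                           "cvss=" + row["cvss"])


def from_config_checker(text):
    """Adapter for the JSON feed: only failed checks become findings."""
    for rec in json.loads(text):
        if rec["result"] == "FAIL":
            yield make_finding(rec["asset"], "config", rec["check"], rec["severity"])


def from_av_log(lines):
    """Adapter for key=value log lines: detections only, rated by containment."""
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("event") != "malware_detected":
            continue
        # Malware still active on the host outranks a quarantined detection.
        sev = "critical" if fields.get("status") == "active" else "high"
        yield make_finding(fields["host"], "av", "malware_detected", sev,
                           fields.get("status", ""))


def aggregate():
    """Collect findings from every feed into one list of common records."""
    findings = []
    findings.extend(from_vuln_scanner(VULN_SCANNER_CSV))
    findings.extend(from_config_checker(CONFIG_CHECKER_JSON))
    findings.extend(from_av_log(AV_LOG_LINES))
    return findings


def score_by_asset(findings):
    """Per-asset risk score: sum of severity weights over its findings."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["asset"]] += SEVERITY_WEIGHT[f["severity"]]
    return dict(scores)


def query(findings, asset=None, min_severity="low"):
    """User query: findings for one asset (or all), at or above a severity."""
    floor = SEVERITY_WEIGHT[min_severity]
    return [f for f in findings
            if (asset is None or f["asset"] == asset)
            and SEVERITY_WEIGHT[f["severity"]] >= floor]


if __name__ == "__main__":
    fs = aggregate()
    for asset, s in sorted(score_by_asset(fs).items(), key=lambda kv: -kv[1]):
        print(f"{asset:6} score={s:3} findings={len(query(fs, asset))}")
```

The point of the adapters is that scoring and querying never see tool-specific formats; adding a fourth tool means writing one more generator that yields the common record, which is the aggregation idea the reference model's goal statement describes.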

Chinese Telecoms May Be Spying on Large Numbers of Foreign Customers

From: The Atlantic

A U.S. congressional probe is investigating whether China’s state-linked firms, which built much of the communications infrastructure in several Asian countries, are using their access for snooping.

Two Chinese telecommunications giants are under scrutiny by a US congressional committee. The outcome of the probe could have revealing implications for Central Asian states, which have used these companies to modernize their telecom sectors.

US legislators have expressed concern that Huawei and ZTE act as front companies for the Chinese government, and represent a grave “cyber-security threat.” The chairman of the House Permanent Select Committee on Intelligence, Michigan Republican Mike Rogers, asserted during a congressional hearing last October that China is engaged in the “brazen and wide-scale theft of intellectual property from foreign commercial competitors.”

Commentary: Cybersecurity requires buy-in from the top

From: NextGov

By Chris Wilkinson

Successfully securing networks against cyber threats requires support from the top — not only from the IT staff, but from C-level executives as well. Network monitoring, patching or purging outdated software and hardware, communications, and coordination are essential for good risk management policies and practices.

A recent seminar sponsored by immixGroup, Bit9, Hewlett-Packard Enterprise Security, and Sourcefire featured cybersecurity experts from government and industry who explored the factors that contribute to a federal agency’s ability to assess and anticipate threats as well as mitigate risk.