Archive for February, 2012
The National Institute of Standards and Technology released the draft of what it calls “major” revision proposals to the catalog of federal information security management practices.
The proposals are in draft form and not finalized and the agency is requesting public comments by April 6, 2012.
The revisions to the Federal Information Security Management Act (FISMA) publication released on Feb. 28, adds guidance for combating new information security threats and incorporates new privacy controls to the framework that federal agencies use to protect their information and information systems, said NIST.
By William Jackson
SAN FRANCISCO — Deputy Defense Secretary Ashton B. Carter told the security industry at the RSA Conference that protecting cyberspace is a cooperative effort between the government and the private sector, and that the Defense Department is preparing to play an active role in both military and civilian systems.
The top threat to the DOD is assaults on its military networks. “That’s our problem,” he said. “We know how to deal with that.” But a second serious threat is to the critical civilian infrastructure on which the DOD depends. “We want to play a role in defending that as well,” Carter said.
From: Foreign Policy
But can it be controlled?
BY JOHN ARQUILLA
In the nearly 20 years since David Ronfeldt and I introduced our concept of cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.
By Molly Bernhart Walker
Cybersecurity is one of the Obama Administration’s top five information technology priorities, said Federal Chief Information Officer Steven VanRoekel, while speaking at a Feb. 24 AFECA Bethesda event. He said cybersecurity will be a focus for 2012 and there are “exciting investments” planned for fiscal 2013 that will enhance cybersecurity.
“The president’s budget for 2013 proposes a $769 million increase to support the national cybersecurity division at DHS. One of the parts that I’m most excited about is a little over $200 million to improve governmentwide continuous monitoring, so technology that will allow us to deploy into agencies the ability to do continuous monitoring for malicious activities across those agencies, giving us one view,” said VanRoekel.
From: L.A. Times
A former McAfee researcher has used a previously unknown hole in smartphone browsers to plant China-based malware that can record calls, pinpoint locations and access user texts and emails.
By Ken Dilanian, Los Angeles Times
Just as U.S. companies are coming to grips with threats to their computer networks emanating from cyber spies based in China, a noted expert is highlighting what he says is an even more pernicious vulnerability in smartphones.
From: Information Week
Researchers will use National Cybersecurity Center of Excellence to develop new products and services to combat cybersecurity threats faced by U.S. government agencies and companies.
By Elizabeth Montalbano
The organization that sets federal technology standards is establishing a new center devoted to cybersecurity technology research across both the public and private sectors.
A partnership between the National Institute for Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., will create the National Cybersecurity Center of Excellence, where NIST researchers can exclusively work to improve cybersecurity in the United States, according to NIST.
By Eric Engleman and Chris Strohm
A Senate measure aimed at compelling operators of vital U.S. utility and other networks to strengthen cybersecurity drew resistance from some business groups concerned that the bill would raise companies’ costs.
Responses to draft versions of the legislation have included “hard pushback” from trade groups as well as enthusiastic support, Tommy Ross, senior intelligence and defense adviser to Senate Majority Leader Harry Reid said at a Bloomberg Government conference today.
Attached below are the Center for Regulatory Effectiveness’ comments on the Second Draft of the CAESARS Framework Extension (NIST Interagency Report 7756). The goal of the CAESARS FE document “is to facilitate enterprise continuous monitoring by presenting a reference model that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.”
CRE’s comments explain that “one reason why the CAESARS FE is an important IT security document is that it was written to be useful to industry as well as government.”
From: The Atlantic
A U.S. Congressional probe is investigating whether China’s state-linked firms, which built much of the communications infrastructure in several Asian countries, is using its access for snooping.
Two Chinese telecommunications giants are under scrutiny by a US congressional committee. The outcome of the probe could have revealing implications for Central Asian states, which have used these companies to modernize their telecom sectors.
US legislators have expressed concern that Huawei and ZTE act as front companies for the Chinese government, and represent a grave “cyber-security threat.” The chairman of the House Permanent Select Committee on Intelligence, Michigan Republican Mike Rogers, asserted during a congressional hearing last October that China is engaged in the “brazen and wide-scale theft of intellectual property from foreign commercial competitors.”
By Chris Wilkinson
Successfully securing networks against cyber threats requires support from the top — not only from the IT staff, but from C-level executives as well. Network monitoring, patching or purging outdated software and hardware, communications, and coordination are essential for good risk management policies and practices.
A recent seminar sponsored by immixGroup, Bit9, Hewlett-Packard Enterprise Security, and Sourcefire featured cybersecurity experts from government and industry who explored the factors that contribute to a federal agency’s ability to assess and anticipate threats as well as mitigate risk.