The White House Unveils New Cyber-Security Strategy
by Reuven Cohen
In the article “World War 3.0” in this month’s Vanity Fair magazine, Michael Joseph Gross lays out the stakes in what he describes as “a new global conflict that could split the virtual world as we know it.” The spectacular piece tells of a decades-old battle over who should have the power to control the Internet. Essentially, World War 3 has begun, and it’s not a conventional war; it’s a cyberwar. It’s a war for the future of the Internet and everything that touches it.
Gross describes the war for the Internet as “inevitable—a time bomb built into its creation. A war grown out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded. The system is now approaching a state of crisis on four main fronts.”
The timing of the article could not have been better. Earlier this week a massive distributed data-harvesting virus known as “Flame” was uncovered. The software was said to “dwarf Stuxnet in size and sophistication.” Stuxnet was the malware believed to be behind the cyber-attacks on Iran’s nuclear program in 2009 and 2010. Stuxnet was said to have been written through a partnership between Israel and the United States.
Adding to the cyber-security concerns was an announcement by researchers at Cambridge University, who reported the discovery that a Chinese-produced microprocessor used extensively by the US military is equipped with a backdoor allowing the chip to be reprogrammed.
Sergei Skorobogatov of Quo Vadis Labs at Cambridge University describes the flaw. “If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.”
This morning, at a Washington, D.C. summit led by Howard Schmidt, cyber-security coordinator at the White House, Schmidt and Janet Napolitano, United States Secretary of Homeland Security, jointly announced a voluntary set of Internet-industry principles designed to prevent and detect botnets, as well as a consumer-education campaign about computer viruses to help combat the threat. Schmidt, in announcing the initiative, said that “the pervasive presence of malware is not the price of doing business.”
Wikipedia describes a botnet as “a collection of compromised computers, each of which is known as a ‘bot’, connected to the Internet. When a computer is compromised by an attacker, there is often code within the malware that commands it to become part of a botnet.”
Schmidt was also joined by FCC Chairman Julius Genachowski at the summit this morning. The Internet-industry principles initiative is being launched in coordination with an FCC/industry partnership on voluntary guidelines already announced by the FCC last March. Google, Comcast, Time Warner Cable, Cox, and other major ISPs have already agreed to participate.
A post on The White House Blog by Schmidt outlines the strategy. In it he writes, “Earlier this month, we gave the green light to two long-awaited Defense Industrial Base (DIB) efforts designed to help companies protect critical information related to Department of Defense programs and missions. The DIB Cybersecurity/Information Assurance (CS/IA) program allows eligible DIB companies and the Government to share cybersecurity information. The Government shares cyber security threat and mitigation information with DIB companies to incorporate into their security practices, and, in turn, DIB companies report known intrusion events that may compromise DOD information to the Government and participate in damage assessments as needed. In addition, DIB enhanced Cyber security Services — a joint DOD-DHS activity and based on lessons learned from the 2011 DIB Pilot — is available as an optional part of the DIB CS/IA program in which the Government will furnish classified information that enables DIB companies or participating commercial service providers to counter additional types of known malicious activity for participating DIB companies.”
I should also note that at the end of the month, Schmidt leaves his post, ending a two-and-a-half-year stint during which he was successful in bringing much-needed attention to the federal government’s cybersecurity efforts.
The summit is part of a broader plan by the administration to address a significant recent increase in cyber-warfare and cyber-crime activities by a variety of adversaries, both government and non-government alike. Today’s summit intends to add further support to a bill sponsored by Senators Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), which would see the Department of Homeland Security in charge of regulating cybersecurity of the nation’s vital systems such as power grids and transportation networks.
Not everybody is happy about the proposed cybersecurity bill. One of the most vocal opponents is Senator Ron Wyden (D-Ore.), who said on Monday that the Senate’s cybersecurity legislation being pushed by Lieberman and Collins is an overreaction to cyber threats and would undermine the privacy rights of American citizens. Wyden said that both the House and Senate bills “subordinate all existing privacy rules and constitutional principles to the poorly defined interest of ‘cybersecurity.’”
Wyden went on to say that there is a false narrative related to this bill, which puts forth the idea that you have to sacrifice one thing to achieve the other. “There is no sound policy reason to sacrifice the privacy rights of law-abiding American citizens in the name of cyber-security, and I will fight any legislation that asks this Senate to make that choice.”
Earlier this week, the Center for Democracy & Technology sent a letter to the Senate expressing its “grave concerns” over the cybersecurity bill, describing the bill “as deeply flawed and dangerous to Internet freedom, individual liberty, and privacy.” Twenty-one organizations and individuals, including the American Civil Liberties Union, Reporters Without Borders and the Electronic Frontier Foundation, have signed the letter.
The various groups have a number of issues with the bill, mainly what they call “an exemption from all existing privacy and tort laws to allow companies to share communications and records with the government, including those of undefined ‘malicious cyber actors’ even if those personal records are not necessary to describe a cybersecurity threat.”
Regardless of your stance, one thing is for certain. There has never been a worse time for security on the Internet. With battles raging on many fronts, it is an interesting time to be in technology.