March 28, 2012 By Dan Lohrmann
Shawn Henry, the FBI’s top cyber cop and executive assistant director responsible for cyber, told the Wall Street Journal (WSJ) that “we’re not winning” and that the current approaches being used by the public and private sectors are: “… Unsustainable. Computer criminals are simply too good and defensive measures too weak to stop them.”
The WSJ article entitled: U.S. Outgunned in Cyber War also reported that Henry said:
“I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security…
We have found their [company] data in the middle of other investigations. They are shocked and, in many cases, they've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially….”
Meanwhile, other leading experts are sounding similar alarms. Richard Clarke, former cybersecurity and cyberterrorism advisor to the White House, testified that “your government has failed you. Every major company in the United States has already been penetrated by China."
In an interview with Smithsonian.com, Richard Clarke goes further:
“I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial….
My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China....After a while you can’t compete.”
Finally, the National Security Agency (NSA) chief, General Keith Alexander, told U.S. Senators that the Chinese were behind the RSA attacks last year.
“The attack against RSA, in which the attacker conducted a spearphishing campaign that sent disguised emails containing malware that installed backdoors via a zero-day Adobe Flash exploit, indicates a high level of sophistication by China's hackers, according to Alexander. ‘The ability to do it against a company like RSA is such a high-order capability that, if they can do it against RSA, that makes other companies vulnerable,’ he said.
… The NSA director admitted that the government needed more real-time capabilities to work with private sector organizations to stop cyber attacks, and perhaps more authority to take action. He cited an attack in which an "adversary" was attempting to exfiltrate 3 gigabytes of data from a defense contractor in a foreign country, and DOD processes for communicating with that company were too manual.”
Taken together these quotes tell a pretty scary security story. I don't (generally) like to spread cyber fear, but these latest headlines and interviews are even a level worse than what I've seen in the past. Clearly, we need to adapt to the new global cyber attack environment.
Any response?
March 22, 2012 By Dan Lohrmann
Internet privacy has long been a hot-button issue. Central questions are being asked about who owns what data, how that data can be used by various companies to target individuals in marketing and whether users can opt-in or opt-out of various data-sharing approaches. Just as in other areas of life in America in 2012, these questions are often settled in the courts.
Now, Google is facing a class action lawsuit over its new privacy policy. Computerworld reported that Google faces complaints that it changed earlier privacy policies which promised that information obtained by one service would not be used by another service. Beyond consumer complaints and online criticism, a new suit seeks to bring a nationwide class action on behalf of holders of Google accounts and owners of Android devices from Aug. 19, 2004 to Feb. 29, 2012, who continued to maintain the Google accounts and own the devices after the new privacy policy came into effect on March 1 this year.
Here’s an excerpt from the Computerworld article:
“The Internet company is being charged in both lawsuits for violation of the Federal Wiretap Act, for willful interception of communications and aggregation of personal information of its consumers for financial benefit, and the Stored Electronic Communications Act for exceeding its authorized access to consumer communications stored on its systems. Google is also charged with violation of the Computer Fraud Abuse Act, and other counts including state laws. …
The company's new privacy policy is already under scrutiny in the European Union and in the U.S., where 36 state attorneys general wrote to Google CEO Larry Page last month saying that Google's new policy does not give users a sufficient chance to opt out.”
Other groups tried to block Google’s privacy policy before it came into effect on March 1, but they were not successful in stopping the new policy from taking effect.
Google declined to comment on the lawsuits.
But Google is not alone. Last year Microsoft was sued over a phone-tracking feature. Here’s a quote from the Wall Street Journal last September:
“A Michigan woman is suing Microsoft Corp. for allegedly tracking phones that run the software giant's Windows Phone 7 operating system, the centerpiece of the company's efforts to grab part of the burgeoning mobile market.
The suit, filed in the U.S. District Court in Seattle, alleges the operating system collects data about a user's whereabouts even after the software's tracking feature is ostensibly disabled. The suit, filed by Rebecca Cousineau, accuses Microsoft of violating various communications and privacy laws and seeks class-action status. …”
In reality, the list of lawsuits regarding privacy policy changes is fairly long, and I suspect that it will get longer over the next few years. Companies want to use your data in new ways, and this information about us is very valuable. These fears of data misuse can be either overblown or valid, depending on the situation. However, I am still a big believer that users should control how their information is shared and used. In addition, end users should be able to opt-in or opt-out of various tracking mechanisms. Of course, companies have the right to offer a discount or better service in return for the right to share information with partners or other company services.
One final point: with related headlines coming out from Wired magazine about NSA spying on our emails and plans for access to “deep data” or “deepnet” (which is password-protected information), I don’t see these privacy issues being resolved anytime soon. Another article from the UK Daily Mail recently reported that the CIA wants to spy on us through our TVs (which I don’t believe). Nevertheless, I think more privacy lawsuits are on the way. In my opinion, these topics will continue to be front and center for the next decade.
What are your thoughts on where Internet privacy is going?
March 18, 2012 By Dan Lohrmann
I was blessed with the opportunity to travel to Eastern Europe last week to speak at two different one-day cybersecurity conferences that are part of a series of events known as the IDC IT Security Roadshow 2012. This was the tenth anniversary of this excellent IDC conference series. I previously had the privilege to speak at their event in Moscow two years ago. (After that Moscow conference, I wrote this blog.)
So here are my initial impressions. I intend to write another piece over the next few months with some more detailed observations. (At the end of this blog, I’ll offer some answers to several background questions related to the trip.)
First Impressions:
1) Almost everyone I met in Eastern Europe speaks English – Both conferences had simultaneous translation with headsets. However, the majority of conference attendees didn’t need the headsets, since they spoke both English and their local language. Most of the sessions were in English.
2) The people were wonderful – I met dozens of people during the trip. Everyone I met was kind, professional and articulate. The discussions were similar to the questions asked at conferences I speak at in the USA. However, conference attendees wanted to know more about governance, how we get (or strengthen) a security budget, how to get buy-in for cyber and how many security staff we have in Michigan.
3) Cybersecurity (or “IT Security” as they called it) is a hot conversation topic all over Eastern Europe – Take a look at the specific conference agendas for both Prague and Sofia. You may not be surprised by what you see, since the items are just as in-depth and intriguing as at most US security events. No doubt the breadth of speakers was wider in Prague, as the conference was larger (over 200 people in Prague versus about 175 in Sofia).
4) Cloud Computing and mobile applications are also hot issues – just as in the USA. What was on the mind of attendees during Q/A panel sessions? Implementing public and private clouds as well as smartphone security.
5) The security appliance market is the fastest growing segment with products like “Unified Threat Management” coming on strong.
6) Prague is a headquarters for many European companies. I was surprised by the number of businesses that had their European HQs in Prague. On the other hand, Sofia lacked the same technology buzz.
7) Budgets (and staffing levels) are lower for security in Eastern Europe. The organizations described to me were all struggling with justifying even a few dedicated cyber professionals.
8) IDC has their act together. These were great security events that were well-planned and professionally orchestrated.
9) Prague is a beautiful city with a rich history and pride that I vastly underestimated. We had a great time relearning about Charles IV and the amazing history of Prague. The many tourist stores were everywhere, and mall prices were similar to the US mall prices.
10) Bulgaria is one of the economically poorer countries in the European Union, with a tragic history. Average monthly Bulgarian income in 2008 was 384 Euros. One recent IDC report stated that last year the country purchased a total (public and private sector) of $9 million (US) worth of IT security goods and services. (This will shock my security team, who think that we are way under-staffed.) Still, there are one million smartphones and seven million citizens in Bulgaria.
11) Bulgaria has beautiful mountains, excellent skiing and seashore resorts on the Black Sea. The history of the country is amazing – dating back thousands of years. The past hundred years are a sad tale that they are trying to overcome. They have great wines and nice restaurants in Sofia.
12) Best compliment I received – One person was very surprised that I was a government employee, saying that government speakers in their country are “boring and put us to sleep.” He wanted to know, “Why are you in government?” And yet, both countries had many government employees and attendees at the conference.
13) Most interesting person I met – A man named Boris from Bulgaria who was a CISSP and a go-getter. He started as a bodyguard (he’s big) without a degree or any qualifications, but he’s worked his way into a senior consulting role in cybersecurity. His passion and expertise were obvious as he spoke and answered questions fluently in several languages. Very impressive. I also met an FBI agent from the Baltic region as well as several cyber experts from the US who are now expats living in Europe.
14) I was surprised to see New Horizons training as well as many other western companies represented at these events. Many of these businesses have parent companies in the USA. The FBI is also helping the law enforcement agencies with cyber cases in many of these Eastern European countries as well.
15) The students that I spoke with in Sofia, after a special speaking event at their IT Academy on Wednesday night, were very smart with good questions. Despite a lack of modern university facilities, there was a thirst for knowledge and a passion to learn. Local software companies were helping with building local technology talent.
Here is some other information that you may find interesting. These are the typical questions that I have been asked in the past by my colleagues in government and the private sector when I return from overseas as they try and process what I’m telling them about technology and security in a very different part of the world.
Why do I speak at these overseas technology and security events?
Beyond the kind invitations, I truly enjoy seeing and hearing about our security business from other perspectives, in other cultures, in other languages. We all know that the Internet is a globally-connected mesh of devices, and yet many professionals only see the network from an American (US) perspective. The articles and speeches we hear in the USA on cyber can become fairly predictable and repetitive, if we’re not careful to listen to others.
Although I have traveled fairly extensively around Western Europe and even lived in the United Kingdom (UK) for almost seven years in the 1990s, this was my first visit to both Prague (Czech Republic) and Sofia (Bulgaria). My daughter Katherine, who is on Spring break from her college in Chicago, traveled with me, which made the trip especially enjoyable. I also enjoy sightseeing in new places and different cultures with very unique histories.
Nevertheless, I limit my overseas travel - turning down the vast majority of international invitations to speak at conferences, so I can get the work done at home. I often route conference requests to respected colleagues around the country when I can't attend. Many friends are surprised that security and technology conferences are becoming much more widespread, with new events in Asia and even the Middle East now starting up.
Who pays for this and how do I get work done in such remote places?
OK – this always comes up. For all of my auditor-friends out there who (rightfully) keep track of these things… Yes, I was on annual leave all week (smile). Since we did quite a bit of sightseeing, I need to be above reproach on any overseas trips, even though my management insisted I did not need to use leave time on the days when I was participating in the conferences. Of course, IDC paid for my travel and conference entry expenses, so I didn’t charge the Michigan government for the trip.
In both cities, the excellent hotels had free (fast) Wifi that worked with my iPad. I was able to keep up with work email and even stay in touch with my family using Facetime video, although the video cut out at times and needed to be reconnected. (Note: even though my 3G Verizon mobile connectivity did not work on my iPad, this was only a minor inconvenience.)
Why do I bring family members along?
I plan on doing a separate blog on this topic later in April. But needless to say, this is always the best part of the trip for me. Katherine has been on many trips with me over the years, including a similar trip to speak at a global ICT conference in 2009 in South Africa. I’m a big believer in not just bringing our daughters and sons to work, but bringing our children on the road with us, when they are at the appropriate age to understand and handle the situations.
I love this saying: “If you want to go fast, go alone. If you want to go far, go together.” Not only does Katherine enjoy and learn from the experiences, I am a better speaker through her advice and help.
I started bringing Katherine to conferences with me when she was nine years old. She is now 19 and has seen numerous cities with me all over the USA and the world. I ask skeptics: is there a better way to build strong, positive relationships and teach our children at the same time? More than that, it makes the trips fun and memorable.
As on the trip to Moscow, I sometimes bring my wife Priscilla with me rather than my children. And yet, oftentimes, she cannot get away due to family and school commitments. So why not bring one of your children with you to a conference or training event?
Wrap-up
In conclusion, cybersecurity is a hot topic all over the world – as you might expect. According to the conference organizers and colleagues I spoke with, the IT Security Roadshow events are the most popular events that IDC offers in Eastern Europe – surpassing even their Cloud Computing and Datacenter Transformation Roadshows over time.
I learned a lot on the trip about cybersecurity projects and programs around Europe. But perhaps no lesson was more important than to be thankful for the resources and teams we have in the USA to fight cyber crime and mitigate risk.

Photo: Dan and Katherine Lohrmann in Prague
March 8, 2012 By Dan Lohrmann
Will new cybersecurity legislation pass in 2012? If yes, what will be included, what will be left out and which agencies or organizations will be in charge of various information sharing and monitoring roles? These are hot questions in DC right now.
Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS) posted an interesting blog on Tuesday. Titled: The Private Sector Agrees, We Need Cybersecurity Legislation Now, Mark points out that the status quo is simply not acceptable.
Here’s an excerpt:
“Congress is now poised to act on cybersecurity legislation. We must balance private sector innovation with government accountability to protect the nation’s cyber networks, safeguard individual privacy, and enhance the reliability and resiliency of our critical infrastructure.
There will be debates about the legislative proposals in days and weeks ahead, but we owe the American public some basic upgrades to laws that enhance a safer cyberspace…
We need for Congress to pass legislation that allows innovative thinkers from both industry and government to come together quickly and share information that is relevant to cybersecurity. We also need for that legislation to mandate increased and more robust privacy oversight, including penalties for misuse of voluntarily shared information. I came back to Washington last week filled with hope that we can deliver all of this and more because we are all in this together.”
And Mark is not alone. The Cybersecurity Law Blog quoted numerous sources who support new legislation, albeit with different views on who should (or will) be doing what. However, the reality of a new approach was almost a given in that piece. One quote was from a cyber expert at Kaspersky Labs who said:
"After Stuxnet, I got quite involved with the U.S. critical infrastructure, and what's very clear to me is that unless things are mandated by D.C., nothing is changing . . . These companies are being run for the bottom line, and there's simply no budget for anything that's not being mandated by D.C."
The Christian Science Monitor wrote about why the Cybersecurity bill in Congress is getting a big push from the Pentagon. The first sentence sets the tone:
“What keeps Pentagon planners today up at night, even more than the threat of a terrorist attack? It is the prospect of an act of cyberwarfare – an incursion into America’s financial systems, water treatment plants, or the electrical grid that keeps lights on and homes heated….
Legislation on Capitol Hill would require a certain degree of federal oversight of cyberprotection for “critical infrastructure” such as power stations and water plants. Disabling such facilities by attacking their computer systems, say defense officials, would be a “cyber Pearl Harbor.” The bill also would require private firms to let the government know when their systems are hacked.”
The list of articles highlighting the need for cybersecurity legislation in 2012 goes on and on. So is this a done deal? Well … this is an election year and partisan battles are raging.
While some groups like ISPs and civil libertarians are still saying no new regulations are needed, the holdup seems to be dueling bills between the two sides of the aisle. The public rhetoric emphasizes two extremes: a government Internet takeover on one side versus the very serious cyber threat to all critical infrastructures and our economy on the other. There is also debate over who should do what, such as whether the National Security Agency (NSA) should have control over domestic monitoring and/or information sharing – which would be a big change in policy.
A recent Reuters article reported this:
“A Senate aide, speaking on condition of anonymity, said the Senate is unlikely to pass either the McCain bill or the Democratic version and that talks on a possible compromise could begin in the coming weeks.
President Obama's proposed legislation, like the omnibus bill Reid wants, would leave DHS in charge of cybersecurity. DHS could ask for help from the NSA, but would be subject to closer oversight than actions led by the NSA and other parts of the Defense Department.”
What do I think? My view is that a cyber legislation deal will get done in 2012.
No, I don’t have any inside knowledge. Nor do I know what will be in the final deal and what will be left out.
Nevertheless, too much is at stake to do nothing until 2013. In my view, Mark Weatherford is right that the Internet is too vital and the risks are too high to hold off.
Could cyber legislation wait until after the election in November? Possibly – with a deal coming after Thanksgiving. But I hope it doesn’t take that long.
Like many around the world, I’m watching closely and seeing cyber holes that need to be filled. Bottom line, I agree that more can be done – and needs to be done – on cybersecurity in DC in 2012.
What are your thoughts?
March 4, 2012 By Dan Lohrmann
As discussed in several previous blogs, the term “hacker” can mean many different things to different people. For a large section of the 15-25 year-olds entering the programming world, hacking is a state of mind. To be a hacker is to apply an aggressive approach to attempting new things or to explore the unknown (or untested) with technology in the 21st century. Of course, you can be a “white hat” or “black hat” hacker (good guy or bad guy).
But where do hackers live and spend their time? Beyond Black Hat conferences around the world, where do hackers congregate online? As security pros scan the World Wide Web for the good, the bad and the ugly, we come across information, tools and methods that the majority of people don’t know exist. The hacker hangouts discussed in this blog are not unethical or illegal, but in some cases, it’s difficult to see how some of the materials could be used for good.
But regardless of my perspective, this information is everywhere. We do have freedom of speech in most of the western world and cyber crime toolkits have been for sale for a long time. Our freedoms extend to hacker websites that openly teach readers how to perform acts that the majority in society may frown upon. Still, there are numerous beneficial reasons to hack - especially to test security controls. Under the label of “for educational purposes only,” it is fairly easy for young people to get started as a hacker – with popular sites like Wikihow.com even joining in the fray.
So I thought I’d dedicate a blog to share some information that hackers already know – but the rest of the government technology community may want to think about. This piece is only intended to be a primer for those in the community who have spent little time or effort pondering such things. No doubt, some people learn the skills of the cyber trade at other sites, but hopefully, this is a thought-provoking start.
First stop is at a blog called Hacker The dude which also lists the top ten hacker websites from several years ago. This website also provides detailed hacker information on topics such as the Xbox Live being hacked. Spending some research time at this site is worth the effort with plenty of interesting topics and hacking history.
Second stop is at Hacker Dojo. This is a description from their website:
“For over 2 years Hacker Dojo has been a strong community and a great place to throw hackathons, conferences, classes, movie nights, and job fairs. These events (legally termed our "permission to assemble") are essential to the spirit of the Dojo.
In the past, the City of Mountain View had been more permissive of occupancy limits in buildings; however, due to fire code and Mountain View zoning regulations, our ability to hold large events is hampered and is currently capped at 49 attendees.
Now Hacker Dojo is launching a massive fundraising effort so that we can renovate our building and invite everybody back to assemble again!
We're expecting renovations to cost well over $250,000, and we're very grateful for the community's support.”
SIDE NOTE: After originally posting this piece, I received an update email from David Weekly at Hacker Dojo. He pointed out several things to me, and I revised my words on Hacker Dojo's role and organizational purposes. David wanted me to mention that: "Most people there are learning how to program to create websites, or create companies or contribute to open source projects...."
This does sound like a very noble endeavor to train people and grow relevant job skills, and he even offered me a tour and more to learn more about them. I appreciate the quick follow-up from David. This is certainly a group that fits into the "white hat" side of the world with good intentions.
Still, the name chosen by this group shows the wide variation in the use of the word "hacker" on the Internet. David even highlighted the website hackerspaces.org, which lists many similar professional situations all over the country. Looking back, I may have slightly misrepresented this organization initially based upon their web presence and what I read about them online.
Third stop, a website called Daily Hacking Tips with an article about FUD Crypter. This website is on the list to provide a “darker side” example. (I find it interesting that hacker toolkits and all kinds of software are also available simply by googling words like “hacker toolkits.”) Here’s an excerpt from the Daily Hacking Tips website:
"What Is FUD Crypter?
FUD is an acronym for fully undetectable. It is software that can be used to encrypt your exe files.
What is the use of FUD Crypter?
FUD crypters can be used to encrypt viruses, RATs, keyloggers, spyware, etc. to make them undetectable by antivirus products.
How Does FUD Crypter Work?
The Basic Working Of FUD Crypter is explained below
The Crypter takes the original binary file of your exe, applies many encryptions to it and stores it at the end of file (EOF). So a new crypted executable file is created….”
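The excerpt describes the artifact a defender can look for: the encrypted payload is stored past the end of the original executable, which in Windows PE terms means data beyond the highest PointerToRawData + SizeOfRawData of any section (the "overlay"). The following Python check is an added example written for this post; it is not code from Daily Hacking Tips, from any crypter, or from the original blog. The PE header offsets it reads are the documented IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER layout; the sample image it builds is constructed by hand for the demonstration, and the size and entropy thresholds are assumptions for triage, not published indicators.

```python
"""Overlay triage for PE executables.

Added example, not code from the crypter site quoted above. Crypters of the kind
described there leave the encrypted original past the end of the last declared
section; this script measures that overlay. Assumptions: the sample PE bytes are
constructed here, and the thresholds in overlay_is_suspicious() are illustrative.
Caveat: legitimate binaries also carry overlays (installers, self-extracting
archives, Authenticode certificate tables), so treat a hit as a triage signal.
"""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_overlay(data: bytes) -> dict:
    """Locate the overlay: bytes past the highest PointerToRawData + SizeOfRawData.

    Raises ValueError if the input does not carry the MZ and PE signatures.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size       # first IMAGE_SECTION_HEADER
    end = section_table + 40 * num_sections    # never earlier than the headers
    for i in range(num_sections):
        hdr = section_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    return {"offset": end, "size": len(overlay),
            "entropy": round(shannon_entropy(overlay), 2)}


def overlay_is_suspicious(data: bytes, min_size: int = 512,
                          min_entropy: float = 7.0) -> bool:
    """Triage rule with assumed thresholds: a sizeable, near-random overlay."""
    info = pe_overlay(data)
    return info["size"] >= min_size and info["entropy"] >= min_entropy


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo: one .text section, then overlay.

    Not a runnable program; only the header fields the check reads are meaningful.
    """
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, zero timestamp/symbol fields, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = b"\0" * opt_size
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 unused bytes
    section = (b".text\0\0\0"
               + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + b"\xC3" * raw_size + overlay


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sample = f.read()
    else:
        sample = build_sample_pe(bytes(range(256)) * 4)  # constructed high-entropy overlay
    print(pe_overlay(sample), "suspicious" if overlay_is_suspicious(sample) else "benign")
```

Run it with a file path to inspect a real binary, or with no arguments to see the constructed sample flagged. The entropy measure is what separates an appended encrypted payload from, say, a plain-text configuration block, but a packed or signed legitimate binary can score high too; pair the result with a signature check and the size of the overlay relative to the declared sections before escalating.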
Stop number 4 is Hack This Site.org which boasts over 5000 unique visitors per day and promotes: “A free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.”
My final stop in this blog is over at the US Cyber Challenge with Netwars – the ultimate online game. If you want to try out your hacking skills in a safe, legal way, visit this website and try your hand. This is from the website:
“Netwars is the ultimate online game: an adventure across the Internet. You can play as an analyst, a penetration tester, a defender, or any combination. You earn points by finding keys, moving to higher levels, capturing services such as a website, overcoming obstacles (attack techniques) and protecting resources (defensive techniques). You can see the other players' scores and your own points scored, live, or on an overall scoreboard."
In conclusion, there are plenty of resources and tools that are available online for free to help learn more about hacking and hackers. It’s worth visiting a few of these sites to test your cyber knowledge and/or begin your hacker “state of mind” journey.
Any other hacker websites to recommend?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
