November 4, 2012 By Dan Lohrmann
We currently have several important security stories and not much public attention.
As America prepares to vote in a pivotal presidential election on Tuesday, there have been several significant security stories recently. However, they are receiving minimal national attention. Between the coverage of Tropical Storm Sandy, pre-election rallies and the latest unemployment rate coverage, almost all security news has taken a back seat – unless you are talking about the September 11, 2012, Benghazi attack.
South Carolina Data Breach Reactions
Nevertheless, state and local government leaders have quietly been scurrying around after South Carolina recently revealed the vast scope of its security breach.
From my perspective on the S.C. breach, I have never seen such a wide number of questions and urgent security checks from the business side of the house in many states. Tax officials across state and local governments nationwide seem worried as never before. Everyone is asking some variation of the questions: “Could this happen to us? Has it happened to us?”
For those who have not heard about or followed this story, more data came out mid-week with the announcement that businesses were affected:
“As many as 657,000 S.C. businesses had their tax information stolen in the massive security breach at the state Department of Revenue that also claimed the records of up to 3.6 million people, Gov. Nikki Haley said Wednesday….
The discovery came after a two-hour Senate Finance Committee hearing, where Revenue Department director James Etter pointedly was asked whether business records also had been taken by the hackers. State officials still are learning more about the data theft, which is affecting four times as many people as all previous breaches combined in the state over the past seven years.”
State governments across the U.S. reacted in a variety of ways following the announcement of what one paper called: “The mother of all security breaches,” and “The largest breach against a state tax agency in the nation.”
But while there were plenty of articles, phone calls and online discussions about what exactly happened and who is (or isn’t) to blame, the exact breach details are still not clear to those outside the sensitive Secret Service investigation in South Carolina. I am confident that we will be hearing much more on this story in the weeks and months to come.
What is clear to me is that this is a big wake-up call for government officials – even more so than after the Utah data breach earlier this year. More and more, government executives are realizing that we face serious global cyberdefense challenges that affect governments at all levels. As I said in April, there are dark clouds over technology, and we are all vulnerable and being targeted. Action cannot wait. I’ll be back with more on this story in a few weeks.
Is An Executive Order on Cybersecurity Still Coming?
There continues to be a strong chance that an executive order on cybersecurity is coming soon – perhaps in the upcoming lame duck session of Congress.
“[Homeland Security Secretary Janet Napolitano] said that "when" President Obama is reelected, "I think he will have to consider an executive order that covers many of the areas that legislation would cover."”
But a Heritage Foundation blog thinks this is still a bad idea, pronouncing that more regulation is coming.
“This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.”
A similar view is shared by some of my friends over at CIO Magazine.
Still, the Chicago Tribune reported that the Senate is likely to revisit the cyber bill when Congress returns.
As I hinted back in March while discussing cybersecurity legislation, my guess is that some type of executive order or legislation on cybersecurity may still come in November or December after the election. I continue to hope that a bipartisan compromise can be reached.
A Treaty on Cyber?
Meanwhile, The Hill reports that the United Nations (UN) wants cybersecurity mandates to be in a new telecommunications treaty. Many countries are:
“Pushing to include cybersecurity proposals in the treaty that could lead to online censorship or put one regulatory body in charge of cybersecurity mandates….
The U.S. submitted a baseline set of proposals for the telecom treaty in August. The latest tranche of proposals it's sending to the U.N.'s International Telecommunications Union are more concrete positions that are in response to proposals discussed by other countries and trade groups.
The treaty will be reviewed for the first time since 1988 at the World Conference on International Telecommunications (WCIT) in Dubai this December....”
I find the timing of this and a variety of other cybersecurity topics to be interesting, in that new proposals are being sent the day after the election. This may just be a coincidence, but one thing is clear: whether for political reasons or more likely because other topics have a higher priority during the election season, quite a few cybersecurity issues are lining up for the November/December 2012 timeframe.
Tropical Storm Sandy Scams
One more story to point out in this security news roundup. As can now be expected after almost every major global news event, and especially with natural disasters, there are many Tropical Storm Sandy scams being revealed.
“State attorneys general, business and consumer groups and the Justice Department are among those cautioning consumers to be wary as requests for donations start arriving via email, text message, telephone and Twitter.
‘Fraud is an unfortunate reality in post-disaster environments,’ said Joe Wehrle, president of the National Insurance Crime Bureau, a nonprofit group which deals with vehicle sales and repairs fraud. ‘As the initial recovery from Hurricane Sandy begins, there are people right now who are planning to converge on the affected areas in order to scam disaster victims out of their money.’”
USA Today reported: Beware: Time is ripe for Hurricane Sandy scams
“A decade ago fraudsters had to rely on phone calls to deliver their high-pressure sales pitches. Then they were able to use e-mail. Now social media adds an entirely new weapon to their arsenal.”
What’s my advice as we head past election day and into the holiday season? No matter who wins the election on Tuesday, watch out for post-election scams to match or exceed the Tropical Storm Sandy scams - beginning this Wednesday morning. The bad guys will do anything to "tempt the click."
Also, stay informed on the security threats in your corner of cyberspace. We need to be ready – because these hot security stories won’t go away even after the election and the Tropical Storm Sandy cleanup move off of the front pages.
October 23, 2012 By Dan Lohrmann
Day 2 at the NASCIO annual meeting, and one hot topic is the new Cybersecurity survey results that were released this morning called
October 22, 2012 By Dan Lohrmann
I am at the National Association of State CIOs Annual Conference in San Diego, and here are some of the first day highlights.
The roundtable sessions over breakfast covered over a dozen topics, and I attended a session on BYOD led by the CIO from Delaware. The session was excellent with comparisons between public and private sector organizations on the use of different mobile devices. All of the topical discussion sessions seemed well attended, and it was a great way to engage professionals from around the country with different approaches to this cutting-edge issue.
The opening keynote was called: Overhauling the Ship: Extreme Government Makeover - led by Ken Miller who is the Founder of the Change and Innovation Agency. He used a lot of analogies and his basic message was that "the house of government doesn't need another layer of paint or new carpets, but an extreme makeover." His points on process improvement were very well made.
The next session covered multi-jurisdictional collaboration with panelists from Michigan, North Carolina, Montana and Cook County, Illinois. The examples and stories made it clear that more sharing of services is coming nationwide - both within states and across state lines. Great session that was lively with a good Q/A session afterwards.
After lunch, there was a general session which covered the results of a State CIO survey by TechAmerica and NASCIO. Priorities discussed included: mobile devices and applications, social media, cloud computing, big data and the public safety broadband network. The examples and overall discussion were excellent.
I also attended a breakout session called "Batten Down the Hatches on Health Data Exchange" which was a great look at the latest security and privacy actions being taken in California, Arkansas and around the country. It is clear that progress is being made on health data, but many hurdles remain. The panelists were not as optimistic on this topic as they were a year ago, and many questions from the audience seemed to have "we'll see" answers to them.
Tonight, the NASCIO best-practice awards to states are given out at dinner.
More after Day 2.
Are you at the NASCIO conference? Any comments to share?
October 19, 2012 By Dan Lohrmann
The National Association of State Chief Information Officers (NASCIO) is holding their annual conference in San Diego this year from October 21-24, 2012.
The agenda is packed with many interesting topics, such as an opening keynote by Ken Miller, Founder, Change & Innovation Agency. Here’s how this 90-minute session is described in the program:
“Pinnacle General Session Overhauling the Ship: Extreme Government Makeover
Government is under incredible pressure right now. The economic crisis has hit us with a double whammy: exponential increases in demand and dramatically reduced resources. How have we responded to these new pressures? By trotting out the old ideas. We outsource, upgrade and right-size. The house of government doesn't need another layer of paint or some new carpet -- it needs an extreme makeover. And just like on the show, it needs it done fast! This presentation makes obvious the real problems plaguing government, how you can join the crew and gives you the tools to complete the makeover.”
There are several interesting sessions on topics ranging from multi-jurisdictional collaboration, to health data exchange, to data and analytics to the “choppy seas of outsourcing.”
On the cybersecurity side, there are three sessions that are of special interest to readers of this blog. On Monday afternoon, there is a breakout session on mobile device management. That session is described this way:
“Striving to Protect: Mobile Device Management and Security
Whether the data is in your pocket, on your desktop or in your network, how do you strive to protect the information and manage the devices? … And a new generation of workforce and citizens used to being connected -- anytime, anywhere, all the time - are requiring CIOs to rethink policy and security….”
On Tuesday morning, there is a panel session discussing the results of the cybersecurity survey sent from state governments and U.S. territories. I am participating in this session, and the session is presented with the title and description:
“State Governments at Risk
NASCIO initiated the 2012 cybersecurity study to assist state leaders in understanding the current cybersecurity environments and to provide key insights to aid state leaders in making informed decisions relative to cybersecurity threats, risks, priorities and strategy. Survey questions covered topics across information security governance, budget, use of security technologies, quality of operations and more. This special briefing will be an interactive session covering the aggregated study results.”
Last, but not least, there is an important session entitled:
“Charting the Course: Public Safety Broadband
We have all heard that Congress reallocated the 700-MHz D-Block spectrum to public safety and established the FirstNet Board to create a nationwide public safety broadband network for first responders. Come and hear what the creation of this network can mean to state government and how first responders and others will use the network….”
Other topics include data transparency, redesigning procurement and the explosion in mobile applications.
I think this agenda looks outstanding overall, and the best part is almost always the networking and side-discussions. I know we say this every two years or so, but I think we are at an important crossroad in state government support of technology and security, and I find these annual NASCIO conferences to be “must-attend” events each year.
It is easy to gain “tunnel vision” regarding the activities locally, but NASCIO always provides insights on the national picture. With the election coming up soon after the conference, the conversations always get interesting.
In addition to the topical experts who speak, I like hearing the perspectives from CIOs from around the country. There are always plenty of federal partners in attendance as well who want to talk about various interfaces and systems. Not to be outdone, our vendor partners will be available to brief us on their latest offerings.
Lastly, I will be writing a blog on my thoughts about the national cybersecurity survey as well as observations from several other sessions. I look forward to seeing many of you in San Diego next week.
October 14, 2012 By Dan Lohrmann
Senior officials in the U.S. government believe that Iranian hackers are responsible for a new wave of significant cyberattacks. These unprecedented cyberattacks were very destructive in nature, and crippled several Persian Gulf oil and gas companies.
Last week, CBS News reported that “U.S. officials say a cyber attack against ARAMCO, has been traced to hackers inside Iran. This attack is yet another volley in an increasingly high stakes war going on in cyberspace. Defense Secretary Panetta warns that potential enemies, including Iran, are developing the capability to launch devastating attacks.”
Back in September, hackers hit 30,000 computers at the world’s biggest oil companies. Sky News reported:
“Saudi Arabia's national oil company was hit after at least one insider with high-level access allegedly assisted hackers to wreak havoc on the company's network last month.
The attack, using a computer virus known as Shamoon against Saudi Aramco, is one of the most destructive cyber strikes conducted against a single business. Shamoon spread through the company's network and wiped computer hard drives clean."
According to the Washington Post, Defense Secretary Leon Panetta said the cyberthreat from Iran has grown, and he declared that the Pentagon is prepared to take action if America is threatened by a computer-based assault.
The Wall Street Journal gave significant front page attention to these recent cyberattacks. Here’s an excerpt:
“U.S. agencies have been assisting in the Gulf investigation and concluded that the level of resources needed to conduct the attack showed there was some degree of involvement by a nation state, said the former official. The officials spoke on condition of anonymity because the investigation is classified as secret.
‘Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for their actions that may try to harm America,’ Panetta said in a speech to the Business Executives for National Security. He later noted that Iran has ‘undertaken a concerted effort to use cyberspace to its advantage.’"
Cyberattacks Against Banks
Back in late September, Iran was also named as the source of several cyberattacks against Bank of America, JPMorgan and Citi. According to Reuters:
“The attacks, which began in late 2011 and escalated this year, have primarily been ‘denial of service’ campaigns that disrupted the banks' websites and corporate networks by overwhelming them with incoming web traffic, said the sources.
Whether the hackers have been able to inflict more serious damage on computer networks or steal critical data is not yet known. The sources said there was evidence suggesting the hackers targeted the banks in retaliation for their enforcement of Western economic sanctions against Iran.”
It should be noted that Iranian officials have denied hacking U.S. banks. Instead, Iran accused U.S. officials of “demonizing Iran in cyberspace to portray the country as a global threat to cyber security and justify the U.S. and Israeli cyber attacks on Iran."
How Effective Are These Cyberattacks?
Meanwhile, Yahoo News reported that “Iran has a growing legion of low-grade hackers that are quickly becoming a pain in the side of the Obama Administration, and financial companies….
The potential danger of Iran, or anyone causing havoc digitally is something the administration knows they have to consider, which is why the government spends $3 billion annually on digital defense.”
What is clear is that both business and government leaders around the world are very concerned about this escalation of attacks in cyberspace. Many are now thinking that we are entering a new cyber Cold War, with cyberhacking threats taking the place of 20th century nuclear weapons.
What makes this situation so much more complicated is that we have many different nation-states now entering and/or already participating in this cyber Cold War. Besides Iran and China, dozens of countries are thought to be boosting their cyberwar capabilities – whether that focuses solely on cyberdefense or includes more cyberattack capabilities remains to be seen.
What is not in doubt is that Stuxnet and Flame have recently cleared the way for a new chapter for nation-state sponsored or approved cyberattacks. Nations are scrambling to stay ahead of others and/or to gain advanced cybersecurity capabilities.
Where is this heading? Check out this video interview with Eugene Kaspersky from back in June, 2012. Kaspersky is recognized as a global expert on a variety of cybersecurity topics, and he helped launch the now famous company that bears his name. He describes “the end of the world as we know it” in this video piece with a new era of “cyberweapons, cyberwar and cyberterrorism.” Scary stuff.
Why Release This Information Now?
There is no doubt in my mind that the events of the past week have ratcheted-up the pressure even further on cybersecurity, if that is possible.
So why did Defense Secretary Panetta give this speech now? Are these attacks getting worse? Given that we are in the middle of an election campaign, what is the significance of naming Iran? Yes, I think Iran is being warned, but could an executive order on cyber still be coming soon?
I suspect there still may be an executive order coming on cybersecurity, and these Iranian cyberattack realities may be named as a big part of the reason why. As I have said before, I think that the time for government action, hopefully with bipartisan legislation, is now.
I’d love to hear your thoughts.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.