By Ben Bain
FBI Director Robert Mueller wants companies to share information with authorities after they have been victimized by cyber criminals.
In a recent speech at a cybersecurity conference in New York sponsored by the FBI and Fordham University, Mueller said bureau officials would do their best to minimize disruption to businesses that share such information and would in turn share the bureau's information about the means and methods of attack as quickly as possible.
“We do not want you to feel victimized a second time by an investigation,” he said Aug. 5, according to a copy of the speech released by the FBI.
The government wants industry to share more information about cyberattacks because most of the country’s critical infrastructure is in private hands. Meanwhile, some industry officials say the government needs to share more data with companies, and they worry that the data they share with the government could become public and hurt business.
“Remember that for every investigation in the news, there are hundreds that will never make the headlines,” Mueller said. “Disclosure is the exception, and not the rule. That said, we cannot act if we are not aware of the problem. Maintaining a code of silence will not benefit you or your clients in the long run.”
Mueller also discussed cyber terrorism. He said terrorists have not used the Internet to launch a full-scale cyberattack but have executed denial-of-service attacks and defaced Web sites.
“As you well know, a cyberattack could have the same impact as a well-placed bomb,” he said, adding that in the past decade, al Qaeda’s online presence “has become almost as potent as its physical presence.”
Posted on Aug 09, 2010 at 1:16 PM
The 2010 Intelligence Authorization Act, which the Senate passed today, includes a provision that would increase oversight for intelligence-related multiagency cybersecurity programs that involve the use of personally identifiable information.
Section 337 of the bill (S. 3611) “sets forth a preliminary framework for executive and congressional oversight to ensure that the government’s national cybersecurity mission is consistent with legal authorities and preserves reasonable expectations of privacy,” according to a report from the Senate Select Intelligence Committee, which cleared the bill last month. The legislation that the Senate cleared today included one amendment, but it didn’t alter the focus of the bill’s cybersecurity provisions.
The report said the definition of cybersecurity programs in the section “intentionally excludes firewalls, anti-virus programs and other routine programs.” It also excludes individual cyber operations or cyber information-sharing conducted in a non-programmatic fashion, such as the sharing of a piece of information for a particular investigation.
The section “instead focuses on multiagency cybersecurity programs in which large amounts of information are characterized, screened, or inspected for the purpose of protecting government networks,” the report said. “These types of programs pose challenging new legal and privacy questions that make congressional and Executive branch oversight particularly important.”
Specifically, the bill would require the White House to notify Congress about cybersecurity programs and provide lawmakers with information on a program’s legal basis, certifications of the program’s legality, concepts of operations, privacy impact statements and plans for independent audit or review of the program.
For existing programs, the notification and documentation would need to be provided within 30 days of the enactment of the bill. The notification and documents for new programs would be required within 30 days of the commencement of the program, assuming the bill became law.
The notification requirements are intended to ensure that Congress knows of significant legal, privacy and operational aspects of each new cybersecurity program, the report submitted by the committee chairwoman, Sen. Dianne Feinstein, said.
The committee report said a certification of a cybersecurity program as described by the bill would have to address the legality of the program as a whole and would have the potential to authorize providers of wire or electronic communication to provide significant assistance to the government, without fear of litigation.
“Given the potential impact of any certification, the committee believes that significant congressional oversight is warranted,” the report said.
In addition, heads of agencies with responsibility for a cybersecurity program would have to work with their inspectors general to prepare a report describing the results of any audit or review under the audit plan and assess whether the cybersecurity program is in compliance with and adequately described by the documents submitted to Congress.
“This subsection is designed to provide an independent check that the agencies are conducting cyber operations in a manner consistent with executive branch guidance and to supply Congress more information about the operation of those programs,” the report stated.
In addition, according to the report, the bill would:
- Require inspectors general to prepare a report on the sharing of cyber threat information inside the government and with those responsible for critical infrastructure one year after the bill would be enacted.
- Allow intelligence community experts to be made available to the Homeland Security Department through a detail program.
- Require the Director of National Intelligence to have a plan for recruiting, retaining and training an adequate cybersecurity workforce and to assess the capabilities of the current workforce.
- Have the DNI work with the attorney general, the head of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the DNI considers appropriate to submit three annual reports containing guidelines or legislative proposals to improve the cybersecurity capabilities of intelligence and law enforcement agencies.
Posted on Aug 05, 2010 at 3:04 PM
The Obama administration is working on an update to a classified presidential directive signed during the George W. Bush administration that guides the government’s overall cybersecurity efforts.
The White House’s National Security Staff is developing the update to the directive that established the Comprehensive National Cybersecurity Initiative (CNCI), according to a document released July 14. The resulting changes to the government’s national strategy will incorporate aspects of President Barack Obama’s Comprehensive Cyberspace Policy Review, released in May 2009, the document said.
The administration described plans to update the directive in a document it released to highlight progress it said has been made since the release of that review during a speech by Obama on cybersecurity. The Obama administration released an unclassified outline of the CNCI earlier this year. The actual Bush-era directive remains a government secret.
“Since the president’s speech last year and the release of the President’s Cyberspace Policy Review, the administration has taken concrete steps to make cyberspace more secure,” White House Cybersecurity Coordinator Howard Schmidt said in a post on the White House blog.
Schmidt said that since the review was released:
- The administration has released for public comment a plan for secure, voluntary, privacy-enhancing credentials for authenticating identities in cyberspace;
- The Homeland Security Department has been developing a National Cyber Incident Response Plan to ensure that there is a coordinated national response to a significant cyber incident;
- The administration has released new performance metrics for agencies under the Federal Information Management Security Act (FISMA) for more continuous monitoring of security; and
- Obama has appointed a cybersecurity coordinator and a privacy and civil liberties official, and the administration has released documents outlining cybersecurity initiatives to ensure greater transparency.
Obama, Schmidt, Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke met with interested parties from industry, state and local governments, academia and privacy and civil liberties groups in Washington on July 14 to discuss cybersecurity. The event was not open to the press.
Posted on Jul 15, 2010 at 8:25 AM