Large businesses spend too much money trying to comply with cybersecurity mandates and not enough to keep their high-value secrets from being stolen, according to a new study from Forrester Research.
"Enterprises are overly focused on compliance and not focused enough on protecting their secrets," said the study, which was released yesterday by Microsoft Corp. and RSA, the security division of EMC.
Forrester separated sensitive data into two groups: company secrets and custodial data. "Legislation, regulation, and contracts compel enterprises to protect custodial data," it noted. "Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state."
"Data that is ordinarily benign transforms into something harmful," it warned. "When custodial data is spilled, it becomes 'toxic.'"
Businesses that participated in Forrester's survey indicated that they spent about equal amounts protecting trade secrets and custodial data. But the survey suggested that trade secrets were much more valuable and needed more protection. -- TL
Tuesday, April 6, 2010
Friday, March 19, 2010
Rules of Cyber War
"The Washington Post" this morning published an interesting report about the U.S. dismantling a Saudi Arabian website that anti-U.S. forces might have been using to coordinate attacks in Iraq. The article raises questions about the adequacy of U.S. policies governing cyber war.
When George W. Bush was president, intelligence officials apparently were forced "to refine doctrine as it executed operations," the article says. "Cyber was moving so fast that we were always in danger of building up precedent before we built up policy," former CIA Director Michael Hayden told the paper.
One question raised by the story deserves additional discussion: When is a cyber attack outside the theater of war allowed? Some military strategists would argue that the theater of war has no boundaries in cyberspace. "Every networked computer is on the front line," the U.S. Joint Forces Command said in a report released this week. In other words, if the U.S. is at war and its adversaries are using cyberspace, then all of cyberspace is a war zone.
Another puzzling aspect of the story: If the troublesome website was established by the CIA and Saudi government to gather intelligence on jihadists, why did it take a team of NSA experts to dismantle the site, with resulting collateral damage to other parts of the Internet? -- TL
Thursday, March 18, 2010
Flirting with Regulation
Companies that control key infrastructure have so far remained largely free of regulations to ensure that their information technology systems are secure. But policy-makers appear to be in the early stages of considering such rules.
Exhibit A: Legislation that would require the Department of Homeland Security to study an assortment of regulations was adopted this week by a House subcommittee. The bill allocates funds for research into, among other things, the efficacy of (1) "mandated reporting of security breaches" that threaten critical infrastructure; (2) "regulation that imposes, under threat of civil penalty, best practices" on operators of critical infrastructure; and (3) "accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted 'red-team' simulated attacks or exercises."
Exhibit B: The "Rockefeller-Snowe Cybersecurity Act" introduced this week would require the president and critical infrastructure industries to develop cybersecurity best practices, which the companies would be expected to follow. Independent audits would be conducted, and companies that fell short would have "to work collaboratively with the government and private sector colleagues within their critical infrastructure sector (via existing sector coordinating councils) to develop and implement a collaborative remediation plan."
Exhibit C: The FCC's national broadband plan unveiled this week proposes expanding network outage reporting rules that now apply only to traditional telephone service. The FCC would like the rules to apply to all broadband network services. The FCC also proposed a "voluntary cybersecurity certification program" for businesses.
None of the above examples present major challenges for the private sector. In fact, several industry associations have successfully steered Congress and the FCC away from regulatory solutions for cybersecurity. But policy-makers like to create rules, and they're still learning about cybersecurity. -- TL
Tuesday, March 16, 2010
Beyond Boilerplate
The national broadband plan that the FCC issued today offers few surprises in the cybersecurity realm. The plan was assembled in public, and its recommendations -- at least those pertaining to cybersecurity -- were largely known weeks ago.
In some ways, however, the FCC has managed to one-up other agencies by offering proposals that might actually move the ball on cybersecurity policy. For example, the FCC wants to require broadband service providers to follow the network outage reporting rules that now apply only to traditional telephone service.
"The timely and disciplined reporting of network outages will help protect broadband communications networks from cyber attacks by improving the FCC’s understanding of the causes and how to recover," the report says. "This will help improve cybersecurity and promote confidence in the safety and reliability of broadband communications."
Another example: The FCC wants to create a "voluntary cybersecurity certification program." It notes that many businesses aren't making cybersecurity a priority.
"A voluntary cybersecurity certification program could promote more vigilant network security among market participants, increase the security of the nation’s communications infrastructure, and offer end-users more complete information about their providers’ cybersecurity practices," the plan says.
Sure, the plan also contains the conventional boilerplate recommendations about multi-year roadmaps, milestones, public awareness, and international outreach. But it appears that somebody at the FCC is unafraid to consider new cybersecurity rules and programs. -- TL
Wednesday, March 10, 2010
Tightening the Screws
Look out, Waledac botnet. Microsoft isn't done with you yet.
Not content with merely disabling the botnet's lines of communications, Microsoft this week asked a federal court for permission to serve subpoenas on Internet service providers and set up a system to capture IP addresses that contact the domains formerly used by the botnet.
The purpose: to locate the botnet's unknown human operators. "Microsoft has good reason to believe that it will be able to identify, name, and serve the 'John Doe' defendants if granted authority to conduct formal discovery for 90 days," the company told the court in a March 9 request.
Microsoft has located one of the John Does in Beaverton, Ore., and has decided that his domain was being used by an unknown third party. He apparently is cooperating with the company. The other 26 defendants, however, are thought to be in China. The judge is expected to rule on Microsoft's request next week. -- TL
Thursday, March 4, 2010
Blaming China
China is frequently blamed for cyber attacks on the U.S., although Chinese authorities complain that they are just as often victims. A new article in Foreign Policy offers a more nuanced portrait of the Chinese government's role.
"The hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented -- and sometimes unruly -- patriotic hackers," it reports. "Mix together widespread youth nationalism with a highly wired population -- China now boasts the most Internet users in the world, with 384 million people online -- and out comes patriotic hacking."
"The fact that these hackers' interests overlap with Chinese policy does not mean they are working on behalf of Beijing," it adds. "It helps, however, that Beijing turns a blind eye to their attacks."
On the latter point, some U.S. cybersecurity experts would like the U.S. government to take a stronger stance toward countries that tolerate cyber attacks. "We talk to Russia and China about a lot of things, but we've never made this a big issue," noted Richard Clarke, a former White House cybersecurity adviser, during an appearance this week at the RSA conference in San Francisco.
His solution: an international treaty that would require national governments to crack down on hackers within their borders and cyber "arms control" that would acknowledge that governments have an incentive to use cyberspace to attack and spy on adversaries, but would limit the tools and techniques they could use. -- TL
Tuesday, March 2, 2010
Meet John Doe
John Doe no. 21 lives or works -- or picks up his (or her) mail -- at Jiuyangxi Road 12 in Shanghai. Number 22 has some sort of office in a shopping center in Beaverton, Ore., near a Computer Moms outlet and Beaverton Ship & Pack.
Altogether, there are 27 of these John Does, according to Microsoft Corp., and they are -- or were -- in charge of a huge botnet known as Waledac. The past tense might be appropriate because Microsoft claims it has beheaded Waledac.
With a court order in hand, Microsoft has disabled 277 Internet domains that helped Waledac's brain communicate with its body -- the thousands of "zombie" PCs that the botnet commandeered to do its dirty work, including reproducing itself and sending out spam pushing dubious products and services.
Some security experts doubt that Microsoft has killed Waledac, but its approach is novel. It obtained a temporary restraining order that required VeriSign, Inc., which controls ".com" Internet names, to pull the plug on the domains that Microsoft believes were a major part of the botnet's communications infrastructure.
The restraining order expires on March 8, but that might not be a problem for Microsoft. Judge Leonie Brinkema, of U.S. District Court for the Eastern District of Virginia, has ordered all 27 of the John Does to attend a March 8 hearing "to show cause, if there is any," for not making the injunction permanent and taking further action against them for violating an assortment of U.S. laws. John Doe no. 21 better call his travel agent. -- TL
Wednesday, February 24, 2010
Hair-raising Testimony
"If the nation went to war today in a cyber war, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose."
That was one of several alarming predictions offered yesterday by Michael McConnell, former director of national intelligence, in testimony before the Senate Commerce, Science, and Transportation Committee.
Here's another: "We will not mitigate this [cybersecurity] risk. We will talk about it. We will wave our arms. We will have a bill. But we will not mitigate this risk, and as a consequence of not mitigating the risk, we're going to have a catastrophic event."
"In our wonderful democracy, it usually takes a forcing function to move us to action," he said. "It's going to take that catastrophic event."
What might happen? He suggested that China and Russia -- countries that are frequently blamed for cyber attacks and cyber espionage -- would not benefit from a large-scale raid on U.S. networks. Likewise, cyber criminals have no interest in hindering the flows of money and data that keep them in business.
A third category of cyber villain, however, poses a greater danger -- the "non-state actor" who is not motivated by greed but hews to "a different world view" and wants "to destroy the information infrastructure which powers much of the modern world," Mr. McConnell testified.
The coming cyber catastrophe will spur the federal government to dramatically increase its oversight of the Internet, he said. The only thing that might head off that scenario, he argued, is solid legislation that unifies the federal government's cybersecurity efforts, provides money for training, and demands more from both the public and private sectors.
Other witnesses offered similar views, which undoubtedly pleased the committee's chairman, John D. (Jay) Rockefeller (D., W.Va.), who has a bill pending that would implement many of Mr. McConnell's recommendations. -- TL
Monday, February 22, 2010
Senate Eyes Cybersecurity
The U.S. Senate will take the next step toward adopting cybersecurity legislation with a hearing tomorrow before the Commerce, Science, and Transportation Committee.
The panel's chairman, John D. (Jay) Rockefeller (D., W.Va.), has introduced legislation with Sen. Olympia Snowe (R., Maine) that would direct the president to implement a comprehensive national cybersecurity policy and conduct a quadrennial review of the “cyber posture of the United States.”
The hearing is the Senate's first on the topic since the House approved the Cybersecurity Enhancement Act of 2009 (H.R. 4061), which would authorize the National Science Foundation to spend $395 million over five years on cybersecurity grants and $94 million on cybersecurity scholarships, among other things.
Sen. Rockefeller's bill is one of several legislative vehicles that could result in cybersecurity legislation reaching a House-Senate conference committee this year. Witnesses who are scheduled to testify at the hearing include Michael McConnell, former director of national intelligence; James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies; Scott Borg, director of the U.S. Cyber Consequences Unit; Jamie Barnett, chief of the FCC's Public Safety and Homeland Security Bureau; and Mary Ann Davidson, Oracle Corp.'s chief security officer. -- TL
Friday, February 19, 2010
More 'Voluntary' Cybersecurity Rules?
The Federal Communications Commission may soon urge more government action to shore up the cybersecurity posture of communications services providers in the U.S., but whether the recommendations have much bite to them remains to be seen.
FCC staff said yesterday that the agency’s national broadband plan now nearing completion may recommend creation of a “voluntary cyber security certification program” for communications service providers, as well as creation of a “cyber security information reporting system,” and a requirement for broadband service providers to submit network outage reports to the government -- something that is already required of other communications service providers, although those reports are kept from public view.
At this point, it’s impossible to say what exactly will end up in the national broadband plan -- which is due to be delivered to Congress on March 17 -- and whether any of the plan’s recommendations, particularly those dealing with cybersecurity, could be accomplished under the FCC’s current statutory authority or whether they will have to be tossed to Congress for any action. Stay tuned here, and in TR’s Cybersecurity Policy Report.
Thursday, February 18, 2010
Cyber Insecurity
Public-private partnerships. Standards and best practices.
Those have been the mantras of the cybersecurity policy community for several years now. The dominant argument has been that mandates on the private sector are costly and ineffective, and the recent parade of news stories about cyber attacks on public and private entities has not shaken that belief.
Will that eventually change? Will there be one -- or a series -- of precipitating events that will spur policy-makers to alter course?
Consider the events of the past week. On Tuesday, a centrist think tank staged an elaborate cyber attack simulation and concluded that the U.S. was woefully unprepared. Today, a cybersecurity firm, NetWitness, announced that it had discovered a major botnet infestation that has been stealing data from governments and corporations for nearly a year.
"Advanced threats have festered their way into thousands of enterprises," NetWitness warned. "The widely deployed security technologies modern enterprises use to protect themselves such as firewalls, antivirus, and intrusion-detection technologies, even when well-managed, are ineffective in countering the current and ongoing threat to our information systems posed by a focused criminal adversary or nation-state."
Leaving aside NetWitness's sales pitch for its own product -- which it claims is far more effective at countering cyber attacks than the next leading brand -- the firm's report is further evidence that the private and public sectors are vulnerable.
The challenge, according to yet another white paper from yet another think tank, isn’t lack of awareness about cyber insecurity. "Corporate leaders understand the seriousness of the threat," says the report from the Cyber Secure Institute.
"The challenge with cybersecurity is that for all the attention it gets, there is no uprising among voters, customers, or investors," it says. "Political leaders and corporate leaders will only make the sorts of systemic cybersecurity changes that are needed if the public -- voters, investors, and customers -- demands change." -- TL
Thursday, February 11, 2010
Coming Soon to a Theater Near You
A new play is opening next week at the Mandarin Oriental Hotel in Washington, D.C. Starring former Homeland Security Secretary Michael Chertoff as “National Security Advisor,” former Director of National Intelligence John Negroponte as “Secretary of State,” and other former officials in similar supporting roles, the production will open and close the same day. It will employ professional scriptwriters and a mock White House Situation Room, and it could offer an instructive look at how the U.S. government might handle a massive cyber attack.
From all accounts, this simulation -- entitled Cyber ShockWave -- is a well-organized effort to ascertain how a cyber attack scenario might unfold and how top officials might react. It is being produced by the Bipartisan Policy Center, a centrist think tank founded by former Sens. Howard Baker (R.), Tom Daschle (D.), Bob Dole (R.), and George Mitchell (D.). General Dynamics, PayPal, and Symantec, among others, are sponsoring the simulated attack.
“The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance,” the center said. “They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.”
“Following the simulation, there will be a post-event discussion with the participants and partners to discuss what the U.S. government can do to avoid a real-world cyber attack of this magnitude and what can be learned from the exercise,” it added.
Unlike similar simulations conducted by actual government officials, this one will unfold in public, with CNN taping it for later broadcast. It will be interesting to see what lessons emerge from this unique performance and how policy-makers in the real world react. -- TL
Tuesday, February 9, 2010
Securing the Mobile Phone ‘SUVs’
As mobile devices become more feature-rich, some of these new capabilities may be leading users to unwittingly put more of their personal information at risk. The European Network and Information Security Agency is seeking to enlist users as a "first line of defense" against threats by highlighting the risks of using mobile devices to connect to social networking sites and offering tips on what users should do to protect their privacy.
Many of the recommendations in the new report, "Online As Soon As It Happens," seem painfully obvious, advising users to think carefully about what personal information they want to post and to set privacy settings properly. But considering how many stories we hear of security breaches that begin with an unsecured laptop left in a car or of the widespread use of the password "password," it’s pretty clear that there’s a need to spread some of these messages.
Plus, devices are adding more and more features, and it’s not hard to believe that a lot of people are getting the latest, shiniest smartphones without having any idea of the power "under the hood." It’s a bit like when everyone started buying SUVs with off-road capabilities that they’d never dream of using.
Looked at that way, the ENISA recommendations suddenly look more valid. For example, I’m betting a lot of people would never think to deactivate location-based services when not using them, to lock their device’s keypad when it is not in use, or to implement all of the necessary firewall and security settings when connecting to public Wi-Fi spots. These may be obvious to advanced users, or at least the risks related to them are well understood, but many people with iPhones or BlackBerries in their pockets aren’t fully aware of the potential risks they face with such powerful devices. -- BH
Friday, February 5, 2010
An Inoffensive Bill
What does the Cybersecurity Enhancement Act’s lopsided win in the House indicate about the direction of federal cybersecurity policy?
Does it mean that lawmakers are genuinely worried that they are doing too little to protect cyberspace? Or is it simply another reminder that an inoffensive bill that can be characterized as important to national security can easily win friends on both sides of the aisle?
Some commentators have suggested that the act does very little, and that might be part of its appeal. Yet it is a perfect complement to President Obama’s 2009 “Cyberspace Policy Review,” a report that called for more public-private partnerships, research and development, and education. The House, like the administration, is wary of imposing rules on the private sector to improve cybersecurity.
In addition, the House bill promises to send a modest amount of federal funds into members’ districts to pay for educational programs and research centers. Education, national security, and something for the folks back home? That’s a hard combination to resist.
For more details about the bill and this week’s debate in the House, see the upcoming edition of Cybersecurity Policy Report. -- TL
Thursday, February 4, 2010
Google & the NSA: Whom Do You Trust?
The recent cyberattacks on Google, Inc.'s networks in China have reportedly prompted the Internet giant to explore a partnership with the National Security Agency designed to improve Google's cyber defenses, according to a report in this morning's Washington Post. But will the potential benefits of working with the leading experts at the NSA to better secure Google's network outweigh the concerns that some consumers might have about Google working with the spy agency that apparently was involved in the controversial warrantless wiretapping activities of the Bush administration?
The Post's sources say the agreement is being crafted to enable Google and the NSA to share information that will help prevent future cyberattacks while not violating Google's policies or laws addressing the privacy of its consumers. And while Google may be known for employing the best and the brightest in computer science and mathematics, there is surely still much for the company to gain from working with the IT security experts at the NSA, who presumably can rely upon a wealth of expertise in cyberdefense and intelligence that only a spy agency could have access to. But no matter how beneficial such a partnership may be and how many safeguards Google puts in place, any talk of a collaboration with NSA is sure to spark talk of Big Brother among many privacy advocates.
The interesting question may come down to this: Whom do we trust more with our information, Google or the government? Judging by how much most of us use Google for everything from search and e-mail to location-based services on smartphones, most of us have shown that we're willing to give up some personal information to Google in exchange for services we find valuable. But will a partnership with the NSA -- even with the safeguards that it would surely entail -- be too much for some to take? -- BH
Wednesday, February 3, 2010
DHS Cyber Road Map Long on Aspiration, Short on Detail
The Department of Homeland Security released its first Quadrennial Homeland Security Review late Tuesday in which it argued persuasively that much more should be done to improve the U.S. cybersecurity posture over the next four years.
While the document declares itself to be more focused on strategic visions rather than tactical steps, in many ways it reads like a gigantic to-do list that still needs to be fleshed out. For example, the report says the private sector needs to come up with “guidelines, codes, rules, regulations, and accepted standards” to ensure network and data integrity, while at the same time ensuring “confidentiality, integrity, and availability of systems, networks, and data without impairing innovation, and while ensuring privacy.”
That’s both a nice recap of the problem facing network operators and a goal to which they can aspire. What’s missing is more specific guidance on all the nitty-gritty work and decisions on how to get there.
What seems clear from the tone of the report is that the government will continue to rely on a partnership model for implementing better cybersecurity measures, rather than relying on top-down government mandates, and will strive for better information sharing between the feds and industry.
How DHS and the private sector put more meat on this bone will be our story of the next four years. -- JC
Tuesday, February 2, 2010
Funding Priorities
We’re still sifting through the Obama administration’s 2011 budget proposal, where cybersecurity spending is spread among several departments and agencies. Here are a few highlights:
The Department of Homeland Security has requested $379 million to create the National Cyber Security Division, which would “support the development of capabilities to prevent, prepare for, and respond to incidents that could degrade or overwhelm the nation’s critical information technology infrastructure and key cyber networks.”
DHS is also seeking $10 million for the National Cyber Security Center, up from $5 million in fiscal year 2010. The center is “still in its infancy,” a DHS official noted during a conference call yesterday, but the new money would increase its staffing level to 40 people. The center is designed to “enhance cybersecurity coordination capabilities across the federal government, including mission integration; collaboration and coordination; situational awareness and cyber incident response; analysis and reporting; knowledge management; and technology development and management.”
Among targets for reductions in funding is the National Cybersecurity Protection System, which helps protect federal civilian government information technology enterprises by analyzing network flow and intrusion detection information. DHS said the system was being “deferred in order to fund higher-priority cybersecurity efforts.”
The FCC, meanwhile, is asking for $11 million to hire an additional 75 full-time equivalent employees to help it meet its cybersecurity responsibilities, implement its national broadband plan, and achieve other goals.
Elsewhere in the budget proposal, the National Institute of Standards and Technology’s laboratories, which are involved with spectrum, energy smart grid, and cybersecurity issues, among others, are budgeted to get $709 million of funding in 2011, up 6.9% from 2010.
The latest budget proposes a slight decrease in funding -- by $9 million -- to $4.3 billion for the multi-agency Networking and Information Technology Research and Development Program, which plans and coordinates agency research efforts in cybersecurity, advanced networking, and other areas.
Look for more on these proposals in the upcoming issue of Cybersecurity Policy Report. -- TL
Monday, February 1, 2010
'Hypocrisy'
“U.S. cybersecurity policy-makers are in the habit of thinking too much about those who attack us and too little about our attacks on others.”
So we are told this morning by Jack Goldsmith, a legal scholar and cybersecurity expert, on the op-ed page of The Washington Post.
For those who are unfamiliar with Mr. Goldsmith, he is a Harvard law professor who also worked for George W. Bush. In fact, he reportedly was in John Ashcroft’s hospital room when Alberto Gonzales and Andrew Card tried to pressure Mr. Ashcroft to approve the Bush administration's warrantless wiretap program.
Mr. Goldsmith’s column this morning responds to Secretary of State Hillary Clinton’s recent condemnation of Internet censorship and cyber attacks.
“The problem with Clinton’s call for accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the enormous array of cyberattacks originating from the United States,” he says.
Aside from the widespread use of hijacked U.S.-based computers as zombies in botnets, the U.S. tolerates and even supports some forms of hacking in cases where the cyber attackers are human-rights activists or members of the U.S. intelligence or defense establishment, he asserts.
“Creating norms to curb cyber attacks is difficult enough because the attackers’ identities are hard to ascertain,” he says. “But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.” -- TL
Thursday, January 28, 2010
Conflicting Policies
In his first official appearance since being named to coordinate the Obama administration's cybersecurity strategy, Howard Schmidt yesterday said he would have the authority and the "president's ear" as he seeks to take the necessary steps to prevent cyber attacks. But one challenge that may be beyond anyone's capability to address is the range of conflicting interests among government agencies that could pull network operators in multiple directions on issues of security and privacy.
In an opinion piece at CNN.com, security expert Bruce Schneier says the real news behind the recent Chinese cyber attacks on Google's systems "isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated -- we knew that already -- it's that the U.S. government inadvertently aided the hackers." The hackers were able to gain access to Google's systems through a backdoor access system into Gmail accounts that Google created to comply with government search warrants on user data, Schneier says.
So a policy put in place to help law enforcement agencies investigate crimes and protect the public may have helped compromise the security of personal information online. As policy-makers pay closer attention to cybersecurity, can they craft policies that will truly help secure networks that are far more complex for them to understand? And what happens if some of those pro-cybersecurity policies bump up against other government priorities such as law enforcement or combating terrorism?
This isn't the only example of the policy tensions arising between different governments or different agencies. We've seen European policy-makers pressuring search engine operators to retain data collected on users for shorter periods of time in the interest of personal privacy, as demonstrated by Microsoft's recent move to discard such data after six months. But at the same time, some law enforcement agencies would prefer search engine data to be retained for longer periods of time due to the potential to assist in criminal investigations, in hopes that a murder suspect might have incriminating information in their search history, for example.
So as governments around the globe dive more into these rapidly emerging issues, we'll have to see if policy-makers can figure out how to balance these competing interests and come up with a coherent approach. It's a lot easier said than done. -- BH
Wednesday, January 27, 2010
'Spear-Phishing'
“An increasing number of hackers have turned professional. Some who once attacked IT systems for the intellectual challenge and to match wits with (or to aggravate) others in their field have discovered strong financial rewards in online crime.”
That’s one of the conclusions of a report issued yesterday by Deloitte. And a timely conclusion it is. An alarming new investigative report by The Christian Science Monitor indicates that the IT systems of three major oil companies have been hijacked by spyware that has enabled hackers to steal valuable competitive data.
According to the Monitor’s scoop, the companies -- Marathon Oil, ExxonMobil, and ConocoPhillips -- “didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them.”
The attackers apparently used a “spear-phishing” technique in which a fake e-mail is sent to specific executives in order to trick them into clicking on a link and downloading the malware that then spreads through their system and lays low until called on.
“You can’t get rid of this attacker very easily,” one source told the Monitor. “It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.”
China is being blamed again, but the responsible party, to a large extent, should be immaterial to policy-makers. If you leave a pot of gold unprotected, somebody will try to steal it, and their nationality is irrelevant. The larger question is whether oil companies, which control a valuable resource, and others responsible for key infrastructure are doing what they need to do. And, if not, what should be done about it.
“Today’s cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile, long-term presence in IT environments,” the Deloitte report says. “Meanwhile, many organizations may be leaving themselves vulnerable to cyber crime based on a false sense of security, perhaps even complacency.” -- TL
Tuesday, January 26, 2010
Today’s Reading . . .
A real good read in today’s New York Times on Defense Department efforts to evaluate high-level cybersecurity threats and defense and response scenarios, and just how murky the universe of cyber threats remains.
One small nit to pick: The article states that unless the Chinese government takes steps including lifting current policies of enforcing Internet search engine censorship, then “millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.”
The Google.cn search engine made available by the company in China is already subject to government censorship rules; the regular Google search engine is available as a link from the Google.cn site, but some users of it in China in recent times have reported that connectivity to some of its search results may still effectively be blocked for users in China.
From AP late yesterday and overnight on Google’s reported talks with the Chinese government to keep research and other functions in China even if it shuts down the Google.cn business.
From Government Technology, some thoughts on the size of the “window” of near-term action for federal cybersecurity policy. -- JC
Monday, January 25, 2010
Good Intentions...
The Washington Post’s lead editorial today applauds last week’s speech by Secretary of State Hillary Rodham Clinton taking China and several other nations to task for engaging in various forms of Internet censorship within their borders and says Google, Inc., which is threatening to walk away from its Google.cn service in China over censorship obligations and hacking allegations, has found an ally in “the fight for a free Web.”
The editorial goes on to say:
“The U.S. government has been grappling with these challenges for years. But it has not done enough to fight back politically in making Internet freedom an issue in diplomatic and commercial relations and by seeking the international censure of those who violate it. That’s why the speech delivered Thursday by Secretary of State Hillary Rodham Clinton was so important. Ms. Clinton made it admirably clear that abusers such as China will no longer get a free pass in U.S. public diplomacy or in international forums.”
It’s hard to disagree with the hope that threats of U.S. censure will do some good in keeping the Internet unfettered by government censorship, but is it realistic to assume that public scoldings will do much to change the ways of any country’s censors, especially in the case of China, which was ranked in 2009 as the U.S.’s second largest trading partner?
Or that Secretary Clinton’s speech will do much for Google as it weighs whether to rethink its decision to submit to Chinese censorship rules in the first place?
On the same Post op-ed page today, you can find one good explanation of how deeply the U.S.-China trade relationship goes, including an estimate that perhaps two thirds of China’s $2.4 trillion of foreign exchange reserves are in U.S. dollars, reflecting in part China’s large and ongoing investments in U.S. debt instruments.
Given the depth of the business relationships between the two countries, it’s worth asking how far the U.S. is, and is not, prepared to go to influence China’s Internet policies -- beyond policy speeches -- if push should come to shove. Only time will tell the answer to that question, but if I were Google or a Chinese activist with a hacked Gmail account, I wouldn’t hold my breath waiting.
JC
Welcome
Hello and welcome, we’re glad you’re here.
The TRCybersecurity Policy Report Blog is a public venue created by us to discuss federal cybersecurity policy, legislation and regulation, and their impact on network service providers, equipment vendors and the larger corporate community that must secure their networks from attack, intrusion and leakage.
We will seek to prompt stimulating public discussion of these issues every business day as we continue to undertake our full-time jobs of prowling for fresh news, information and insight into federal and state-level policy, legislation, and regulations impacting the communications sector and landscape.
We would love to have your constructive contributions to this conversation, and look forward to the engagement and learning what we can all share.
In our real lives as career Washington journalists, we publish Telecommunications Reports, TRDaily, TR State Newswire, and TRCybersecurity Policy Report. These are subscription products, and you can take a look at them in brief form at tr.com.
Thanks again for visiting – please bookmark us, hang around, and join the discussion.
Sincerely,
Your Editors
Brian Hammond, brian.hammond@wolterskluwer.com
Tom Leithauser, tom.leithauser@wolterskluwer.com
John Curran, john.curran@wolterskluwer.com