Thursday, January 28, 2010

Conflicting Policies

In his first official appearance since being named to coordinate the Obama administration's cybersecurity strategy, Howard Schmidt yesterday said he would have the authority and the "president's ear" as he seeks to take the necessary steps to prevent cyber attacks. But one challenge that may be beyond anyone's capability to address is the range of conflicting interests among government agencies that could pull network operators in multiple directions on issues of security and privacy.

In an opinion piece at CNN.com, security expert Bruce Schneier says the real news behind the recent Chinese cyber attacks on Google's systems "isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated -- we knew that already -- it's that the U.S. government inadvertently aided the hackers." The hackers were able to gain access to Google's systems through a backdoor access system into Gmail accounts that Google created to comply with government search warrants on user data, Schneier says.

So a policy put in place to help law enforcement agencies investigate crimes and protect the public may have helped compromise the security of personal information online. As policy-makers pay closer attention to cybersecurity, can they craft policies that will truly help secure networks whose complexity may exceed their understanding? And what happens if some of those pro-cybersecurity policies bump up against other government priorities such as law enforcement or combating terrorism?

This isn't the only example of the policy tensions arising between different governments or different agencies. We've seen European policy-makers pressuring search engine operators to retain data collected on users for shorter periods of time in the interest of personal privacy, as demonstrated by Microsoft's recent move to discard such data after six months. But at the same time, some law enforcement agencies would prefer search engine data to be retained for longer periods of time because of its potential to assist in criminal investigations -- in hopes, for example, that a murder suspect might have incriminating information in their search history.

So as governments around the globe dive more into these rapidly emerging issues, we'll have to see if policy-makers can figure out how to balance these competing interests and come up with a coherent approach. It's a lot easier said than done. -- BH

Wednesday, January 27, 2010

'Spear-Phishing'

“An increasing number of hackers have turned professional. Some who once attacked IT systems for the intellectual challenge and to match wits with (or to aggravate) others in their field have discovered strong financial rewards in online crime.”

That’s one of the conclusions of a report issued yesterday by Deloitte. And a timely conclusion it is. An alarming new investigative report by The Christian Science Monitor indicates that the IT systems of three major oil companies have been hijacked by spyware that has enabled hackers to steal valuable competitive data.

According to the Monitor’s scoop, the companies -- Marathon Oil, ExxonMobil, and ConocoPhillips -- “didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them.”

The attackers apparently used a “spear-phishing” technique in which a fake e-mail is sent to specific executives in order to trick them into clicking on a link and downloading the malware, which then spreads through their system and lies low until called on.

“You can’t get rid of this attacker very easily,” one source told the Monitor. “It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.”

China is being blamed again, but the responsible party, to a large extent, should be immaterial to policy-makers. If you leave a pot of gold unprotected, somebody will try to steal it, and their nationality is irrelevant. The larger question is whether oil companies, which control a valuable resource, and others responsible for key infrastructure are doing what they need to do. And, if not, what should be done about it.

“Today’s cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile, long-term presence in IT environments,” the Deloitte report says. “Meanwhile, many organizations may be leaving themselves vulnerable to cyber crime based on a false sense of security, perhaps even complacency.” -- TL

Tuesday, January 26, 2010

Today’s Reading . . .

A really good read in today’s New York Times on Defense Department efforts to evaluate high-level cybersecurity threats and defense and response scenarios, and on just how murky the universe of cyber threats remains.

One small nit to pick: The article states that unless the Chinese government takes steps, including lifting its current policy of enforcing Internet search engine censorship, “millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.”

The Google.cn search engine made available by the company in China is already subject to government censorship rules; the regular Google search engine is available as a link from the Google.cn site, but some users in China have recently reported that connectivity to some of its search results may still effectively be blocked.

From AP late yesterday and overnight, on Google’s reported talks with the Chinese government to keep research and other functions in China even if it shuts down the Google.cn business.

From Government Technology, some thoughts on the size of the “window” of near-term action for federal cybersecurity policy. -- JC

Monday, January 25, 2010

Good Intentions...

The Washington Post’s lead editorial today applauds last week’s speech by Secretary of State Hillary Rodham Clinton taking China and several other nations to task for engaging in various forms of Internet censorship within their borders and says Google, Inc., which is threatening to walk away from its Google.cn service in China over censorship obligations and hacking allegations, has found an ally in “the fight for a free Web.”

The editorial goes on to say:

“The U.S. government has been grappling with these challenges for years. But it has not done enough to fight back politically in making Internet freedom an issue in diplomatic and commercial relations and by seeking the international censure of those who violate it. That’s why the speech delivered Thursday by Secretary of State Hillary Rodham Clinton was so important. Ms. Clinton made it admirably clear that abusers such as China will no longer get a free pass in U.S. public diplomacy or in international forums.”

It’s hard to disagree with the hope that threats of U.S. censure will do some good in keeping the Internet unfettered by government censorship, but is it realistic to assume that public scoldings will do much to change the ways of any country’s censors, especially in the case of China, which was ranked in 2009 as the U.S.’s second-largest trading partner?

Or whether Secretary Clinton’s speech will do much for Google as it weighs whether to rethink its decision to submit to Chinese censorship rules in the first place?

On the same Post op-ed page today, you can find one good explanation of how deeply the U.S.-China trade relationship goes, including an estimate that perhaps two thirds of China’s $2.4 trillion of foreign exchange reserves are in U.S. dollars, reflecting in part China’s large and ongoing investments in U.S. debt instruments.

Given the depth of the business relationships between the two countries, it’s worth asking how far the U.S. is, and is not, prepared to go to influence China’s Internet policies -- beyond policy speeches -- if push should come to shove. Only time will tell the answer to that question, but if I were Google or a Chinese activist with a hacked Gmail account, I wouldn’t hold my breath waiting.

-- JC

Welcome

Hello and welcome, we’re glad you’re here.

The TRCybersecurity Policy Report Blog is a public venue created by us to discuss federal cybersecurity policy, legislation and regulation, and their impact on network service providers, equipment vendors and the larger corporate community that must secure their networks from attack, intrusion and leakage.

We will seek to prompt stimulating public discussion of these issues every business day as we continue to undertake our full-time jobs of prowling for fresh news, information and insight into federal and state-level policy, legislation, and regulations impacting the communications sector and landscape.

We would love to have your constructive contributions to this conversation, and look forward to the engagement and learning what we can all share.

In our real lives as career Washington journalists, we publish Telecommunications Reports, TRDaily, TR State Newswire, and TRCybersecurity Policy Report. These are subscription products, and you can take a look at them in brief form at tr.com.

Thanks again for visiting -- please bookmark us, hang around, and join the discussion.

Sincerely,

Your Editors

Brian Hammond, brian.hammond@wolterskluwer.com
Tom Leithauser, tom.leithauser@wolterskluwer.com
John Curran, john.curran@wolterskluwer.com