"If the nation went to war today in a cyber war, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose."
That was one of several alarming predictions offered yesterday by Michael McConnell, former director of national intelligence, in testimony before the Senate Commerce, Science, and Transportation Committee.
Here's another: "We will not mitigate this [cybersecurity] risk. We will talk about it. We will wave our arms. We will have a bill. But we will not mitigate this risk, and as a consequence of not mitigating the risk, we're going to have a catastrophic event."
"In our wonderful democracy, it usually takes a forcing function to move us to action," he said. "It's going to take that catastrophic event."
What might happen? He suggested that China and Russia -- countries that are frequently blamed for cyber attacks and cyber espionage -- would not benefit from a large-scale raid on U.S. networks. Likewise, cyber criminals have no interest in hindering the flows of money and data that keep them in business.
A third category of cyber villain, however, poses a greater danger -- the "non-state actor" who is not motivated by greed but hews to "a different world view" and wants "to destroy the information infrastructure which powers much of the modern world," Mr. McConnell testified.
The coming cyber catastrophe will spur the federal government to dramatically increase its oversight of the Internet, he said. The only thing that might head off that scenario, he argued, is solid legislation that unifies the federal government's cybersecurity efforts, provides money for training, and demands more from both the public and private sectors.
Other witnesses offered similar views, which undoubtedly pleased the committee's chairman, John D. (Jay) Rockefeller (D., W.Va.), who has a bill pending that would implement many of Mr. McConnell's recommendations. -- TL
Wednesday, February 24, 2010
Monday, February 22, 2010
Senate Eyes Cybersecurity
The U.S. Senate will take the next step toward adopting cybersecurity legislation with a hearing tomorrow before the Commerce, Science, and Transportation Committee.
The panel's chairman, John D. (Jay) Rockefeller (D., W.Va.), has introduced legislation with Sen. Olympia Snowe (R., Maine) that would direct the president to implement a comprehensive national cybersecurity policy and conduct a quadrennial review of the “cyber posture of the United States.”
The hearing is the Senate's first on the topic since the House approved the Cybersecurity Enhancement Act of 2009 (H.R. 4061), which would authorize the National Science Foundation to spend $395 million over five years on cybersecurity grants and $94 million on cybersecurity scholarships, among other things.
Sen. Rockefeller's bill is one of several legislative vehicles that could result in cybersecurity legislation reaching a House-Senate conference committee this year. Witnesses who are scheduled to testify at the hearing include Michael McConnell, former director of national intelligence; James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies; Scott Borg, director of the U.S. Cyber Consequences Unit; Jamie Barnett, chief of the FCC's Public Safety and Homeland Security Bureau; and Mary Ann Davidson, Oracle Corp.'s chief security officer. -- TL
The panel's chairman, John D. (Jay) Rockefeller (D., W.Va.), has introduced legislation with Sen. Olympia Snowe (R., Maine) that would direct the president to implement a comprehensive national cybersecurity policy and conduct a quadrennial review of the “cyber posture of the United States.”
The hearing is the Senate's first on the topic since the House approved the Cybersecurity Enhancement Act of 2009 (H.R. 4061), which would authorize the National Science Foundation to spend $395 million over five years on cybersecurity grants and $94 million on cybersecurity scholarships, among other things.
Sen. Rockefeller's bill is one of several legislative vehicles that could result in cybersecurity legislation reaching a House-Senate conference committee this year. Witnesses who are scheduled to testify at the hearing include Michael McConnell, former director of national intelligence; James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies; Scott Borg, director of the U.S. Cyber Consequences Unit; Jamie Barnett, chief of the FCC's Public Safety and Homeland Security Bureau; and Mary Ann Davidson, Oracle Corp.'s chief security officer. -- TL
Friday, February 19, 2010
More 'Voluntary' Cybersecurity Rules?
The Federal Communications Commission may soon urge more government action to shore up the cybersecurity posture of communications services providers in the U.S., but whether the recommendations have much bite to them remains to be seen.
FCC staff said yesterday that the agency’s national broadband plan now nearing completion may recommend creation of a “voluntary cyber security certification program” for communications service providers, as well as creation of a “cyber security information reporting system,” and a requirement for broadband service providers to submit network outage reports to the government – something that is already required of other communications service providers, although those reports are kept from public view.
At this point, it’s impossible to say what exactly will end up in the national broadband plan – which is due to be delivered to Congress on March 17 – and whether any of the plan’s recommendations, particularly those dealing with cybersecurity, could be accomplished under the FCC’s current statutory authority or whether they will have to be tossed to Congress for any action. Stay tuned here, and in TR’s Cybersecurity Policy Report.
FCC staff said yesterday that the agency’s national broadband plan now nearing completion may recommend creation of a “voluntary cyber security certification program” for communications service providers, as well as creation of a “cyber security information reporting system,” and a requirement for broadband service providers to submit network outage reports to the government – something that is already required of other communications service providers, although those reports are kept from public view.
At this point, it’s impossible to say what exactly will end up in the national broadband plan – which is due to be delivered to Congress on March 17 – and whether any of the plan’s recommendations, particularly those dealing with cybersecurity, could be accomplished under the FCC’s current statutory authority or whether they will have to be tossed to Congress for any action. Stay tuned here, and in TR’s Cybersecurity Policy Report.
Thursday, February 18, 2010
Cyber Insecurity
Public-private partnerships. Standards and best practices.
Those have been the mantras of the cybersecurity policy community for several years now. The dominant argument has been that mandates on the private sector are costly and ineffective, and the recent parade of news stories about cyber attacks on public and private entities has not shaken that belief.
Will that eventually change? Will there be one -- or a series -- of precipitating events that will spur policy-makers to alter course?
Consider the events of the past week. On Tuesday, a centrist think tank staged an elaborate cyber attack simulation and concluded that the U.S. was woefully unprepared. Today, a cybersecurity firm, NetWitness, announced that it had discovered a major botnet infestation that has been stealing data from governments and corporations for nearly a year.
"Advanced threats have festered their way into thousands of enterprises," NetWitness warned. "The widely deployed security technologies modern enterprises use to protect themselves such as firewalls, antivirus, and intrusion-detection technologies, even when well-managed, are ineffective in countering the current and ongoing threat to our information systems posed by a focused criminal adversary or nation-state."
Leaving aside NetWitness's sales pitch for its own product -- which it claims is far more effective at countering cyber attacks than the next leading brand -- the firm's report is further evidence that the private and public sectors are vulnerable.
The challenge, according to yet another white paper from yet another think tank, isn’t lack of awareness about cyber insecurity. "Corporate leaders understand the seriousness of the threat," says the report from the Cyber Secure Institute.
"The challenge with cybersecurity is that for all the attention it gets, there is no uprising among voters, customers, or investors," it says. "Political leaders and corporate leaders will only make the sorts of systemic cybersecurity changes that are needed if the public -- voters, investors, and customers -- demands change." -- TL
Those have been the mantras of the cybersecurity policy community for several years now. The dominant argument has been that mandates on the private sector are costly and ineffective, and the recent parade of news stories about cyber attacks on public and private entities has not shaken that belief.
Will that eventually change? Will there be one -- or a series -- of precipitating events that will spur policy-makers to alter course?
Consider the events of the past week. On Tuesday, a centrist think tank staged an elaborate cyber attack simulation and concluded that the U.S. was woefully unprepared. Today, a cybersecurity firm, NetWitness, announced that it had discovered a major botnet infestation that has been stealing data from governments and corporations for nearly a year.
"Advanced threats have festered their way into thousands of enterprises," NetWitness warned. "The widely deployed security technologies modern enterprises use to protect themselves such as firewalls, antivirus, and intrusion-detection technologies, even when well-managed, are ineffective in countering the current and ongoing threat to our information systems posed by a focused criminal adversary or nation-state."
Leaving aside NetWitness's sales pitch for its own product -- which it claims is far more effective at countering cyber attacks than the next leading brand -- the firm's report is further evidence that the private and public sectors are vulnerable.
The challenge, according to yet another white paper from yet another think tank, isn’t lack of awareness about cyber insecurity. "Corporate leaders understand the seriousness of the threat," says the report from the Cyber Secure Institute.
"The challenge with cybersecurity is that for all the attention it gets, there is no uprising among voters, customers, or investors," it says. "Political leaders and corporate leaders will only make the sorts of systemic cybersecurity changes that are needed if the public -- voters, investors, and customers -- demands change." -- TL
Thursday, February 11, 2010
Coming Soon to a Theater Near You
A new play is opening next week at the Mandarin Oriental Hotel in Washington, D.C. Starring former Homeland Security Secretary Michael Chertoff as “National Security Advisor,” former Director of National Intelligence John Negroponte as “Secretary of State,” and other former officials in similar supporting roles, the production will open and close the same day. It will employ professional scriptwriters and a mock White House Situation Room, and it could offer an instructive look at how the U.S. government might handle a massive cyber attack.
From all accounts, this simulation -- entitled Cyber ShockWave -- is a well-organized effort to ascertain how a cyber attack scenario might unfold and how top officials might react. It is being produced by the Bipartisan Policy Center, a centrist think tank founded by former Sens. Howard Baker (R.), Tom Daschle (D.), Bob Dole (R.), and George Mitchell (D.). General Dynamics, PayPal, and Symantec, among others, are sponsoring the simulated attack.
“The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance,” the center said. “They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.”
“Following the simulation, there will be a post-event discussion with the participants and partners to discuss what the U.S. government can do to avoid a real-world cyber attack of this magnitude and what can be learned from the exercise,” it added.
Unlike similar simulations conducted by actual government officials, this one will unfold in public, with CNN taping it for later broadcast. It will be interesting to see what lessons emerge from this unique performance and how policy-makers in the real world react. -- TL
From all accounts, this simulation -- entitled Cyber ShockWave -- is a well-organized effort to ascertain how a cyber attack scenario might unfold and how top officials might react. It is being produced by the Bipartisan Policy Center, a centrist think tank founded by former Sens. Howard Baker (R.), Tom Daschle (D.), Bob Dole (R.), and George Mitchell (D.). General Dynamics, PayPal, and Symantec, among others, are sponsoring the simulated attack.
“The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance,” the center said. “They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.”
“Following the simulation, there will be a post-event discussion with the participants and partners to discuss what the U.S. government can do to avoid a real-world cyber attack of this magnitude and what can be learned from the exercise,” it added.
Unlike similar simulations conducted by actual government officials, this one will unfold in public, with CNN taping it for later broadcast. It will be interesting to see what lessons emerge from this unique performance and how policy-makers in the real world react. -- TL
Tuesday, February 9, 2010
Securing the Mobile Phone ‘SUVs’
As mobile devices become more feature-rich, some of these new capabilities may be leading users to unwittingly put more of their personal information at risk. The European Network and Information Security Agency is seeking to enlist users as a "first line of defense" against threats by highlighting the risks of using mobile devices to connect to social networking sites and offering tips on what users should do to protect their privacy.
Many of the recommendations in the new report, "Online As Soon As It Happens," seem painfully obvious, advising users to think carefully about what personal information they want to post and to set privacy settings properly. But considering how many stories we hear of security breaches that begin with an unsecured laptop left in a car or of the widespread use of the password "password," it’s pretty clear that there’s a need to spread some of these messages.
Plus, devices are adding more and more features, and it’s not hard to believe that a lot of people are getting the latest, shiniest smartphones without having any idea of the power "under the hood." It’s a bit like when everyone started buying SUVs with off-road capabilities that they’d never dream of using.
Looked at that way, the ENISA recommendations suddenly look more valid. For example, I’m betting a lot of people would never think to deactivate location-based services when not using them, to lock their device’s keypad when it is not in use, or to implement all of the necessary firewall and security settings when connecting to public Wi-Fi spots. These may be obvious to advanced users, or at least the risks related to them are well understood, but many people with iPhones or BlackBerries in their pockets aren’t fully aware of the potential risks they face with such powerful devices. -- BH
Many of the recommendations in the new report, "Online As Soon As It Happens," seem painfully obvious, advising users to think carefully about what personal information they want to post and to set privacy settings properly. But considering how many stories we hear of security breaches that begin with an unsecured laptop left in a car or of the widespread use of the password "password," it’s pretty clear that there’s a need to spread some of these messages.
Plus, devices are adding more and more features, and it’s not hard to believe that a lot of people are getting the latest, shiniest smartphones without having any idea of the power "under the hood." It’s a bit like when everyone started buying SUVs with off-road capabilities that they’d never dream of using.
Looked at that way, the ENISA recommendations suddenly look more valid. For example, I’m betting a lot of people would never think to deactivate location-based services when not using them, to lock their device’s keypad when it is not in use, or to implement all of the necessary firewall and security settings when connecting to public Wi-Fi spots. These may be obvious to advanced users, or at least the risks related to them are well understood, but many people with iPhones or BlackBerries in their pockets aren’t fully aware of the potential risks they face with such powerful devices. -- BH
Friday, February 5, 2010
An Inoffensive Bill
What does the Cybersecurity Enhancement Act’s lopsided win in the House indicate about the direction of federal cybersecurity policy?
Does it mean that lawmakers are genuinely worried that they are doing too little to protect cyberspace? Or is it simply another reminder that an inoffensive bill that can be characterized as important to national security can easily win friends on both sides of the aisle?
Some commentators have suggested that the act does very little, and that might be part of its appeal. Yet it is a perfect complement to President Obama’s 2009 “Cyberspace Policy Review,” a report that called for more public-private partnerships, research and development, and education. The House, like the administration, is wary of imposing rules on the private sector to improve cybersecurity.
In addition, the House bill promises to send a modest amount of federal funds into members’ districts to pay for educational programs and research centers. Education, national security, and something for the folks back home? That’s a hard combination to resist.
For more details about the bill and this week’s debate in the House, see the upcoming edition of Cybersecurity Policy Report. -- TL
Does it mean that lawmakers are genuinely worried that they are doing too little to protect cyberspace? Or is it simply another reminder that an inoffensive bill that can be characterized as important to national security can easily win friends on both sides of the aisle?
Some commentators have suggested that the act does very little, and that might be part of its appeal. Yet it is a perfect complement to President Obama’s 2009 “Cyberspace Policy Review,” a report that called for more public-private partnerships, research and development, and education. The House, like the administration, is wary of imposing rules on the private sector to improve cybersecurity.
In addition, the House bill promises to send a modest amount of federal funds into members’ districts to pay for educational programs and research centers. Education, national security, and something for the folks back home? That’s a hard combination to resist.
For more details about the bill and this week’s debate in the House, see the upcoming edition of Cybersecurity Policy Report. -- TL
Thursday, February 4, 2010
Google & the NSA: Whom Do You Trust?
The recent cyberattacks on Google, Inc.'s networks in China has reportedly prompted the Internet giant to explore a partnership with the National Security Agency designed to improve Google's cyber defenses, according to a report in this morning's Washington Post. But will the potential benefits of working with the leading experts at the NSA to better secure Google's network outweigh the concerns that some consumers might have about Google working with the spy agency that apparently was involved in the controversial warrantless wiretapping activities of the Bush administration?
The Post's sources say the agreement is being crafted to enable Google and the NSA to share information that will help prevent future cyberattacks while not violating Google's policies or laws addressing the privacy of its consumers. And while Google may be known for employing the best and the brightest in computer science and mathematics, there is surely still much for the company to gain from working with the IT security experts at the NSA, who presumably can rely upon a wealth of expertise in cyberdefense and intelligence that only a spy agency could have access to. But no matter how beneficial such a partnership may be and how many safeguards Google puts in place, any talk of a collaboration with NSA is sure to spark talk of Big Brother among many privacy advocates.
The interesting question may come down to this: Who do we trust more with our information, Google or the government? Judging by how much most of us use Google for everything from search and e-mail to location-based services on smartphones, most of us have shown that we're willing to give up some personal information to Google in exchange for services we find valuable. But will a partnership with the NSA - even with the safeguards that it would surely entail - be too much for some to take? -- BH
The Post's sources say the agreement is being crafted to enable Google and the NSA to share information that will help prevent future cyberattacks while not violating Google's policies or laws addressing the privacy of its consumers. And while Google may be known for employing the best and the brightest in computer science and mathematics, there is surely still much for the company to gain from working with the IT security experts at the NSA, who presumably can rely upon a wealth of expertise in cyberdefense and intelligence that only a spy agency could have access to. But no matter how beneficial such a partnership may be and how many safeguards Google puts in place, any talk of a collaboration with NSA is sure to spark talk of Big Brother among many privacy advocates.
The interesting question may come down to this: Who do we trust more with our information, Google or the government? Judging by how much most of us use Google for everything from search and e-mail to location-based services on smartphones, most of us have shown that we're willing to give up some personal information to Google in exchange for services we find valuable. But will a partnership with the NSA - even with the safeguards that it would surely entail - be too much for some to take? -- BH
Wednesday, February 3, 2010
DHS Cyber Road Map Long on Aspiration, Short on Detail
The Department of Homeland Security released its first Quadrennial Homeland Security Review late Tuesday in which it argued persuasively that much more should be done to improve the U.S. cybersecurity posture over the next four years.
While the document declares itself to be more focused on strategic visions rather than tactical steps, in many ways it reads like a gigantic to-do list that still needs to be fleshed out. For example, the report says the private sector needs to come up with “guidelines, codes, rules, regulations, and accepted standards” to ensure network and data integrity, while at the same time ensuring “confidentiality, integrity, and availability of systems, networks, and data without impairing innovation, and while ensuring privacy.”
That’s both a nice recap of the problem facing network operators and a goal to which they can aspire. What’s missing is more specific guidance on all the nitty-gritty work and decisions on how to get there.
What seems clear from the tone of the report is that the government will continue to rely on a partnership model for implementing better cybersecurity measures, rather than relying on top-down government mandates, and will strive for better information sharing between the feds and industry.
How DHS and the private sector put more meat on this bone will be our story of the next four years. -- JC
While the document declares itself to be more focused on strategic visions rather than tactical steps, in many ways it reads like a gigantic to-do list that still needs to be fleshed out. For example, the report says the private sector needs to come up with “guidelines, codes, rules, regulations, and accepted standards” to ensure network and data integrity, while at the same time ensuring “confidentiality, integrity, and availability of systems, networks, and data without impairing innovation, and while ensuring privacy.”
That’s both a nice recap of the problem facing network operators and a goal to which they can aspire. What’s missing is more specific guidance on all the nitty-gritty work and decisions on how to get there.
What seems clear from the tone of the report is that the government will continue to rely on a partnership model for implementing better cybersecurity measures, rather than relying on top-down government mandates, and will strive for better information sharing between the feds and industry.
How DHS and the private sector put more meat on this bone will be our story of the next four years. -- JC
Tuesday, February 2, 2010
Funding Priorities
We’re still sifting through the Obama administration’s 2011 budget proposal, where cybersecurity spending is spread among several departments and agencies. Here are a few highlights:
The Department of Homeland Security has requested $379 million to create the National Cyber Security Division, which would “support the development of capabilities to prevent, prepare for, and respond to incidents that could degrade or overwhelm the nation’s critical information technology infrastructure and key cyber networks.”
DHS is also seeking $10 million for the National Cyber Security Center, up from $5 million in fiscal year 2010. The center is “still in its infancy,” a DHS official noted during a conference call yesterday, but the new money would increase its staffing level to 40 people. The center is designed to “enhance cybersecurity coordination capabilities across the federal government, including mission integration; collaboration and coordination; situational awareness and cyber incident response; analysis and reporting; knowledge management; and technology development and management.”
Among targets for reductions in funding is the National Cybersecurity Protection System, which helps protect federal civilian government information technology enterprises by analyzing network flow and intrusion detection information. DHS said the system was being “deferred in order to fund higher-priority cybersecurity efforts.”
The FCC, meanwhile, is asking for $11 million to hire an additional 75 full-time equivalent employees to help it meet its cybersecurity responsibilities, implement its national broadband plan, and achieve other goals.
Elsewhere in the budget proposal, the National Institute of Standards and Technology’s laboratories, which are involved with spectrum, energy smart grid, and cybersecurity issues, among others, are budgeted to get $709 million of funding in 2011, up 6.9% from 2010.
The latest budget proposes a slight decrease in funding -- by $9 million -- to $4.3 billion for the multi-agency Networking and Information Technology Research and Development Program, which plans and coordinates agency research efforts in cybersecurity, advanced networking, and other areas.
Look for more on these proposals in the upcoming issue of Cybersecurity Policy Report. -- TL
The Department of Homeland Security has requested $379 million to create the National Cyber Security Division, which would “support the development of capabilities to prevent, prepare for, and respond to incidents that could degrade or overwhelm the nation’s critical information technology infrastructure and key cyber networks.”
DHS is also seeking $10 million for the National Cyber Security Center, up from $5 million in fiscal year 2010. The center is “still in its infancy,” a DHS official noted during a conference call yesterday, but the new money would increase its staffing level to 40 people. The center is designed to “enhance cybersecurity coordination capabilities across the federal government, including mission integration; collaboration and coordination; situational awareness and cyber incident response; analysis and reporting; knowledge management; and technology development and management.”
Among targets for reductions in funding is the National Cybersecurity Protection System, which helps protect federal civilian government information technology enterprises by analyzing network flow and intrusion detection information. DHS said the system was being “deferred in order to fund higher-priority cybersecurity efforts.”
The FCC, meanwhile, is asking for $11 million to hire an additional 75 full-time equivalent employees to help it meet its cybersecurity responsibilities, implement its national broadband plan, and achieve other goals.
Elsewhere in the budget proposal, the National Institute of Standards and Technology’s laboratories, which are involved with spectrum, energy smart grid, and cybersecurity issues, among others, are budgeted to get $709 million of funding in 2011, up 6.9% from 2010.
The latest budget proposes a slight decrease in funding -- by $9 million -- to $4.3 billion for the multi-agency Networking and Information Technology Research and Development Program, which plans and coordinates agency research efforts in cybersecurity, advanced networking, and other areas.
Look for more on these proposals in the upcoming issue of Cybersecurity Policy Report. -- TL
Monday, February 1, 2010
'Hypocrisy'
“U.S. cybersecurity policy-makers are in the habit of thinking too much about those who attack us and too little about our attacks on others.”
So we are told this morning by Jack Goldsmith, a legal scholar and cybersecurity expert, on the op-ed page of The Washington Post.
For those who are unfamiliar with Mr. Goldsmith, he is a Harvard law professor who also worked for George W. Bush. In fact, he reportedly was in John Ashcroft’s hospital room when Alberto Gonzales and Andrew Card tried to pressure Mr. Ashcroft to approve the Bush administration's warrantless wiretap program.
Mr. Goldsmith’s column this morning responds to Secretary of State Hillary Clinton’s recent condemnation of Internet censorship and cyber attacks.
“The problem with Clinton’s call for accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the enormous array of cyberattacks originating from the United States,” he says.
Aside from the widespread use of hijacked U.S.-based computers as zombies in botnets, the U.S. tolerates and even supports some forms of hacking in cases where the cyber attackers are human-rights activists or members of the U.S. intelligence or defense establishment, he asserts.
“Creating norms to curb cyber attacks is difficult enough because the attackers’ identities are hard to ascertain,” he says. “But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.”--TL
So we are told this morning by Jack Goldsmith, a legal scholar and cybersecurity expert, on the op-ed page of The Washington Post.
For those who are unfamiliar with Mr. Goldsmith, he is a Harvard law professor who also worked for George W. Bush. In fact, he reportedly was in John Ashcroft’s hospital room when Alberto Gonzales and Andrew Card tried to pressure Mr. Ashcroft to approve the Bush administration's warrantless wiretap program.
Mr. Goldsmith’s column this morning responds to Secretary of State Hillary Clinton’s recent condemnation of Internet censorship and cyber attacks.
“The problem with Clinton’s call for accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the enormous array of cyberattacks originating from the United States,” he says.
Aside from the widespread use of hijacked U.S.-based computers as zombies in botnets, the U.S. tolerates and even supports some forms of hacking in cases where the cyber attackers are human-rights activists or members of the U.S. intelligence or defense establishment, he asserts.
“Creating norms to curb cyber attacks is difficult enough because the attackers’ identities are hard to ascertain,” he says. “But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.”--TL
Subscribe to:
Comments (Atom)