Tag Archives: Homeland Security

Private sector advises Obama’s cybersecurity proposal

WASHINGTON — President Barack Obama’s cybersecurity information sharing proposal, with its focus on sharing only targeted threat information between private firms and the government, is a better approach than “ill-advised” widespread sharing, a former top privacy official for homeland security said Wednesday.

The Committee on Homeland Security’s Cybersecurity, Infrastructure Protection and Security Technologies subcommittee heard from industry, privacy and academic experts regarding what they think cyber threat information sharing should look like. The previous week, Department of Homeland Security representatives went before the entire committee to explain how this legislation could protect Americans from increasing cybersecurity threats.

Obama’s three-part proposal includes increased sharing among private sector companies and between them and the government. It also encourages the formation of Information Sharing and Analysis Organizations and creates certain guidelines for both the private and federal sectors regarding personal information retention and sharing.

Under the legislation, businesses would share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would pass it on to relevant federal agencies and ISAOs. Participating businesses would receive targeted liability protection in return.

Mary Ellen Callahan, former Department of Homeland Security chief privacy officer, agreed with this targeted sharing approach, calling immediate widespread sharing of threats “ill-advised.” According to Callahan, private sector threats–usually IP addresses and URLs–are reported to the DHS, and then distilled to remove any personal information.

In the end, government security professionals only have information on the threat, its source and target, and how to combat it.

Subcommittee Chairman John Ratcliffe, R-Texas, referred to recent breaches at companies such as Anthem, Sony Pictures, Target and J.P. Morgan as examples of why the legislation is needed. “We need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between federal civilian agencies, like DHS, and the private sector,” he said.

Many companies choose not to share cyber threat indicators or breaches with one another or the government for fear of legal liability, or having their names in the media as companies with poor cybersecurity. Without this sharing of information, hackers can use the same tactics repeatedly with multiple companies.

Private companies want to see a bill that would allow them to voluntarily share cyber threats with other organizations, but have flexibility in what they share with the government, according to Matthew Eggers, senior director of National Security and Emergency Preparedness for the U.S. Chamber of Commerce.

“This is a bill trying to convince them to participate in a voluntary program that makes their lives more difficult. For folks like me saying ‘I’m not fond of government being in my cell or ERP (Enterprise Resource Planning–software for data management),’ that’s going to be a neat trick,” Eggers said.

The key will be convincing companies that Obama’s proposal would better protect everyone in the long run.

“We need a federated sharing community, not a competitive one,” Greg Garcia, executive director of the Financial Services Sector Coordinating Council, said. “Withholding info to get ahead… Balkanizing or siloing information–that defeats the purpose.”

This is not the first time Obama has proposed legislation to safeguard America from cyber attacks. In 2011, he rolled out his Cybersecurity Legislative Proposal in an effort to give the private sector and government the tools they need to combat cyber threats. In 2013, he issued the Executive Order on Improving Critical Infrastructure Cybersecurity, which established cybersecurity framework standards that were developed in tandem with private industry.

Republican Peter King to lead National Security Solutions Group

Rep. Peter T. King (R-NY), Ranking Member of the House Committee on Homeland Security, has been selected by House Republican Leader John Boehner (R-OH) to chair a new National Security Solutions Group.

According to a news release, the 18-person National Security Solutions Group will “take the lead in advocating and developing better solutions to the national security challenges we face and hold the Obama Administration accountable when it pursues misguided policies that make the American people less safe.” It is another of the Solutions Groups created by the Republican party that, according to the release, will “complement and support the work of Chief Deputy Whip Kevin McCarthy (R-CA), who is leading the effort by House Republicans to engage the American people and put forth a positive governing agenda.” Other GOP Solutions Groups focused on issues such as economic recovery, energy reform and health care reform.

King said that it is important to “ensure that Congressional Democrats and the Obama Administration do what is necessary to keep the nation secure, including properly funding our troops and keeping terrorists out of America.”

Not everyone sees the new group as a step forward.

“The only problem the GOP has solved is how to thoroughly, unilaterally and dangerously politicize America’s national security. At every step, Congressional Republicans have mindlessly stood against America’s justice system, military leadership and our Commander-in-Chief, all of whom continue to keep America safe at home and overseas,” said Adam Blickstein of the National Security Network, a group of 2,000 members and experts that represent the emerging generation of foreign policy leaders.

The members of the GOP National Security Solutions Group include:

  • Rep. Peter T. King (R-NY), Ranking Member, Committee on Homeland Security
  • Rep. Howard P. “Buck” McKeon (R-CA), Ranking Member, Committee on Armed Services
  • Rep. Peter Hoekstra (R-MI), Ranking Member, Permanent Select Committee on Intelligence
  • Rep. Ileana Ros-Lehtinen (R-FL), Ranking Member, Foreign Affairs Committee
  • Rep. Jerry Lewis (R-CA), Ranking Member, Appropriations Committee
  • Rep. Lamar Smith (R-TX), Ranking Member, Committee on the Judiciary
  • Rep. Michael Conaway (R-TX)
  • Rep. Charles Dent (R-PA)
  • Rep. Trent Franks (R-AZ)
  • Rep. Duncan Hunter (R-CA)
  • Rep. Candice Miller (R-MI)
  • Rep. Jeff Miller (R-FL)
  • Rep. Sue Myrick (R-NC)
  • Rep. Hal Rogers (R-KY)
  • Rep. Mike Rogers (R-MI)
  • Rep. Edward Royce (R-CA)
  • Rep. Mac Thornberry (R-TX)
  • Rep. Frank Wolf (R-VA)

DHS discloses existence of three more domestic spying programs

In a blog post today, the Center for Investigative Reporting discloses documents relating to three more domestic spying programs conducted by the Department of Homeland Security in the wake of 9/11.

According to the blog post, three programs stand out: Pantheon, Pathfinder and Organizational Shared Space. They add to a growing list of domestic intelligence and surveillance efforts, including information-sharing programs, “dozens of intelligence ‘fusion’ centers formed by local, state and federal officials, and data-mining projects that involve probing mountains of telecommunications and commercial records for leads.” Though much of the information in the released documents is redacted, the Center for Investigative Reporting is able to read some details of the three noted programs.

Pathfinder, for example, is described as an “integrated text search, retrieval, display and analytic tool suite used to analyze intelligence community message traffic,” while Pantheon is described as a “system for the Department of Homeland Security to share intelligence with other federal, state and local governments when requested, which again includes information about U.S. citizens and permanent residents.”

Organizational Shared Space is described as “an umbrella portal for systems like Pantheon and allows agencies within DHS, from the Coast Guard to the Transportation Security Administration, to access classified intelligence internally.” The blog post notes that it is housed on the Joint Worldwide Intelligence Communications System, which defense and state departments use to exchange classified information. The implication is that those departments also have access to information from the Organizational Shared Space.

The complete documents are also posted to the Center for Investigative Reporting blog using Scribd.

U.S. cyber security effort falls short

WASHINGTON — Two congressional studies released in April showed that no federal agencies have successfully implemented security programs required by the Office of Management and Budget (OMB).

That means not one of the 23 government agencies cited in the reports is secure enough to meet minimum government standards for preventing intrusions and destructive viruses.

The reports by the Government Accountability Office (GAO) regarding Internet connection and personal computer security both recommended that the agencies crack down and do a better job of enforcing and implementing the plans. The GAO serves as an independent congressional watchdog, is the “official investigative arm” of Congress, and provides data and research to lawmakers.

Several departments were in partial compliance but none were fully secure, the reports said. Among those in partial compliance, the Department of Defense was cited as having the best record for securing its Windows Vista computers; 99 percent of the workstations using the operating system were secure. However, none of their older computers were described as being in complete compliance.

Several departments including Education, Homeland Security, Transportation and State were listed as having zero percent of their computers in compliance.

The reports come at the same time as the State Department is launching a digital innovations team and planning greater expansion into the digital world. But if government agencies can’t properly implement existing minimum security standards, some critics ask, will such new innovations be any more secure?

Those requirements were launched in 2007 and 2008, well before President Obama’s much-reported refusal to give up his Blackberry. At the time there was much handwringing and debating whether it was safe for the leader of the free world to be carrying a tiny, hackable gateway to a treasure trove of state secrets.

The GAO studies do not explicitly describe the basic security requirements in question, instead referring to approved settings at each individual agency.

Sen. Joseph Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee, issued a response to the reports on April 12 expressing his disappointment in the study’s findings. He took OMB to task for falling short in its enforcement of the standards. However, neither he nor the agencies had a plan for how or when they’d reach the security standards.

“The security of federal IT [information technology] systems is an ever-growing problem that must be confronted aggressively and with all available means,” Lieberman said in a statement. “Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security.”

Lieberman went on to say that OMB agreed with the findings and would be “acting to address many of the lessons learned,” but noted that no concrete commitments were made as to how they would do so.

Some digital security analysts like Kevin Thompson, a Chicago area attorney and author of the blog Cyberlaw Central, aren’t surprised by the GAO’s low compliance findings.

“They’ve got a long way to go in living up to their requirements in being secure,” he said of the agencies. “A lot of people think that the government would have access to the latest and greatest technology but in reality they don’t.”

Thompson has researched government digital security infrastructure and says he’s seen a lack of funding and attention paid to the issue.

“We should be able to reach the minimums we set,” he said.

For his part, Thompson sees value in moving towards a creative, innovative approach to how the government uses digital tools while still ensuring their security.

In his statement Lieberman said his committee would be drafting legislation to address the issue. But the constantly evolving nature of the digital world begs the question, is another piece of legislation enough?