LATEST FBI CERT VULNERABILITIES
NATIONAL CYBER ALERT SYSTEM BULLETINS
CYBER SECURITY ALERTS
NEW THREATS
BLOG
Debunking the Growing Use of Misleading Claims and False Truisms in Cybersecurity: Wind River and Google Android Examples (Release)
Cyber Secure Institute Calls Wired Magazine’s “2009 Smart List” Idea “Forget Medical Privacy” Profoundly Stupid (Release)
Cyber Secure Institute Releases Preliminary Analysis of the National Institute of Standards and Technology’s Newly Announced Recommended Security Controls for Federal Information Systems and Organizations
CSI WHITEPAPERS
2/17/10
Cybersecurity: The Challenge of Political and Corporate Will
by Hon. C. Thomas McMillen
2nd in the series, Provoking Cybersecurity Change.
2/1/10
Cyberwar and Cyberterrorism
by Gen. Eugene Habiger
Today, the Cyber Secure Institute published a whitepaper, entitled “Cyberwar and Cyberterrorism: The Need for a New U.S. Strategic Approach,” written by Gen. Eugene Habiger USAF (ret.), who formerly served as Commander in Chief of United States Strategic Command. He also served as the Department of Energy's “Security Czar.”
General Habiger’s whitepaper draws a number of important conclusions, including these five points:
1. America is routinely the victim of nation-state driven cyber intrusions that can be seen as low-grade cyber-border conflicts.
2. Some of these attacks have crossed a critical line: they have compromised critical systems supporting our troops engaged in combat.
3. Our failure to proactively address these threats risks a digital Pearl Harbor or 9-11.
4. Deterrence by retribution and preemption, our nation’s core national security strategies, are of limited value against cyberwar and cyberterror threats—“these rotary-phone-era strategies are not well suited for today’s digital world.”
5. A new approach based upon deterrence by denial is needed, which will require nothing short of a total paradigm shift from both government and the private sector.
MEDIA
PRESS RELEASES
The Cyber Secure Institute
1100 New York Ave NW
Suite 750 West
Washington, DC 20005
(202) 289-3636
Cybersecureinstitute.org
March 10, 2009
The Honorable Yvette D. Clarke
Chair
Subcommittee on Emerging Threats, Cybersecurity, Science and Technology,
Committee on Homeland Security
United States House of Representatives
1029 Longworth House Office Building
Washington, DC 20515-3211
Dear Chairwoman Clarke,
On behalf of the Cyber Secure Institute, I write to offer you the Institute’s unqualified support for your position that new standards and incentives are vital to making our nation cyber secure. To this end, we respectfully ask you to introduce legislation that would provide baseline, performance- and evidence-based, objective standards for cybersecurity for both government and private sector critical infrastructure information technology (IT) systems.
The Cyber Secure Institute
The Cyber Secure Institute is an analysis and advocacy group dedicated to serving as the voice for effective cyber security. We were founded because our nation’s critical networks are inherently vulnerable. Our singular purpose is to help drive the development and deployment of next generation, inherently secure IT systems. Our name says a lot about our goal. We view “cyber secure” as an end-state goal, the state of being secure in the digital world; in contrast we see cybersecurity as the current reactive process of seeking to patch known flaws in inherently insecure IT systems.
Background
As you are well aware, our nation’s critical IT systems remain unacceptably at risk. Recent examples show that virtually no systems are adequately secure:
- A 2008 Center for Strategic International Studies (CSIS) report revealed that the departments of State, Defense, Homeland Security, and Commerce have all been compromised by attacks from foreign entities.
- The networks at the Pentagon alone are probed thousands of times each day.
- Last November, Chinese hackers penetrated the White House network multiple times, and were able to acquire emails between government officials.
Our critical infrastructure is also at risk:
- In December 2006, TJX Co., which operates Marshalls, TJ Maxx and other retail companies, experienced a serious attack on its computer networks. Hackers breached the company’s networks, putting at risk over 45 million credit and debit card numbers.
- On January 20th, Inauguration Day, Heartland Payment Systems Inc., a credit card processing company, announced that it had experienced a large data breach. While Heartland did not reveal how many records have been breached, industry experts have estimated that up to 100 million credit card numbers could have been compromised, making it potentially the largest known data breach in history.
- Last year the Department of Homeland Security released previously classified video showing that a cyber attack could physically destroy an industrial electrical power generator.
- Each year cyber attacks cost the U.S. economy $2.6 billion.
In our view this is a direct and predictable result of the last administration’s laissez-faire approach to cybersecurity.
The most revealing evidence for this can be found in a recent communication to the newly appointed Secretary of Homeland Security, the Honorable Janet Napolitano, from the leadership of the National Cybersecurity Center (NCSC’s). Denied resources and devoid of real authorities, the NCSC’s leadership described its major accomplishments as including: the completion of a CONOP and implementation plan; development of a working group; development of an economic model for cybersecurity; introducing concepts of game theory; creating a vision for a new National Cyber Center; contributing to the national thinking on this issue; and presenting to 10,000 people at 40 events.
What is startling is that there is not a single mention of a significant improvement in the actual cybersecurity of the nation. That is because the gains in cybersecurity to date have been marginal at best. At a time when we require bold action, we instead find ourselves caught up in a Sisyphean struggle – the endless cycle of hack and patch trying to fix legacy systems that are, at best, inherently insecure.
This must change, and, as you rightly noted, change will not come on its own, unprompted. To be blunt, we have tried the laissez-faire approach to cyber security and it has gotten us only so far; it is now time to drive technological progress.
In order for our nation to become “Cyber Secure,” the Congress and the Executive will need to drive change. We share your view that a combination of regulation and incentives are needed to overcome the inertia of the status quo.
It is the Institute’s view that to be effective such legislation needs to be based upon objective, performance- and evidence-based standards. The beginnings of and necessary technological capacities for such a framework are already in place within the certification program carried out by the National Security Agency (NSA) and the National Information Assurance Partnership (NIAP) (a joint program of the NSA and the National Institute for Standards).
THE NSA-NIAP CERTIFICATION SYSTEM
The federal government, namely the NSA-NIAP, issues security certifications for the IT technologies used across our economy and digital-lives. The NSA-NIAP certification scheme is based on the Common Criteria Evaluation and Validation Scheme (CCEVS), which provides a framework of protection profiles recognized by nations around the world, against which technologies are measured. Certifications are awarded on the basis of independent evaluations of a technology’s performance against the specific protection profile. At the higher certification levels this evaluation process includes extensive penetration testing, including using source code and design manuals as guides to find the most potentially vulnerable areas of the system.
The NSA-NIAP/CCEVS system is the only government-recognized, objective cybersecurity certification system in existence.
However, the system is not mandatory and is under-utilized—its potential benefits are squandered. There are no baseline cybersecurity standards—neither NIAP/CCEVS nor any other standards—for federal civilian agencies (e.g., the Department of State, the Department of Energy, the Department of Health and Human Services), nonfederal government agencies (e.g., State level counter-terrorism offices, State-level Departments of Health, Emergency Management, Public Safety, Homeland Security), or the private sector. The Department of Defense (DoD) mandates the use of NIAP/CCEVS evaluated technologies on all DoD networks. However, even within DoD, there are no baseline or minimum NIAP/CCEVS standards.
As a result, many of the IT systems widely in use today have never been independently evaluated against their marketing claims, let alone against objective, evidence- and performance-based measures. Companies are free to make all sorts of security claims—ranging from mere puffery to clearly deceptive advertising. Even the most sophisticated buyers have little way to actually evaluate every such claim in the marketplace in advance of a purchasing decision.
Further, all widely deployed, currently certified technologies are certified against protection profiles that safeguard against only inadvertent and non-hostile attacks. In other words, even the certified systems, are actually certified—in the negative—as being incapable of defeating the sorts of sophisticated hostile attacks that our nation faces every day.
Moreover, these certified systems are only certified at low confidence levels against the most minimal protection profiles. The NSA-NIAP system utilizes Evaluation Assurance Levels in conjunction with the Common Criteria security profiles to grade both the security of systems and indicate the level of confidence in that grade. These levels range from EAL1 (minimal security) to EAL 7 (highly secure). Most systems we rely on today have been certified only up to EAL4+. This includes virtually all the systems across both the federal government (e.g., the White House, the Congress, the Department of Defense) and our most critical infrastructure (e.g., nuclear plants, power grids, water systems, healthcare systems, banking and finance systems).
The reliance on low-level certified technologies is also particularly troubling because at such levels even the NSA-NIAP program does not require penetration testing.
Putting all this in context, virtually all our vital systems today are certified to only a modest level of confidence (4 out of 7) that they can withstand only non-hostile, inadvertent attacks.
Unfortunately, the cyber-adversaries we face today are anything but inadvertent or non-hostile. Our nation is under constant cyber-attack by domestic and foreign adversaries, ranging from elite hacking units of the Chinese Army to the Russian Mafia to al Qaeda to cybercriminals. Our nation’s critical networks will continue to remain at risk if steps are not taken to secure them.
New technologies are available that meet the most secure protection profiles (“high robustness”) at EAL6 and EAL7 certification confidence levels. These inherently secure technologies offer the nation the ability to significantly reduce our cyber vulnerabilities.
Request for Legislation
To this end, we would respectfully ask that in your leadership role as the Chair of the Emerging Threats, Cybersecurity, Science and Technology Subcommittee, you consider advancing legislation that would put in place baseline cybersecurity performance standards to drive the adoption of inherently secure technologies.
Such legislation could and should be:
- Based on the NIAP-NSA certification program, which offers an objective technology and performance-based evaluation process.
- Mandatory for both government and private sector critical infrastructure IT systems.
- Phased-in but within an expedited timeframe that recognizes the serious present-day threats to our nation.
- Action forcing, driving the adoption of next generation technologies.
- Comprehensive and strong, including, for example, oversight provisions to ensure such standards, once promulgated, are actually implemented.
- Accompanied by both transition and technical assistance.
The Institute recommends that rather than re-inventing the proverbial wheel, any such cyber baseline legislation should task NSA-NIAP to work, in conjunction with the Department of Homeland Security and other relevant federal agencies, to develop such standards.
We further recommend that the legislation also take steps to address ways to improve the current NSA-NIAP certification program, including:
- Provide grant monies for small businesses with promising technologies to offset the costs of certification.
- Put in place a mentor-protégé program to assist small businesses going through the certification program for the first time.
- Reduce the certification (or more accurately re-certification) requirements for simple updates to an already certified technology—an improvement the NSA is already working towards.
- Increase the program’s funding and capacities to enable it to meet the new demand such standards will create for certifications, reduce the overall time required for certification decisions to be made, and enhance consistency of the testing processes.
- Provide highest-level certified IT providers, and, in turn, those companies that rely on highest-level certified technologies for their IT systems incentives, which might range from caps on liability (akin to those under the SAFETY Act) to preferential tax treatment.
- Create an outreach program to assist the private sector in understanding the importance of the certification regime and how it can help their individual enterprises.
We also share your view that such a regulatory program should be accompanied by targeted incentives to help the private sector offset the costs of deploying new, inherently secure technologies. We would stress that any such incentives must be tailored to meet the goal of driving technological change and a new cyber secure end state. They should not be available to offset just any new IT security spending—helping companies deploy more patches will not change our nation’s level of security. Rather, such incentives should be available solely for the deployment of high-level certified, inherently secure technologies.
The benefits of this approach are substantial. Most importantly, baseline evidence- and performance-based requirements will ensure a high-level degree of security for all the nation’s critical IT systems.
Such an approach will also increase next generation R&D and innovation. To the extent that standards and incentives are put in place to drive government and industry to adopt certified, inherently secure technologies, more IT providers will endeavor to develop new, better technologies that can meet these standards—rather than working on the next patch or modestly better firewall. Over the mid-term this approach will provide the government and private sector more and better options for real cybersecurity.
Additionally, this approach framework will encourage IT providers to submit their technologies for testing and certification processes. Outside expert testing will help improve the quality of products introduced to the marketplace. Such testing will help weed inferior and insecure products out before they can be marketed, widely adopted and their flaws seized upon by criminals, terrorists, and our nation’s adversaries. Certified products will be proven inherently secure.
Increased testing and certification will also greatly reduce the “cyber snake-oil factor” that undermines the effective functioning of the cybersecurity market. Objective measures of security performance will provide the government and the private sector the ability to cut through the current morass of deliberately confusing, and often over-hyped marketing claims. A robust certification system that replaces claims with performance standards will allow the individuals charged with protecting vital systems the ability to identify and buy certified, best-in-class systems.
The overall effect of such an approach will be to empower America for a new era of innovation. The Institute recently opined that the greatest impediment to American innovation—our nation’s core comparative advantage—and economic progress is IT insecurity. The promise of next generation technologies to improve our lives and increase efficiency and productivity is immense. We stand on the verge of genetic cures for diseases, the ability to predict and prevent illnesses, smart power grids, and machines that can react to our thoughts and needs through brain interfaces—the list is long. However, the adoption of such technologies is seriously undermined by inherent technological insecurities. People will not trust their personal data—let alone their very lives—to IT systems that they cannot fully trust. Nor can we trust a smart grid to power our nation if that grid can be hacked and shut down by our enemies. Driving security will empower innovation and foster progress.
# # #
Chairwoman Clarke, we welcome your leadership of this vital Subcommittee, and we are excited at the prospect of working with you to make our nation truly cyber secure.
We would welcome the opportunity to meet with you to discuss these issues. Please feel free to have your staff contact me at (202) 289-3666 or via email at rhousman@cybersecureinstitute.org.
Sincerely,
Rob Housman
Executive Director
February 26, 2009
Cyber Secure Institute Praises Action by Director of National Intelligence to Increase NSA Cybersecurity Responsibilities
Institute’s January 6, 2009 Report Called for Precisely This Action
WASHINGTON--(BUSINESS WIRE)--Today, Rob Housman, Executive Director of the Cyber Secure Institute, issued this statement praising an announcement yesterday by Admiral Dennis Blair, Director of National Intelligence (DNI), that the National Security Agency (NSA) will be taking on a larger role in America’s cybersecurity program.
Housman said, “DNI Blair’s action is an enormously positive step for our nation’s security. We strongly agree with DNI Blair’s approach. In fact, we have previously called for action precisely along these lines in a report issued by the Institute on January 6, 2009.”
DNI Blair stressed that “The National Security Agency has the greatest repository of cyber talent . . .’ and that “[the NSA] know[s] best about what's coming back at us, and it is defenses against those sorts of things that we need to be able to build into wider and wider circles.”
The Institute’s report similarly emphasized that:
- “The NSA is the laboring oar in the federal government’s technology security certification programs. As a result it has extensive expertise in reviewing and analyzing the real security of IT systems. The agency also has many of the world’s best penetration experts on staff. This would give the NSA a major leg up in managing a set of carrots or sticks, or both, to drive private sector cybersecurity; they would know which systems meet the mark and which fall short. These capabilities mean that a shift to the NSA could be much more than a bureaucratic reshuffling of the deck chairs.”
The Institute’s call for greater NSA involvement also stressed that:
- “Even within the private sector, the NSA cybersecurity experts are highly regarded . . . . This cache might enable the NSA to work more productively within the tech community.”
- “The NSA director also occupies a special place within the national security apparatus . . . . Putting corporate cybersecurity and . . . federal cybersecurity, into the director’s hands could elevate the issue, which, as a practical matter is vital for progress with the bureaucracy of the federal government.”
- “The NSA by virtue of what it is and what it does has a certain aura . . . . Companies have become rather comfortable dealing with DHS—gone are the days when companies just saluted like good foot soldiers when DHS called. Being ‘invited’ into a discussion with NSA might help move the dialogue, and real security, along.”
Housman continued, “We hope that the NSA will use this new role to help drive our critical IT infrastructure away from today’s inherently insecure systems to systems that can withstand the types of sophisticated, hostile cyber attacks our nation now faces every day. To this end, the Institute will soon be issuing a proposal for legislation that would empower the NSA to develop baseline cybersecurity standards for all critical IT systems across both the public and private sectors.”
The entire text of CSI’s report from January 6, 2009 can be viewed at: http://cybersecureinstitute.org/blog
| Contact: | Rob Housman |
| 202-486-5874 or 202-289-7999 | |
| rhousman@cybersecureinstitute.org |
FOR IMMEDIATE RELEASE
| Contact: | Rob Housman |
| 202-486-5874 | |
| rhousman@cybersecureinstitute.org |
In the time it takes to read this release 360 people will have their identities stolen and cyber attacks will cost the American economy $859,969.
CYBER SECURE INSTITUTE LAUNCHED;
ADVOCATE FOR EFFECTIVE CYBERSECURITY; TECH DRIVER
Washington, D.C. - December 9, 2008 - The Cyber Secure Institute, an analysis and advocacy organization focused on raising the bar for cybersecurity, today announced its launch. The Cyber Secure Institute will focus on five main objectives:
Raise awareness of cyber threats.
- Advocate for stronger Cyber SecureTM standards for IT security.
- Push for all cybersecurity technologies to be independently validated against widely accepted, internationally and nationally recognized standards.
- Recognize IT technologies that meet rigorous Cyber SecureTM standards.
- Advocate for the deployment of best available Cyber SecureTM technologies - technologies independently tested and certified capable of withstanding even hostile and sophisticated attack.
The Institute is unique in that it is not a trade association or industry group. It was formed to serve as the voice for truly effective cybersecurity.
Rob Housman, the Institute's Executive Director, said "We formed the Cyber Secure Institute because this is a critical time for cybersecurity. The FBI reports major cyber attacks are increasing. The Chinese military has repeatedly hacked the White House's systems. Numerous studies highlight the cyber-vulnerabilities of our critical infrastructure. Millions of Americans have had their identities stolen, their money taken and their personal information hacked. At the same time, there is a growing commitment to deal with this threat. President-elect Obama is focused on the issue. The House leadership has formed a Cybersecurity Caucus. There is an opportunity here to make a big difference."
"However, we can't address this threat through cybersecurity as we now know it - endless after-the-fact struggles to close gaps exposed in inherently insecure technologies," Housman added. "If we continue this constant cycle of hack and patch we will never be secure."
"We need to shift from 'hack and patch' cybersecurity to developing and deploying Cyber Secure systems and technologies. The Institute's goal is to drive the development and deployment of Cyber Secure technologies," Housman said.
More information about the Cyber Secure Institute can be found at: www.cybersecureinstitute.org
# # #
MEDIA RESOURCES
 |
 |
| Ad for Homeland Defense Journal PDF Download |
Ad for Homeland Defense Journal PDF Download |
INQUIRIES
For Media Inquiries:
202.289.7999 or media@cybersecureinstitute.org