Category Archives: Computer Security

Cyber Tech Firms Need Integrator Partners to Broaden Their Services


Image:  Oracle.com

“WASHINGTON TECHNOLOGY”

“Given the frequency and severity of security intrusions in the public and private sector, cybersecurity companies are now looking for more complete offerings beyond their core capabilities.

By demonstrating an ability to technically integrate with third party vendor products, these companies can show that they are able to more fully meet the needs of Federal government customers.”


“Government agencies are looking for companies that can act as general contractors, but not all companies are systems integrators. Therefore, the goal for many companies is to have the ability to provide a more expansive, holistic offering beyond just their own product portfolio.

That hasn’t traditionally been the case among cybersecurity providers. These companies have typically focused on selling their uniquely specialized products into agencies, which understandably can limit their success in responses to requests for proposals in more comprehensive programs.

For the government in particular, the approach agencies to more easily make decisions on which products to deploy in complex environments.

Let’s look at how some general technical cybersecurity integrations can add benefit to customers:

Multi-Factor Authentication (MFA) – An agency looking to deploy MFA tokens to all their employees will likely need a card management system (CMS) to enroll the certificates stored on the physical tokens. Some companies offer both tokens and a CMS, but particularly when looking for high assurance tokens that were designed with the Federal government in mind, they are unique areas of expertise. Having the ability to vet out, in advance, a working solution that can be jointly offered to a customer simplifies the overall process and allows a customer to more readily select the appropriate vendor.

Storage & Key Mgt Encryption – What’s important here is whether a storage encryption solution can work with a key manager through open standards such as the Key Management Interoperability Protocol (KMIP). This type of interoperability is another way of layering levels of security and creating an overall efficient solution for the customer. It alleviates the challenge of the customer having to validate that the products they purchase will properly integrate in their environments.

Complete offerings – In some cases a company may be missing one element to an overall holistic solution. Among encryption providers, encrypt everything is the Holy Grail. Some come very close to meeting that promise with encryption solutions for web/application servers, databases, file servers, disk encryption, virtual machines, etc. Often, however, what might be missing is the ability to encrypt email and documents. Companies should pool resources to be able to offer that level of encryption and storage with hardware for root key management, to provide an integrated solution for all available data venues.

So after being a bit late to the game on the need to create integrated offerings, cybersecurity firms have come to realize that there is more value to creating a simple means for agencies to ensure their IT security than there is to owning a narrow segment of the market.”

https://washingtontechnology.com/articles/2017/09/29/insights-schatz-cyber-integrator-role.aspx


Army To Discard $6 Billion (WIN-T) Network Investment And Start Over Without A Plan


“DEFENSE NEWS”

“House lawmakers roasted Army officials for abruptly scrapping its acquisition strategy months after submitting its 2018 budget without a well-defined alternative.

Whether the U.S. Army may shift a half-billion dollars from its ailing network programs and chart a new course will be up for debate as lawmakers reconcile rival House and Senate defense policy bills this month.”


“But several key lawmakers said they are not ready to let the Army reboot from a $6 billion investment without explaining what’s next.

Army officials argue the service lacks the survivable, mobile and hardened tactical network it would need on a modern battlefield. They are asking Congress to end the Mid-Tier Networking Vehicular Radio, the Command Post of the Future and the Warfighter Information Network-Tactical (WIN-T) Increment 2 at the end of fiscal year 2018 to free up money budgeted for the three.

And although at least two key lawmakers said they were supportive — chairmen of the House and Senate armed services committees — they want more information.

“I support them being willing to examine themselves and reverse course if that’s what’s appropriate,” HASC Chairman Mac Thornberry, R-Texas, said of the Army on Oct. 5. “It’s going to be up to them to prove to us that now we are on a better path, that we have learned the lessons.”

Thornberry said Army officials spoke with him in September about making the change.

“They’ll have to lay out their plans to us, but if we can have a path forward in ’18, there’s no reason to wait until ’19.”

The House-passed 2018 National Defense Authorization Act calls for WIN-T to be accelerated, and the Senate-passed version zeroes out the president’s request for WIN-T funding. The White House has defended WIN-T and some other programs the Senate NDAA would cut.

SASC Chairman John McCain, R-Ariz., and Sen. Tom Cotton, R-Ark., grilled Gen. Mark Milley, the Army chief of staff, at a May hearing and accused the Army of wasting $6 billion on WIN-T. That stance actually aids Milley’s aim to reboot Army network plans.

On Sept. 9, McCain met with Milley on Capitol Hill and asked him how he proposes the WIN-T funding be redistributed.

“We told them to send us what they want to do with it, and we will examine it, but we had to act to cut it off,” McCain said of the meeting.

McCain said his support for the Army’s next move “depends on what they want to use it for. WIN-T has been a total failure.”

Proposed changes could be handled as an Army request to reprogram the 2018 funding or as part of the NDAA depending on the timing, McCain said.

The Army envisions scenarios in which it fights a near-peer enemy in contested environments that require small units, operating independently and moving constantly to avoid defeat.

Yet the first increment of WIN-T, while fielded, can only function — transmitting voice, video and data — when a unit is stopped. The WIN-T’s second increment is meant to provide an on-the-move capability, but it has struggled.

The latest annual report from the Pentagon’s office of developmental test and evaluation faults WIN-T’s technical performance, usability and vulnerability to enemy jamming.

At a hearing of the HASC Tactical Air and Land Forces Subcommittee on Sept. 28 to question Army officials over its new plans, Chairman Michael Turner, R-Ohio, expressed deep skepticism the Army would get it right this time.

In a subsequent interview with Defense News, Turner said the goal is to provide new troops technology at least as advanced as what they had in high school, and not to be eclipsed by adversaries who “have modernized and put at risk our ability to operate.”

“The question is what are we going to do, not just what are we not going to do,” Turner said.

Turner pushed back at the idea WIN-T had been a failure, noting it had been delivered, tested and fielded.

“The issue is not that it’s not working; the issue is: What are our goals and objectives, what are our technology needs, and how do you achieve those?” Turner said, “And the Army’s going to need to have an answer at least in scoping and in implementation, while they explain the nearly $6 billion that’s already been spent.”

https://www.defensenews.com/2017/10/05/lawmakers-if-us-army-ends-6b-in-network-programs-whats-next/

DHS Science & Technology Directorate Leading the Way on Cyber Innovation


“FIFTH DOMAIN” By Chris Cummiskey

“One of the greatest impediments to taking innovative ideas and putting them into action is the federal acquisition process.

The Cybersecurity Division (CSD) R&D Execution Model has been utilized since 2004 to successfully transition over 40 cyber products with the help of private sector companies.”


“It isn’t often that the words innovation and government find their way into the same sentence. When they do, it is often to decry the lack of innovation in government practices. Silicon Valley and other corporate leaders have long lamented that the federal government just doesn’t seem to understand what it takes to bring innovation to government programs.

One office in the federal government is having an outsized, positive impact on bringing private sector innovation to government cybersecurity problem solving. The Cybersecurity Division (CSD) of the Science & Technology Directorate at the Department of Homeland Security has figured out how to crack the code in swiftly delivering cutting edge cyber technologies to the operators in the field. Some of these programs include: cybersecurity for law enforcement, identity management, mobile security and network system security.

The mission of CSD is to develop and deliver new technologies and to defend and secure existing and future systems and networks. With the ongoing assault on federal networks from nation-states and criminal syndicates, the mission of CSD is more important than ever.

CSD has figured out how to build a successful, actionable strategy that produces real results for DHS components. Their paradigm for delivering innovative cyber solutions includes key areas such as a streamlined process for R&D execution and technology transition, international engagement and the Silicon Valley Innovation Program (SVIP).

R&D Execution and Technology Transition

As a former chief acquisition officer at DHS, I certainly understand why there needs to be federal acquisition regulations. The challenge is these regulations can be used to stifle the government’s ability to drive innovation. I am encouraged by the efforts to overcome these obstacles by federal acquisition executives like DHS Chief Procurement Officer Soraya Correa – who is leading the fight to overcome these hurdles.

Under the leadership of Dr. Doug Maughan, CSD has created a process with the help of procurement executives that swiftly establishes cyber capabilities and requirements with input from the actual users. They have designed a program that accelerates the acquisition process to seed companies to work on discrete cyber problems. The model sets up a continuous process that starts with workshops and a pre-solicitation dialogue and ends with concrete technologies and products that can be utilized by the operators in the various DHS components. To date the program has generated cyber technologies in forensics, mobile device security, malware analysis and hardware enabled zero-day protections and many others.

International Engagement

Maughan often states that cybersecurity is a global sport. As such, many of the challenges that face the United States are often encountered first by other countries. Maughan and his team have worked diligently to leverage international funding for R&D and investment. CSD is regularly featured at global cyber gatherings and conferences on subjects ranging from international cyber standard setting to sharing R&D requirements for the global entrepreneur and innovation communities.

Silicon Valley Innovation Project (SVIP)

It seems like the federal government has been trying to get a foothold in Silicon Valley for decades. Every president and many of their cabinet secretaries in recent memory have professed a desire to harness the power of innovation that emanates from this West Coast enclave. One of the knocks on the federal government is that it just doesn’t move fast enough to keep pace with the innovation community. Maughan and the folks at CSD recognize these historic impediments and have moved deftly to build a Silicon Valley Innovation Project (SVIP) that is delivering real results. To help solve the hardest cyber problems facing DHS components like the Coast Guard, Customs and Border Protection, the United States Secret Service and the Transportation Safety Administration, SVIP is working with Silicon Valley leaders to educate, fund and test in key cyber areas. The program is currently focusing on K9 wearables, big data, financial cybersecurity technology, drones and identity. The SVIP has developed an agile funding model that awards up to $800,000 for a span of up to 24 months. While traditional procurement processes can take months, the SVIP engages in a rolling application process where companies are invited to pitch their cyber solutions with award decisions usually made the same day. The benefits of this approach include: speed to market, extensive partnering and mentoring opportunities for the companies and market validation.

Conclusion

Moving innovative cyber solutions from the private sector to the federal government will always be a challenge. The speed of innovation and technological advancement confounds federal budget and acquisition processes. What Maughan and CSD have proven is that with the right approach these systems can complement one another. This is a huge service to the men and women in homeland and cybersecurity that wake up every day to protect our country from an ever-increasing stream of threats.”

https://www.fifthdomain.com/opinion/2017/09/26/dhs-office-leading-the-way-on-federal-cyber-innovation-commentary/

ABOUT THE AUTHOR:

Chris Cummiskey is a former acting under secretary/deputy under secretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

Vindictive Army Contractor Planted Virus Costing Taxpayers Millions


An Army investigation found that a defense contractor inserted a “logic bomb” into a computer program used to handle pay and personnel actions for reservists. Five of the servers associated with the program are located at Fort Bragg, North Carolina. (Senior Airman Franklin R. Ramos/Air Force)

“ARMY TIMES”

A defense contractor was found guilty Wednesday of knowingly transmitting malicious code with the intent of causing damage to an Army computer, the U.S. Attorney’s Office for the Eastern District of North Carolina said in a statement Thursday.

Mittesh Das, a 48-year-old resident of Atlanta, unloaded the computer virus in November 2014 — days before the company he was contracted under was supposed to hand over operations to a different firm.

The Army projected the total labor cost to remove the computer virus and restore the corrupted information as roughly $2.6 million.”


“The code affected a national-level computer program the Army Reserve uses to handle pay and personnel actions for nearly 200,000 reservists, according to the statement. Five of the servers associated with the program were located at Fort Bragg, North Carolina.

“Cyber-sabotage is not a ‘prank.’ It is a very serious crime with real victims and real costs. In this case, the crime cost taxpayers $2.6 million,” said John Stuart Bruce, United States Attorney for the Eastern District of North Carolina.

Das was indicted on April 5, 2016, for the offense that occurred in 2014.

In December 2014, the Army Times reported on incidents of delayed payments to Army reservists. The delay — which averaged about 17 days — was attributed to a glitch in the Regional Level Application Software, said Lt. Col. William Ritter, a spokesman for the Reserve. That software’s functions included processing pay and orders, as well as transfers, awards and promotions, Ritter added.

The Justice Department was pleased with the outcome of the indictment, said Director Daniel Andrews of the Computer Crime Investigative Unit, U.S. Army Criminal Investigation Command.

“Let this be a warning to anyone who thinks they can commit a crime in cyberspace and not get caught. We have highly trained and specialized investigators who will work around the clock to uncover the truth and preserve Army readiness,” Andrews said in the statement.”

http://www.armytimes.com/news/your-army/2017/09/22/man-who-planted-virus-in-an-army-computer-program-cost-taxpayers-millions/


Is LinkedIn Trying to Protect Your Data — Or Hoard It?


(David Paul Morris/Bloomberg)

“WASHINGTON POST”

“When you create a public profile on a social network such as LinkedIn, it isn’t just your friends and contacts who can see that data. For better or for worse, other companies can legally download that information and use it for themselves, too.

That’s according to a federal judge who ruled Monday against LinkedIn, the professional networking site, in a case that has big implications for corporate power and consumer privacy in the tech-driven economy.

LinkedIn had claimed that another company, hiQ Labs, was illegally downloading information about LinkedIn users to help drive its business. The issue was a concern for LinkedIn, which is owned by Microsoft, in part because many of today’s tech companies depend on customer data to compete and even outmaneuver their rivals. As a result, being able to control that information and determine who else can see it is of paramount importance to firms like these.

“Microsoft is further transforming LinkedIn into a data-driven marketing powerhouse that harvests all its data to drive ad revenues,” said Jeffrey Chester, executive director of the Center for Digital Democracy.

Where LinkedIn and hiQ clashed was over hiQ’s product, which almost exclusively depends on LinkedIn’s data, according to U.S. District Judge Edward Chen. HiQ essentially helps employers predict, using the data, which of their employees are likely to leave for other jobs. While this HR tool might sound relatively boring to you and me, it’s key to industries whose success depends on recruiting and retaining the best talent. A Gallup survey last year found that 93 percent of job-switchers left their old company for a new one; just 7 percent took a new job within the same organization.

HiQ has raised more than $12 million since its founding in 2012. LinkedIn itself is making moves to develop a similar capability, Chen said, meaning that LinkedIn’s attempt to block hiQ from accessing its data could be interpreted as a self-interested move to kneecap a competitor. If hiQ can’t get the professional data it needs to fuel its analytic engine, its business could “go under,” Chen said.

To allow hiQ access to LinkedIn’s data would be a gross violation of LinkedIn users’ privacy, LinkedIn argued. But Chen didn’t buy it, saying that LinkedIn already chooses to provide data to third parties of its own accord. What’s more, he added, people who make their profiles public on LinkedIn probably want their information seen by others, which undermines LinkedIn’s claim to be protecting user privacy.

Allowing LinkedIn to selectively block members of the public from accessing public profiles — under penalty of the country’s anti-hacking laws, no less — “could pose an ominous threat to public discourse and the free flow of information promised by the Internet,” wrote Chen in his ruling.

LinkedIn vowed to keep fighting in court.

“We’re disappointed in the court’s ruling,” it said in a statement. “This case is not over. We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn.”

The case raises deep questions about who truly represents users’ interests. From one perspective, LinkedIn is duty-bound to protect its customers’ data and prevent it from falling into the wrong hands — perhaps all the more so if, as it appears with hiQ, the information could give employers more leverage over their workers.

But LinkedIn’s position requires that it have a tremendous say over how users’ own information can be used and distributed. Concentrating power in this way benefits not only LinkedIn, but also the owners of other platforms such as Facebook, Google and other sites that host user-supplied content.

“If LinkedIn’s view of the law is correct, nothing would prevent Facebook from barring hiQ in the same way LinkedIn has,” said Chen.

That’s why this case is so important: How it turns out could set a precedent for the entire Internet, and a global economy that depends on data.”

https://www.washingtonpost.com/news/the-switch/wp/2017/08/15/is-linkedin-trying-to-protect-your-data-or-hoard-it/?utm_term=.9d95e9c0d196


“Who’s Who” in Cyberspace Operations (CSO)? DARPA Asks


(Photo credit: DARPA)

Defense Advanced Research Projects Agency Wants to Know

“FIFTH DOMAIN”

“DARPA wants to know who can do what when it comes to cyber research.

The agency wants to compile an up-to-date list of companies capable of participating in research projects in cyberspace operations (CSO).

“Ideally, respondents will include both potential performers currently holding security clearances and those who may be granted clearances based on technical capabilities and eligibility,” DARPA said.

“Often, these projects are classified and can only be solicited from a limited number of sources,” noted the FedBizOps request for information. “DARPA must maintain up-to-date knowledge about potential performers to maximize the number of sources that can be solicited for classified, highly specialized, CSO R&D initiatives.”

Interested parties should submit a white paper that includes a list of their personnel with CSO experiences, any security clearances those employees have, and a narrative description of their relevant skills. Companies should also list any relevant facilities, including secure areas.”

https://www.fifthdomain.com/dod/2017/08/29/darpa-wants-whos-who-of-cyberspace/


DARPA Wants Bots To Protect Us From Cyber Adversaries


MOPIC/SHUTTERSTOCK.COM

“DEFENSE ONE”

“The military research unit is looking for technology and software that can identify networks that have been infiltrated—and neutralize them.

[They are] looking for ways to automate protection against cyber adversaries, preventing incidents like the WannaCry ransomware attack that took down parts of the United Kingdom’s National Health Service networks.

The Defense Advanced Research Projects Agency is gathering proposals for software that can automatically neutralize botnets, armies of compromised devices that can be used to carry out attacks, according to a new broad agency announcement.

The “Harnessing Autonomy for Countering Cyber-adversary Systems” program is also looking for systems that can exploit vulnerabilities in compromised networks to protect those networks, making cyber adversaries—both state and non-state—less effective.

This isn’t the first time DARPA has investigated automated cybersecurity. In the 2016 Cyber Grand Challenge, participants were tasked with building systems that could thwart attacks without human intervention.

The businesses awarded contracts under the HACCS program will also come up with ways to measure how successful that technology is, incorporating how accurate the systems are in identifying botnet infections and the types of devices harnessed by the botnet.

It’s not enough to simply fortify Defense Department networks, the solicitation says, because botnets might operate without the owner of that network knowing. The Defense Department needs a way to initiate an immediate response even if the owner is not “actively participating in the neutralization process,” according to the announcement.

One way to build such an autonomous system might be to teach it to mimic the way human operators neutralize attacks in cyber exercises, according to a HACCS slide deck.

DARPA is not concerned about how stealthy the technology is in neutralizing botnets, the deck notes, but an effective system should only work on the networks that actually are compromised instead of taking the “kitchen sink” approach.

Some internet privacy advocates noted that law enforcement’s efforts to quietly neutralize botnets could violate the privacy of those who own the compromised devices, especially if the Federal Bureau of Investigation doesn’t inform them that they’re accessing their devices in their attempts to thwart attacks.

Proposals for DARPA’s four-year program, whose budget is undisclosed, are due Sep. 29.”

http://www.defenseone.com/technology/2017/08/darpa-wants-bots-protect-us-cyber-adversaries/140565/?oref=d-river


All the Ways the U.S. Government Cyber Security Falls Flat


“WIRED”

“[An] analysis of 552 local, state, and federal organizations [was] conducted by risk management firm Security Scorecard.

The report goes beyond the truism of government cyber security shortcomings to outline its weakest areas, potentially offering a road map to change.”


“Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cyber security analysis placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it.

Security Scorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.

“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”

After a few years of high-profile government hacks—the devastating breach of the Office of Personnel Management chief among them—the sector as a whole has made some modest strides on defense, moving up from last place in a 2016 SecurityScorecard report. Even OPM has gained some ground, though findings (and a government review) indicate that it still has a long way to go. Agencies that control and dole out money—like the Federal Reserve, Congressional Budget Office, and National Highway Traffic Safety Administration—tend to have much more robust digital security, as do intelligence and weapons agencies like the Secret Service and Defense Logistics Agency. Even the Internal Revenue Service, which has been plagued by leaks over the past few years, has shown marked improvement, spurred by necessity.

SecurityScorecard gathers data for analyses through techniques like mapping IP addresses across the web. Part of this analysis involves attributing the addresses to organizations, not just by looking at which IPs are allocated to which groups, but by determining which organizations use which IP addresses in practice. This means that the report didn’t just assess blocks allocated to the government, it also tracked addresses associated with contract third parties, like cloud and web application providers. The group also scans to see what web applications and system software organizations run, and compares this information to vulnerability databases to determine which organizations should upgrade and patch their platforms more rigorously. Additionally, SecurityScorecard collects leaked data troves of usernames and passwords, and monitors both public and private dark-web forums.

The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid 2000s were available to the public.” When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. (Shout out to the Wisconsin Court System and the City of Indianapolis for strong cybersecurity showings.) That means that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way. The question now, Heid says, is how effectively legislation can guide government IT and cybersecurity policy. There’s a mixed track record on that at best, but in the meantime breaches and market forces are slowly driving progress.

“It boils down to the conception of information security as an afterthought,” Heid says. “‘We’ve got operations to handle and we’ll deal with the problems as they arise’ is essentially how it’s been implemented into government. But for some agencies they end up having losses in the millions of dollars. People start wearing kneepads after they fall off the skate board a few times.”

https://www.wired.com/story/us-government-cybersecurity/


Estonia Lesson Learned: “Every Country Should Have a Cyber War”


“DEFENSE ONE”

“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”


“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise for them to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 Wi-Fi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of D-DoS (distributed denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and ask them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamps so that the data cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”
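The two properties the article attributes to X-road, a citizen being able to see who accessed their record and manipulation of that record being detectable, can be illustrated with a time-stamped, hash-chained access log. This is an added example written for this page, not X-road’s implementation; the chaining scheme, the AccessLog class and the sample citizen and practitioner names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Illustrative hash-chained audit log (assumption: not X-road's own design).
# Each entry's digest commits to the previous digest, so editing any entry
# after the fact breaks every digest that follows it.
GENESIS = "0" * 64


def entry_digest(prev_digest, entry):
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode()).hexdigest()


class AccessLog:
    def __init__(self):
        self.entries = []  # list of (entry dict, digest)

    def record(self, actor, subject, action, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        entry = {"ts": ts, "actor": actor, "subject": subject, "action": action}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((entry, entry_digest(prev, entry)))

    def verify(self):
        """Recompute the chain; return index of the first bad entry, or -1 if intact."""
        prev = GENESIS
        for i, (entry, digest) in enumerate(self.entries):
            if entry_digest(prev, entry) != digest:
                return i
            prev = digest
        return -1

    def accesses_to(self, subject):
        """What a citizen sees: who touched their record, when, and how."""
        return [(e["ts"], e["actor"], e["action"])
                for e, _ in self.entries if e["subject"] == subject]


def demo():
    # Constructed sample data: two practitioners view one citizen's record.
    log = AccessLog()
    log.record("dr-tamm", "citizen-001", "view-health-record", "2017-06-01T09:00:00+00:00")
    log.record("dr-unknown", "citizen-001", "view-health-record", "2017-06-02T14:30:00+00:00")
    log.record("dr-tamm", "citizen-002", "view-health-record", "2017-06-02T15:00:00+00:00")
    seen = log.accesses_to("citizen-001")   # both accesses are visible to the citizen
    # An insider tries to hide the second access by rewriting the actor field.
    log.entries[1][0]["actor"] = "dr-tamm"
    return seen, log.verify()               # verify() -> 1: tampering detected at entry 1
```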

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an afterthought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an afterthought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”

http://www.defenseone.com/technology/2017/08/every-country-should-have-cyber-war-what-estonia-learned-russian-hacking/140217/?oref=d-mostread


A New Tool for Looking at Federal Cybersecurity Spending


Image:  “Taxpayers for Common Sense”

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”


“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”

http://www.pogo.org/blog/2017/08/a-new-tool-for-looking-at-federal-cybersecurity-spending.html