Bill To Provide Presidental Authority to Turn Off the Internets

CNET’s Declan McCullagh recently posted an article on aspects of the Cybersecurity Act of 2009 “Bill would give President emergency control of the Internet”

The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

There has been a lot of discussion and debate about how the new administration would address cybersecurity. With a string of disillusioned Cyber Czars, advisers, and a dizzying array of federal agencies vying to lead the efforts President Obama has certainly been in the unenviable position of setting the future direction to secure critical infrastructure and to ensure our prosperity.

This is a massive logistical problem, growing even more so as technology advances and becomes adopted as part of our digital fabric. Unfortunately there will be mistakes, errors in judgment, and poorly written policies that may very well lead to significant self-inflicted damage. The concept that the President, under an emergency situation, can take control of aspects of the Internet is very troubling.

Conceptually, and given the events of 9/11, it would seem logical that under a massive sustained attack on our critical infrastructure and our digital assets – both public and private – that it would be warranted for the administration to do whatever would be required to regain control and eliminate the threat. The reality is that this is extremely difficult to do and more importantly enables a malicious actor to create a situation that forces the administration to respond and in doing so create more havoc than could have been created by the malicious actors on their own.

This is a recipe for disaster and provides a very real vector for attacking the entire United States in a way that would not normally be afforded to those who wish to do us harm. Continue reading →

The US Cyber Challenge Wants You

As part of the administrations continuing efforts to actually do something tangible to improve the security posture of US critical infrastructure and to better deal with a severe lack of technical talent the CSIS (Center for Strategic and International Studies) announced the US Cyber Challenge (here) to identify and develop 10,000 cyber security specialists.

One of the fundamental deficiencies of the current US critical infrastructure protection programs (there are many of them), is the astonishing lack of qualified technical security specialists. This program aims to develop the next generation of technically advanced cyber warriors and security specialists.

The United States Cyber Challenge

The US Cyber Challenge is a national talent search and skills development program. Its purpose is to find 10,000 young Americans with the interest and skills to fill the ranks of cyber security practitioners, researchers and warriors. Some will, we hope, become the top guns in cyber security. The program will nurture and develop their skills, and enable them to get access to advanced education and exercises, and where appropriate, enable them to be recognized by employers where their skills can be of the greatest value to their nation.

Improving our private and public sector security posture will be an ongoing process as we adopt new technology innovations and as the dynamic global environment shifts between hostile and friendly actors. Recruiting the next generation of technically advanced security specialists and developing the skills today to deal with tomorrows threats is key to ensuring we have a population of talent to enable continued growth and prosperity of the United States and its citizens. Like so many times in our history, the hopes of an aging nation rest on the shoulders of America’s youth.

Continue reading →

North Korea Cyber Scape Goat of the World

Never before have so many misrepresented so much about so little…

In all my years in the security industry I do not believe I have read more misinformation than the nonsense surrounding the recent DDoS attacks. Apparently North Korea is waging Cyber Warfare, or if not an actual all out cyberwar they are behind a targeted “cyber attack”.

Let’s look at what we know…

• Multiple US and South Korean websites fell victim to sustained distributed denial of service attacks (happens all the time)
• The DDoS attack used tens of thousands of compromised hosts (I have seen bigger)
• The compromised hosts appear to have been infected using well known and easily shielded against malware (What else is new?)
• The organizations that were impacted and had taken proper measures to defend against a DDoS were not materially impacted (At least someone was thinking ahead)

This is just business as usual on the Internet – nothing to see here folks – these DDoS attacks could have been just as easily launched by an awkward prepubescent child with about 2 years of computer experience as they could have come from a coordinated, state-sponsored, North Korean attempt to test our defenses.

Just so we are clear this is no more Cyber Warfare than me running to the Mexican border and throwing 10,000 apple pies at the Mexican Federales is a coordinated US invasion of Mexico. Continue reading →

Cybergeddon: A Cyberwarfare Fable

There has been much discussion lately about “cyberwarfare”. This article “US Should go on Cyber Offensive” in the BBC represents the typical media slant on the issue… Continue reading →

Hacktivism: Offensive Computing and the Rise of the Political Hacker

As I am sure most have heard Sarah Palin’s yahoo account was recently hacked and the contents posted online.  There has been a lot of debate about the legality of such action (by both the hacker misguided youth – who couldn’t care less, although his father is probably pissed (here) – and by Palin for using a private email account for government business) neither are terribly interesting in the context of cyber security and from a political perspective it isn’t like Obama is immune to email hacking either (here). But again the mainstream media is missing the most important point – aside from the raucous cries of partisanship, which reverberate through every election, the reality is that malicious hackers may have a material impact on a US presidential election if not in 2008 then certainly within my lifetime.

The current state of cyber security is abysmal, the lack of confidence in the US political process has been strained and this election has played the social *ism cards, such as terrorism, racism, sexism, ageism, and lipstick on a pigism, more than any other in recent history. You know it is getting ugly when a Republican political strategist like Karl Rove states that the Republicans have “gone too far” (here), this is like Ted Bundy telling Joseph Francis, the creator of “Girls Gone Wild”, that he mistreats women.

The conditions are ripe for digital election manipulation in multiple forms, this is not to say that voter manipulation is new, nor is hactivism (here), what is new is the impact it may have on a US presidential election. So what has changed and why now?

1. Information integrity: First and foremost there has been a sea change in how information is shared, manipulated, and redirected. Traditional media is now facing extinction against a flood of new media outlets, from blogs to social media to social networking, information flow is fast and pervasive. The problem with an information rich environment is the quality of the information is dramatically reduced. In the frenzy to quickly post a story fact-checking may be haphazard, if done at all, and something may propagate from rumor on a blog to discussion on chat rooms to the front page of a global media’s online edition in a matter of hours. Imagine this “information” sharing during the critical moments of a campaign – it would have a material impact on when, how, and even if some citizens vote.

2. Counterfeit reality: Photoshop and similar technologies have dramatically expanded the ability for people to manipulate images, in many cases to the point that it becomes nearly impossible, without sophisticated methods, to determine the validity of such images. Just like in years past there has been no shortage of political Photoshop, for the most part these have been more for humorous purposes, but it wouldn’t be difficult to imagine counterfeit reality being used to demean a candidate, misrepresent a situation, or create an international incident (here)

3. Vote manipulation: The most significant  impact hackers may have on a political election is manipulation of the actual votes themselves. There have been many stories of security problems related to electronic voting machines and at the end of 2007 California Secretary of State, Debra Bowen, withdrew approval for multiple electronic voting machines citing significant security concerns (here). Although some may argue that the impact would be isolated since the theory is that these voting systems would only be deployed in an air-gap network, the reality is that electronic media is generally transferred, correlated and eventually archived and throughout this process additional attack vectors become available.

None of this is new; propaganda, voter fraud, data modification, counterfeit reality, and all manner of manipulation have been used for centuries, what has changed is that the electronic medium introduces levels of speed, pervasiveness and quality of fraudulent material that is very difficult to replicate in traditional mediums. I have no doubt that we will see a significant electronic “incident” occur during either this or an upcoming presidential election.

<update 9/19/2008: Although not terribly relevant, apparently Bill “Papa Bear” O’Reilly, the Fox News savior of the downtrodden and misaligned conservative right and Stephen Colbert inspiration, has been hacked for making disparaging comments about Palin being hacked (here) – ha!>

I Support Barack Obama for President

<political commentary below – if you are not interested stop reading>

I generally try to avoid discussing politics, religion or operating system preference, as these issues tend to drive highly charged emotions. For the most part this is a security industry blog, but it is also a representation of my thoughts and feelings, and after thinking through the options I feel like supporting Barack Obama for President (here)

Prior to the 2004 Democratic Convention I wasn’t familiar with Senator Obama, but I was captivated as he gave the Keynote. I remember turning to some friends and saying “that guy is going to be President one day”, honestly I barely remember who the Democrat’s were endorsing, but I will never forget Senator Obama’s speech.

Sitting on the sidelines and lamenting the loss of our freedoms, the loss of four-thousand dedicated men and women of the US military, watching the collapse of the housing industry, record oil prices, and a looming economic disaster is no longer an option. As citizens of the United States we have the ultimate  resposibility to do everything in our power to ensure the freedoms our founding fathers fought for, and every generation since has bled for, remain ours to pass on to our children.

This freedom starts with a voice, yours and mine. A single voice, a single vote combined with others to create the winds of change – regardless of your political beliefs, whether they be republican, democratic or somewhere in between, just remember that it is not only your right to vote, it is your responsibility.