Live Feed
Good stuff so far…anyone actually think it will change anything?
There was a review of the federal government's abilities by the National Security Council and Homeland Security Council. They also are to provide recommendation to the President.
…
The "digital infrastructure" will be treated as an asset.
…
Creating a new office here at the White House that will be led by the Cybersecurity Coordinator. Will be a member of the National Security Staff as well as the staff of my National Economic Council
…
Responsible for orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of a major cyber incident or attack, coordinating our response.
…
state and local governments and the private sector – to ensure an organized and unified response to future cyber incidents
…
strengthen the public/private partnerships that are critical to this endeavor
…
So a new world awaits…
So cyber infrastructure reports directly to the President?
What about power, water, sewer, pharma, transportation, etc. infrastructures?
How can the relationship and readiness be accomplished without regulations?
How much will this cost initially, and what is the recurring cost?
What are the metrics?
Who will oversee & supervise this besides the President?
(Of course, as most of us in this industry I am paranoid as occupational hazard.)
p.s. can read
From the transcript
… we will be open and transparent …
He keeps sayin' this but I'm not seeing it.
My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.
I'll believe it when I see it (or don't 😉). I can't imagine many companies that have extremely confidential information wanting to work with the Federal Government. I mean, who would? All I've seen in recent years is new Federal agencies that restrict and violate freedoms and interfere in people's personal lives.
Let me also be clear about what we will not do. Our pursuit of cybersecurity will not – I repeat, will not include – monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be – open and free.
How come I just have to hang my head? Since when in the last few years or more has the Federal Government protected civil liberties? Every time he says crap like this my mind immediately goes back to the FISA 2008 Amendments Act where he said he would go so far as to filibuster but when it came time to vote, he voted for it.
This new federal agency is just a waste of time and money and will violate everyone's rights eventually. I don't trust a single thing in that speech or a single thing the federal government does, to be honest.
My perspective on this
I recently investigated a case of identity theft. The investigation led me to a computer located in Europe which belonged to a student at a University. In reviewing TCP/IP traffic logs, I discovered that this computer was actually being remotely controlled by a computer located, elsewhere, in Europe.
The logs also indicated that the first computer was a participant in a BOTNET involving thousands of computers in Europe, Asia and the US.
Most of those in the US who were affected were home subscribers to DSL or other Internet services. There was strong evidence to suggest that the second, controlling, computer was actually being controlled by another computer located in the US.
As the PII theft was a Federal crime, the Federal authorities were contacted.
Wanna guess how much interest they had in the apparent BOTNET and the affected users? About as much interest as the Pope has in ordaining married men. I could not get anyone to take an interest in trying to track down the source of the traffic and, due to US laws, there was almost nothing I could do even with civil subpoenas. Further, current law requires ISPs to log traffic for no more than 90 days. Which means that even if I was able to get the cooperation of the ISPs, the trail is probably cold.
I have to say, quite honestly, that if we think that we're doing anything to mitigate these threats we're kidding ourselves. It may even be harder in EU countries which have even more stringent electronic privacy laws than the US. Furthermore, the US lacks treaties with many of the countries which either originate or serve as middlemen in these transactions.
I'm not a "the sky is falling" kinda guy, but the data I had was clearly concerning. Further, it amazed me that the ISPs are not doing more to filter out this traffic as there are distinct patterns of activity that are easily spotted from 20,000 ft if you are looking for it.
I am also big on civil liberties and don't believe that such investigations necessarily require the invasion of the privacy of a large number of our citizenry since the address/port/#packets is frequently all that you need to spot suspicious activity.
I consider what we are NOT doing as being negligence and that what we don't do, we don't do to our own peril.
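The kind of metadata-only check described above (address, port and packet counts, no payload), as an added example that is not part of the original post: the flow records and the blocklist below are constructed sample data, and the "fan-in" heuristic (many internal hosts checking in with one destination using similarly sized flows) is an assumption about what a bot check-in pattern looks like, not a claim from the poster.

```python
from collections import defaultdict

# Constructed sample of flow records: (src, dst, dport, packets).
# No payload is kept, mirroring the point that address/port/packet
# counts are frequently enough to spot suspicious activity.
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 6667, 40),
    ("10.0.0.7", "203.0.113.9", 6667, 38),
    ("10.0.0.9", "203.0.113.9", 6667, 41),
    ("10.0.0.11", "203.0.113.9", 6667, 39),
    ("10.0.0.5", "198.51.100.20", 443, 900),
    ("10.0.0.7", "192.0.2.77", 80, 120),
    ("10.0.0.3", "198.51.100.44", 25, 15),
]

# Constructed blocklist standing in for a daily feed of known malware hosts.
BLOCKLIST = {"192.0.2.77"}


def blocklist_hits(flows, blocklist):
    """Return the flows whose destination address is on the blocklist."""
    return [f for f in flows if f[1] in blocklist]


def fan_in_controllers(flows, min_clients=3, max_spread=0.25):
    """Find (dst, dport) pairs contacted by at least min_clients distinct
    internal hosts with similar packet counts.  Many hosts sending flows of
    nearly the same size to one endpoint is the assumed check-in pattern of
    bots reporting to a controller; returns {(dst, dport): [sorted srcs]}."""
    clients = defaultdict(set)
    pkts = defaultdict(list)
    for src, dst, dport, n in flows:
        clients[(dst, dport)].add(src)
        pkts[(dst, dport)].append(n)
    suspects = {}
    for key, srcs in clients.items():
        if len(srcs) < min_clients:
            continue
        counts = pkts[key]
        # Spread of flow sizes relative to the largest; small means uniform.
        if max(counts) - min(counts) <= max_spread * max(counts):
            suspects[key] = sorted(srcs)
    return suspects


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(FLOWS, BLOCKLIST))
    print("fan-in controllers:", fan_in_controllers(FLOWS))
```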
seanmcl, are you saying that the US Federal Government needs to take control of cybercrime, at least within the US ?
I'm saying that the Federal Government needs to be proactive, not reactive, to cybercrime. This does not mean that the Feds need to monitor private transactions. But we have to stop waiting for something to happen in order to fix the problem.
I know people who have received as many as five letters from different financial institutions offering them credit protection due to a breach of PII. I, myself, was a victim of one of these (ironically, one that I was investigating).
There needs to be a coordinated effort, spurred on by the government with significant cooperation from the private sector, to stem these threats. This includes closer monitoring of credit card transactions by credit card companies, a more proactive stance on the part of ISPs to require that subscribers update their antimalware software and to monitor for patterns of suspicious activity, the use of blacklists by Tier 1 providers, etc.
For example, look at the history of Operation Avalanche and Landslide. 35,000 US names were in their database of subscribers but there were only 144 prosecutions for CP. Some of the remaining were not involved in CP but many others were victims of credit card fraud. Now someone tell me that the credit card companies can't look for unusual patterns of activity, never before seen sites, etc., to detect suspicious transactions?
Look at
http//
Each day this site is updated with the names/IPs of known malware sites, many of whom were part of the former Russian Business Network. Now why can't data like this be used by the ISPs to dynamically block traffic to/from these sites?
We have standards for cars in the US that apply to foreign-made vehicles. Why can't we have standards for foreign ISPs? Many overseas ISPs are actually owned by governments or operate with government oversight. So tell the Ukraine that unless their ISPs start to behave, we're gonna block their networks from trafficking to ours.
Many businesses have standard practices which include requiring that all systems have antimalware installed and using white lists and black lists to determine what IPs, hosts, ports, etc., can be accessed. Many businesses use proactive technologies such as Websense to monitor activity, requiring the latest hotfixes for all systems and using firewalls. Why can't ISPs do the same thing?
It is not difficult to embed a small applet in an OS which would allow a network provider to determine the OS, patch level and software installed. If such an applet or the OS was slightly modified to provide only key security data (not personal information), ISPs could implement a procedure by which systems deemed to be insecure have limited access until they are patched.
I'm not saying that this can be done overnight. But we have to think about the bigger picture. The Internet is not a right any more than our system of highways implies that we have the right to drive on them. We need to meet certain standards as drivers (and, in many states, vehicles must be inspected) before we are allowed on the road.
The ISP that I use for my online financial transactions services hundreds of thousands if not millions of customers. Is it unreasonable for me to require that they take reasonable steps to ensure that this network is secure?
But, currently, they do no more than what they are required to do (although some ISPs do provide antimalware software) and, IMHO, that is not enough. The current limit of 90 days on retention of traffic data, for example, is too small. A reasonable investigation can take more than 90 days to swing into full gear and by that time, it is too late.
In my investigation, I was very lucky that the university hosting the suspect computer actually had network monitoring data and was willing to let me analyse it. But I soon realized that there were no good resources out there by which I could compare my data to other known data regarding BOTNETs. There needs to be some type of clearing house, perhaps via an academic/private/public partnership, whereby such data can be analysed in the context of known network activity to determine if it is indicative of a known or new attack.
I realize that I am on a soapbox here, but the simple fact is that we are doing way too little to identify and contain threats, and the problem is only going to get worse.
My suspicion is that these "isolated" incidents of DNS hijackings, massive PII breaches, Conficker worm deployments, etc., are simply dry runs for what will be a larger, more coordinated and potentially much more destructive disruption of the network than what we have ever seen. I just hope that we are ready when it does happen, but in my experience, we aren't.