  1. #1
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    99,040

    Federal Agencies Pursue Cybersecurity Common Ground


    NIST is working with defense and intelligence agencies to develop cybersecurity specifications that could be applied across government.

    By J. Nicholas Hoover
    InformationWeek
    August 24, 2009 02:39 PM

    The National Institute of Standards and Technology's recently released recommendations for cybersecurity are the first step in a plan to create a common security framework for civilian, military, and intelligence agencies.

    The 237-page final version of NIST's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," was released earlier this month. In parallel with that, NIST has been working with defense and intelligence agencies on certification and accreditation, enterprise-wide risk management, procedures to assess cybersecurity controls, and risk assessment. Documents addressing those areas are due over the next few months.


    NIST only has a mandate to create security standards for civilian federal agencies, but the intelligence and defense communities have been working with civilian agencies in recent years. In doing so, they're collaborating to create a common set of cybersecurity controls that, among other things, would provide a more consistent market for the industry.

    "This way we can work off a single playbook," says NIST senior computer scientist and information security researcher Ron Ross, who drives cybersecurity standards as the lead of NIST's Federal Information Security Management Act implementation project.

    Coordination among NIST and the intelligence and defense communities began three years ago when former Department of Defense CIO John Grimes and former Office of the Director of National Intelligence CIO Dale Meyerrose worked together on transforming the certification and accreditation processes for technology products.

    NIST got involved and suggested that the three constituencies broaden the scope of their work to include higher-level security controls. Prior to that, the Department of Defense, the federal intelligence community, and NIST were accustomed to developing their own security control recommendations.

    In pursuing common standards, Ross says, the government can create standard ways to share information and partner on IT projects, including cybersecurity. He sees standardization as a potential catalyst for developing new cybersecurity products and services for the government market, as vendors would be working from one set of requirements.

    The next document NIST will release with help from the intelligence and defense communities will be a revision of Special Publication 800-37, certification and accreditation guidelines published in 2004. A draft of that revision was published 12 months ago. The new document makes certification and accreditation of IT systems more of a continuous process than a one-time activity. Ross expects a final draft of 800-37 in September.

    After that, NIST will release what Ross calls a "capstone document" that defines and requires enterprise risk management at various levels within government agencies, including information systems. The document will require that agencies have an individual or board that carries out risk management. A draft of that document will likely be out by the end of the year.

    Despite the collaboration, there remains good reason for cybersecurity divergence among military, intelligence, and civilian agencies in some areas. The Department of Defense systems integral to military operations and national security might require a different level of physical security than civilian systems, while real-time intelligence traveling long distances over networks might require different encryption standards than Bureau of Land Management e-mail. In such areas, NIST will allow for differences in approach.


    http://www.informationweek.com/news/gov ... =219401209
    NO AMNESTY

    Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.


    Sign in and post comments here.

    Please support our fight against illegal immigration by joining ALIPAC's email alerts here https://eepurl.com/cktGTn

  2. #2
    Senior Member ReggieMay's Avatar
    Join Date
    Jan 2008
    Posts
    5,527
    Is this in preparation for giving Obama control over the internet?

    Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

    They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

    The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.


    http://news.cnet.com/8301-13578_3-10320096-38.html
    "A Nation of sheep will beget a government of Wolves" -Edward R. Murrow

    Join our efforts to Secure America's Borders and End Illegal Immigration by Joining ALIPAC's E-Mail Alerts network (CLICK HERE)

  3. #3
    Senior Member carolinamtnwoman's Avatar
    Join Date
    May 2007
    Location
    Asheville, Carolina del Norte
    Posts
    4,396
    Quote Originally Posted by ReggieMay
    Is this in preparation for giving Obama control over the internet?

    Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

    They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

    The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.


    http://news.cnet.com/8301-13578_3-10320096-38.html

    ReggieMay, following is the entire article you referenced. Thanks to you and JohnDoe2 for posting this info!


    Bill would give president emergency control of Internet

    August 28, 2009
    by Declan McCullagh
    CNET News

    Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

    They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

    The new version would allow the president to "declare a cybersecurity emergency"

  4. #4
    Senior Member carolinamtnwoman's Avatar
    Join Date
    May 2007
    Location
    Asheville, Carolina del Norte
    Posts
    4,396
    Related:


    "Emergency Control" of the Internet


    by Tom Burghardt
    August 30, 2009
    Antifascist Calling



    You have to hand it to congressional Democrats. Mendacious grifters whose national security agenda is virtually indistinguishable from Bushist Republicans, when it comes to rearranging proverbial deck chairs on the Titanic, the party of "change" is second to none in the "all terrorism all the time" department.

    While promising to restore the "rule of law," "protect civil liberties" while "keeping America safe," in practice, congressional Democrats like well-coiffed Republican clones across the aisle, are crafting legislation that would do Dick Cheney proud!

    As the Cybersecurity Act of 2009 (S.773) wends its way through Congress, civil liberties' advocates are decrying provisions that would hand the President unlimited power to disconnect private-sector computers from the internet.

    CNET reported August 28, that the latest iteration of the bill "would allow the president to 'declare a cybersecurity emergency' relating to 'non-governmental' computer networks and do what's necessary to respond to the threat."

    Drafted by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME), "best friends forever" of the National Security Agency (NSA) and the telecommunications industry, they were key enablers of Bush-era warrantless wiretapping and privacy-killing data mining programs that continue apace under Obama.

    As The New York Times revealed in June, a former NSA analyst described a secret database "code-named Pinwale, that archived foreign and domestic e-mail messages." The former analyst "described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans' e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation."

    Antifascist Calling has noted on more than one occasion, that with "cyberterrorism" morphing into al-Qaeda 2.0, administration policies designed to increase the scope of national security state surveillance of private communications will soon eclipse the intrusiveness of Bushist programs.

    As Cindy Cohn, the Legal Director of the Electronic Frontier Foundation (EFF) wrote earlier this month, commenting on this summer's public relations blitz by former NSA boss Michael Hayden and Office of Legal Counsel torture-enabler John Yoo's defense of the so-called Presidential Surveillance Program,

    While the details are unknown, credible evidence indicates that billions of everyday communications of ordinary Americans are swept up by government computers and run through a process that includes both data-mining and review of content, to try to figure out whether any of us were involved in illegal or terrorist-related activity. That means that even the most personal and private of our electronic communications--between doctors and patients, between husbands and wives, or between children and parents--are subject to review by computer algorithms programmed by government bureaucrats or by the bureaucrats themselves. (Cindy Cohn, "Lawless Surveillance, Warrantless Rationales," American Constitution Society, August 17, 2009)

    Both Rockefeller and Snowe are representative of the state's "bipartisan consensus" when it comes to increasing the power of the intelligence and security apparatus and were instrumental in ramming through retroactive immunity for telecoms who illegally spy on the American people. If last year's "debate" over the grotesque FISA Amendments Act (FAA) is an indication of how things will go after Congress' summer recess, despite hand-wringing by congressional "liberals," S.773 seems destined for passage. CNET revealed:

    When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said. (Declan McCullagh, "Bill Would Give President Emergency Control of Internet," CNET News, August 28, 2009)

    But as we witness practically on a daily basis, hysterical demands for "protection" from various "dark actors" inevitably invokes an aggressive response from militarized state security apparatchiks and their private partners.

    As Antifascist Calling reported in July (see: "Behind the Cyberattacks on America and South Korea. 'Rogue' Hacker, Black Op or Both?"), when North Korea was accused of launching a widespread computer attack on U.S. government, South Korean and financial web sites, right-wing terrorism and security specialists perched at Stratfor and the American Enterprise Institute (AEI)--without a shred of evidence--linked the cyber blitz to a flurry of missile tests and the underground detonation of a nuclear device by North Korea.

    Adding to the noise, Rep. Peter Hoekstra (R-MI), the ranking Republican on the House Intelligence Committee went so far as to urge President Obama to respond--by launching a cyberattack against the bankrupt Stalinist regime.

    Despite provocative rhetoric and false charges that might have led to war with disastrous consequences for the people of East Asia, as it turned out an unknown sociopath used an updated version of the MyDoom e-mail worm to deploy a botnet in the attack. As Computerworld reported, the botnet "does not use typical antivirus evasion techniques and does not appear to have been written by a professional malware writer." Hardly a clarion call for bombing Dear Leader and countless thousands of Koreans to smithereens!

    In this context, the Cybersecurity Act of 2009 goes much further than protecting "critical infrastructure" from over-hyped cyberattacks.

    Among other measures, Section 18, "Cybersecurity Responsibilities and Authority," hands the Executive Branch, specifically The President, the power to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." This does not simply apply to federal networks, but may very well extend to the private communications ("critical infrastructure information system or network") of citizens who might organize against some egregious act by the state, say a nuclear strike against a nation deemed responsible for launching a cyberattack against the United States, as suggested in May by the head of U.S. Strategic Command (STRATCOM) General Kevin Chilton.

    As I reported in June (see: "Cyber Command Launched. U.S. Strategic Command to Oversee Offensive Military Operations"), the military's newly-launched U.S. Cyber Command (CYBERCOM) is a "subordinate unified command" overseen by STRATCOM. Would "message force multipliers" embedded in the media or Pentagon public diplomacy specialists carrying out psychological operations (PSYOPS) here in the heimat, become the sole conduit for critical news and information during said "national emergency"?

    Additionally, under Section 18's authority The President "shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2)." What agency might Senator Rockefeller have in mind for "coordinating the response"? As Antifascist Calling revealed in April (see: "Pentagon's Cyber Command to Be Based at NSA's Fort Meade"), CYBERCOM will be based at NSA headquarters and led by Lt. General Keith Alexander, the current NSA director who will oversee Pentagon efforts to coordinate both defensive and offensive cyber operations.

    How might an out-of-control Executive Branch seize the initiative during an alleged "national emergency"? Paragraph 6 spells this out in no uncertain terms: "The President may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security."

    The draconian bill has drawn a sharp rebuke from both civil libertarians and the telecommunications industry. Larry Clinton, the president of the Internet Security Alliance (ISA) told CNET: "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."

    And Wayne Crews, the director of technology studies at the rightist Competitive Enterprise Institute (CEI) told Federal Computer Week: "From American telecommunications to the power grid, virtually anything networked to some other computer is potentially fair game to [President Barack] Obama to exercise 'emergency powers'."

    True enough as far as it goes, these "free market" cheerleaders are extremely solicitous however, when it comes to government defense and security contracts that benefit their clients; so long as the public is spared the burden of exercising effective control as cold cash greases the sweaty palm of the market's "invisible hand"!

    As Antifascist Calling revealed in June (see: "Obama's Cybersecurity Plan: Bring on the Contractors!"), the ISA is no ordinary lobby shop. According to a self-promotional blurb on their web site, ISA "was created to provide a forum for information sharing" and "represents corporate security interests before legislators and regulators."

    Amongst ISA sponsors one finds AIG (yes, that AIG!) Verizon, Raytheon, VeriSign, the National Association of Manufacturers, Nortel, Northrop Grumman, Tata, and Mellon. State partners include the U.S. Department of Homeland Security, Congress, and the Department of Commerce.

    Indeed ISA and CEI, are firm believers in the mantra that "the diversity of the internet places its security inescapably in the hands of the private sector," and that "regulation for consumer protection" that rely on "government mandates" to "address cyber infrastructure issues" will be "ineffective and counter-productive both from a national security and economic perspective." CEI and ISA's solution? Let's have another gulp of that tasty "market incentives" kool-aid!

    In other words, hand over the cash in the form of taxpayer largess and we'll happily (and profitably!) continue to violate the rights of the American people by monitoring their Internet communications and surveilling their every move through nifty apps hardwired into wireless devices as the Electronic Frontier Foundation revealed in a new report on locational privacy.

    Unfortunately, Clinton, Crews and their well-heeled partners seem to have forgotten an elementary lesson of history: a national security state such as ours will invariably unwind its tentacles into every corner of life unless challenged by a countervailing force--a pissed-off, mobilized citizenry.

    Now that national security "change" chickens are coming home to roost, both CEI and ISA seem incredulous: you mean us? How's that for irony!

    Lee Tien, a senior staff attorney with EFF told CNET that changes to the original version of the bill do not address pressing privacy concerns.

    Tien told the publication: "The language has changed but it doesn't contain any real additional limits. It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."

    McCullagh avers: "Translation: If your company is deemed 'critical,' a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network."

    And there you have it, a "cybersecurity" blacklist to accompany a potential state takeover of the Internet during a "national emergency." What will they think of next!

    Global Research
    http://www.globalresearch.ca/index.php? ... &aid=14964

  5. #5
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    99,040
    Quote Originally Posted by carolinamtnwoman


    ReggieMay, following is the entire article you referenced. Thanks to you and JohnDoe2 for posting this info!
    You're welcome. I like finding info that the MSM isn't covering much and helping to get it out there.

  6. #6
    Senior Member carolinamtnwoman's Avatar
    Join Date
    May 2007
    Location
    Asheville, Carolina del Norte
    Posts
    4,396
    Remember, it was Jay Rockefeller who questioned whether the internet should ever have been invented.

    Video:

    http://www.youtube.com/watch?v=i8PCmLPPVnA
