“We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are heard and acted on,” Susan Grant, Director of Consumer Protection at Consumer Federation of America, adds:

In an unusual move, the White House convened a press conference at 4:30 p.m. Eastern on Wednesday to announce the details, imposing an embargo – which all media outlets accepted without question – to midnight. Here are the seven rights:

• Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Watering down

Simpson

“The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have intheir inevitable attempt to water down the rules that are implemented and render them essentially meaningless,” says John Simpson, spokesman for Consumer Watchdog. ” I am skeptical about the ‘multi-stakeholder process’, but am willing to make a good faith effort to try it.

Simpson and others remain concerned about the Commerce Department’s role in shaping consumer privacy protections. ” Commerce’s job — quite correctly — is to promote the interests of business, not protect consumers,” he says. “If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.”

As proposed by the White House, the bill of recognizes the need to for heightened protections for children and teens on the Internet.

“If we want to ensure that the Internet economy continues to be strong and vital, consumers need to be able to trust that the information collected about them will not be misused. This announcement sets the stage for that to begin to happen,” says Ellen Bloom, Senior Director of Federal Policy for Consumers Union, the policy and advocacy arm of Consumer Reports.

Power moves

The next steps will entail Washington D.C.-style power brokering, says Jeffrey Chester, executive director of the Center for Digital Democracy.

Chester

“The new framework largely depends on the development of voluntary codes of conduct, to be negotiated between consumer groups and companies like Google, Facebook, Microsoft, Yahoo and others, Chester says. “Consumers groups will engage in these negotiations in good faith. But we cannot accept any ‘deal’ that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain.”

Another part of the White House privacy framework calls for the Digital Advertising Alliance to add to its efforts to self-police its members by improving  an existing Do Not Track mechanism many of its members already make available to consumers.

” The plan by the DAA to add Do-Not-Track to its self-regulatory system could derail a promising privacy effort by the Worldwide Web Consortium standards group (W3C) that is being designed to give consumers greater control over data collection,” contends Chester. “The new DAA scheme will enable companies to continue to collect profiling data on users, and merely prevent the delivery of targeted ads. DAA members are terrified about the development of a DNT system with teeth, which would stop so much data collection, profiling and tracking.”

California cracks down

On a parallel track, the Associated Press reports that  California is cracking down on invasive mobile apps.

California Attorney General Kamala Harris is calling for the tech giants vying in the mobile space — Apple, Google, Microsoft, Amazon Research In Motion and Hewlett-Packard  — as well as thousands of mobile app developers to give people advance warning before extracting and storing sensitive information from smartphones and tablet PCs.

Harris began discussing the need for better privacy protections with six powerful companies that have shaped the mobile computing market, spawning nearly 1 million applications over the past four years, the AP reports.

“We are assuming everyone is going to cooperate in good faith and not get cute,” Harris told AP reporter Mike Liedtke.

Harris , a Democrat, is taking her stand out west, at the same time fellow Californian, Mary Kay Bono, a Republican Congresswoman, and several other Republican lawmakers are clamoring for more details about Google and Facebook conduct online tracking. The tech giants put themselves in the spotlight by recently announcing new initiatives to extend how they index and cross-reference data about what consumer do on their PCs and mobile devices.

Google has begun rolling out a new user privacy policy that will make it easier for the search giant to correlate information about anyone who uses multiple Google services, such as Google search, plus Gmail, Google Apps, YouTube, Picasa or Google+.  Facebook is rolling out a new user interface — Timeline — that makes it easier to search and digest chronologically-assembled data about a person. Each is trying to out do each other in a race to sell more online advertising. Each insists  they  provide consumers with ample choice and control over such tracking data.

The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights’’ as the linchpin for a drive to get Congress to pass new laws protecting consumers privacy as they surf the Internet.

The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general from 35 other states sent a letter to Google complaining about a new privacy policy which will give the search giant greater latitude to track people using computers and mobile devices, with no way to opt out of being tracked.

One of the seven privacy rights, unveiled at a press conference by Commerce Secretary John Bryson guarantees consumers the “right to exercise control over what personal data organizations collect from them and how they use it.”

The Commerce Department will now commence a series of meetings inviting privacy advocates, consumer groups and key players in the tech and online advertising industries to hash out “enforceable privacy policies,” Bryson said.

In a statement, President Obama said, “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online. As the Internet evolves, consumer trust is essential for the continued growth of the digital economy. “

Meanwhile, the Digital Advertising Alliance an industry trade group, announced it has begun work on a more visible and effective Do Not Track mechanism to add to a self-policing system in effect for all of the consortium’s members. The Federal Trade Commission separately has backed a call for a Do Not Track system buttressed by new federal laws.

Daniel Weitzner, the White House deputy chief technical officer, said the Obama Administration’s goal is to get Congress to draft and pass new privacy laws using the privacy bill of rights as a framework.

“We now have a much more focused blueprint” Weitzner said. “We’ll use our bully pulpit to get legislation passed based on these principals.”

The push comes as Google, Facebook and Apple have come under fire from some members of Congress and the FTC for tracking consumers as they use their PCs and mobile devices on the Internet, often without asking permission.

The Attorney Generals are seeking a delay is implementation of Google’s new privacy policy — which is set to take full effect  on March 1. The AGs now join several members of Congress and numerous privacy advocates and consumer group in protesting the fact that anyone who uses multiple Google services can not opt out of the new policy, which makes it easier for Google to cross reference activities across its most popular services, including search, Gmail, Google Apps, YouTube, Picasa and Google+.

The Obama administration recognizes that “we need to make meaningful changes to preserve consumer trust and confidence,” says Craig Spiezle, executive director of the non-profit Online Trust Association. “At the same time, we need to preserve innovation. Balancing the two is a challenge.”

Getting a divided Congress to pass any hard-edged privacy legislation is another challenge.

“The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,” says John Simpson, spokesman for Consumer Watchdog. ” I am skeptical about the ‘multi-stakeholder process’, but am willing to make a good faith effort to try it.

Simpson and others remain concerned about the Commerce Department’s role in shaping consumer privacy protections. ” Commerce’s job — quite correctly — is to promote the interests of business, not protect consumers,” he says. “If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.”

Langevin

A spokesman for Rep. Jim Langevin, D-R.I., has just contacted LastWatchdog to point out that Langevin’s cybersecurity bill, which is the major comprehensive one in the House, is not exactly the same as the White House proposal.

The major difference is that Langevin’s bill calls for a  National Office for Cyberspace with the Office of the President to oversee the security of agency information systems and infrastructure. While the Langevin bill entrusts the Department of Homeland Security with a  significant role, this is a bit different than the White House and Senate versions, which basically center everything in DHS.

Here is a  summary of Langevin’s proposed cybersecurity  legislation, much of which passed the House last year and was held up because the Senate was planning to cover even more ground in its own bill, but that never got done:

Executive Cyberspace Coordination Act of 2011, sponsored by Rep. Jim Langevin, D-Rhode Island

Background

In 2011, the CSIS Commission on Cybersecurity for the 44th Presidency released their second report with recommendations to increase the Federal government’s ability to protect itself and the American public from increasing cyber threats. Similar to the first report released in 2008, the second edition continues to recommend that the White House take a leadership role and direct national strategy for cyberspace; the public sector enlist the help of the private sector in providing better quality software; and the American public be better engaged in what was previously a private discussion about the digital threats that could disrupt their everyday lives. The second report notes that after two years, the only significant progress has been the extent to which the American public is discovering the profound effects of the internet on their daily lives, and the importance of government efforts to ensure the safety of our networks.

Many in both the government and private sector are frustrated with the pace of progress in cybersecurity. Analysts and senior officials in Washington talk about a “cyber 9/11″ scenario, reflecting a belief that as a nation, we will be unable or unwilling to take any meaningful action on cybersecurity until after a catastrophic event. The Executive Cyberspace Coordination Act of 2011 will update our nation’s federal cyber policy and bring strong cyber protections to our nation’s power grid and other critical infrastructure.

National Office for Cyberspace

The bill establishes a National Office for Cyberspace (NOC) within the Executive Office of the President to coordinate and oversee the security of agency information systems and infrastructure. This office will have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies will be responsible for reporting on their information security threats, practices and history to the NOC before submission of their budgets to OMB. The Director of the NOC would be appointed by the President, subject to Senate confirmation, and will also have a seat on the National Security Council. This will allow the Director to review agency information security budgets and make recommendations back to the Agencies as well as the President.

Increased coordination for Departments of Defense and Homeland Security

Recognizing the need for closer cooperation between the Departments of Defense and Homeland Security, the bill brings both agency partners to the table to better coordinate their resources but under the appropriate authority of the Office of the President.

Closing Gaps in Authority to Protect Critical Infrastructure

Homeland Security Presidential Directive-7 provides authority to the Secretary of Homeland Security to coordinate the protection of critical infrastructure. This bill clarifies this authority to include the creation, verification, and enforcement of measures with respect to the protection of the information systems that control critical infrastructure. This does not give DHS control over private systems, but it allows them to establish risk-informed security practices and standards for critical infrastructure.

Secure Federal Acquisition Policies

The bill requires the development of secure acquisition policies to be used in the procurement of information technology products and services, including a vulnerability assessment for any major system and its significant items of supply prior to development.

Establishing Cyber Challenge Programs for Students

Given the great deficiency of advanced cybersecurity capabilities in today’s workforce, it is imperative that the government support educational programs designed to engage students in the skill sets that they will need to keep our country competitive and safe online into the future.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.

Agency Annual Independent Audit

The bill requires agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA requirements. Audits would also be required of contractors responsible for managing agency systems or programs on their behalf.

Agency Automated and Continuous Monitoring

This legislation sets forth requirements for agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency’s information technology assets. These activities are intended to move agencies away from current manually intensive, compliance focused, periodic assessments.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.

The recent rash of disclosures about cyberspying — aimed at undermining the United States — comes as the White House is making its third attempt to push through a historic federal cybersecurity law.

The timing is no coincidence, some cybersecurity analysts say. After two previous bills went nowhere, the White House needs to garner public support for a new law that could equip America for cyberwarfare.

UPDATE -Click here: DHS has slightly reduced role in Langevin bill vs. White House and Senate versions

Adams

“The best way to do that is to get folks worried that we’re under attack from some foreign state like China or North Korea,” says Ed Adams, CEO of Security Innovation, which integrates security systems for government agencies. “Most people don’t realize how much of this is premeditated.”

Recent disclosures of cyberattacks against the International Monetary Fund, Google and several defense contractors coincided with an unprecedented pronouncement last week by CIA Director Leon Panetta, who warned a U.S. Senate panel that the U.S. needs to take “defensive measures as well as aggressive measures” to win at cyberwarfare.

The bill is gaining bipartisan support in Congress. It would establish a framework for distributing billions of dollars for new cybersecurity systems, while placing responsibility for securing cyberspace with the Department of Homeland Security.

Langevin

In an op-ed piece Tuesday in The Hill, Rep. Jim Langevin, D-R.I., the bill’s chief sponsor, underscored the need to engage Americans “in a continuous dialogue about threats we face and steps taken to protect them.”

In that vein, the FBI will help investigate what’s believed to be the theft of e-mails and other documents related to the IMF’s role in stabilizing currency exchange rates and keeping global trade in balance.

“This is part of a wave of economic espionage putting additional pressure on the U.S. economy,” says Alan Paller, research director at SANS Institute, a cybersecurity think tank.

Mike Baker, president and co-founder of consultancy Diligence, agrees that the threats are palpable. The data thieves’  agenda could involve terrorists or military goals, such as disrupting critical  infrastructure, or economic cheating to influence currency exchange rates.

“At the end of the day if I’ve got more information than you, then I’m going to win — however I define winning,” says Baker.

The recent breach disclosures, which include losses of strategically important data at EMC’s RSA security division, Lockheed Martin, L-3 Communications and Northrop Grumman,  help provide  supporting evidence for the importance of a strong cybersecurity bill, says Harry Sverdlove, chief technology officer at security firm Bit9.

Sverdlove

“One of the provisions of the cybersecurity bill proposed by the White House is a federal data breach notification statute. Almost every state already has its own data breach notification law, but in today’s global economy, having a consistent set of guidelines that can be enforced across the nation is essential,” says Sverdlove.

Google recently voluntarily revealed that hackers pilfered information from the Gmail accounts of hundreds of high-profile individuals, including U.S. government officials. “The dialogue around cybersecurity has definitely become politicized and militarized,” says Dave Jevans, chairman of IronKey, which secures data and online access.

By pinpointing Jinan, China, as the origination point of the Gmail hack, Google “elevated the awareness of the enemy,” says  Sverdlove. “That could influence both the cybersecurity bill … (and) the rules of engagement for cyberwarfare being debated by the Pentagon,” says Sverdlove.

Sverdlove, for one, isn’t convinced that the traditionally tight-lipped  IMF was manipulated into making its disclosure to support the push for a new U.S. cybersecurity law.  Says Sverdlove:

When Google announced that the Gmail accounts of specific and highly influential individuals had been hacked, I speculated that the timing was designed to influence public policy. Google made their disclosure in the midst of news on the recent breaches at defense contractors Lockheed Martin, L-3 Communications, and Northrop Grumman. In that case, while the cyber attacks on the defense contractors were described as sophisticated and, at least in the Lockheed Martin case, related to the data breach at RSA months earlier, no one was publicly identifying the source of the attacks.

In the IMF case, however, I don’t believe an international organization within the United Nations has such overt and nation specific motives. More likely, assuming the timing was a conscious decision, the disclosure was more about hiding amidst the noise; there have been so many high profile attacks recently that, while this one might be the most frightening from a global impact perspective, it also just becomes one in a long list of recent breaches (RSA, Lockheed Martin, Citigroup, Sony, PBS, Gmail, …).

SEATTLE — Stop. Think. Connect.

That’s what a high-powered coalition of federal agencies, tech companies, retailers and non-profit groups want you to do every time you use the Internet.

Today, the group launched a milestone public awareness campaign. The goal: to engrain “stop-think-connect” as deeply into culture as the seatbelt reminder “click-it-or-ticket” and Smokey Bear’s quote, “Only you can prevent forest fires.”

“Cybersecurity is a shared responsibility for all of us,” says Joe Sullivan, Facebook’s chief security officer. “People will have a better experience on the Internet if they do some basic things.”

The campaign stems directly from President Obama’s May 2009 pronouncement that the U.S. will assume a leadership role in making the Internet safer.

Overseen by the Department of Homeland Security, the coalition includes Microsoft, Facebook, Google, Intel, AT&T, Visa, PayPal, Wal-Mart, Costco, the Department of Justice and the IRS among its 28 founding members.

For the common good

Kaiser

The members understand that each of their respective organizations stands to benefit from a unified effort to advance public awareness about Internet threats, says Michael Kaiser, executive director of the non-profit National Cyber Security Alliance. Each will incorporate the stop-think-connect slogan and theme into existing and new public education initiatives.

Facebook, for instance, is preparing a seven-question quiz, which it will make available sometime this month on its security issues page and home page. It will also donate 35 million ad impressions to promote the quiz, which espouses best practices for passwords and browser use.

This is all intended to slow down cybercriminals, who are having a field day. One estimate puts identity theft losses, much of it due to online scams, at $4.5 billion in the past two years, making it the fastest-growing crime in America, says Kaiser.

Online safety has yet to be elevated to a major public safety issue, akin to the way society views drunk driving, forest fires and seat belt usage, he says.

The coalition selected “stop-think-connect” after a year-long process of research, focus groups, polling and government-industry collaboration. That research confirmed that most folks view cybersecurity as a personal responsibility and that any public safety message must address the individual. The founding members voted to go with a message that could be used globally to effect a “big cultural change,” says Kaiser.

The group strove to “simplify the messaging and speak in one voice,” says Facebook’s Sullivan. “If we’re using the same terminology, it’s going to make the whole process much more effective.”

Apple conspicuously absent

One absence at launch: Apple, which has risen to become one the world’s most highly valued companies, measured by its stock price, on the strength of Internet-connected products such as the iPhone and iPad.

Company spokeswoman Natalie Kerris declined comment.

However, the door remains wide open for Apple and others to join the coalition, says Kaiser.

“It takes a group of leaders to start a movement,” says Kaiser. “I’m optimistic others will join the effort. We’re trying to solve the problem for the benefit of all concerned, not just for the benefit of any individual company.”

By Byron Acohido

Students grades 5 through 8 can compete for a cash prizes, as well tech gear from AMD and Microsoft.  Another competition is geared for college-age contestants; a top cash prize of $25,000 awaits the creator of the top technology with “high potential to reach underserved communities, such as games built for basic mobile phones that address urgent educational needs among at-risk youth.

This is another piece of the puzzle that should help shape a new generation of cybersecurity professionals highly trained and motivated to defend the Internet. This program joins the ongoing Collegiate Cyber Defense Competition and The University of Maryland University College  first-of-its kind cybersecurity bachelor’s and master’s academic  degree program that’s just getting underway this month.

LastWatchdog caught up with Allyson Peerman, corporate vice president of AMD Public Affairs and president of the AMD Foundation, just after the President announced the competition.

LW: So the concept here is to boost the cool factor of the sciences?

Peerman: The concept is to make learning about science and math more appealing for students, and a very effective way to get kids excited is through video game development. If kids think the contest is cool, that’s an added bonus.

LW: At the end of the day, how will you measure if these contests are a success?

Peerman: I think the success of this contest will be measured by whether we excite kids about learning math and science. Long term, if some of the contestants opt to pursue higher education and careers in math, science and engineering, then that’s an even bigger win.

LW: The U.S. leads the world in, well, chip technology, among other things. Yet we lag in teaching the basic sciences to our youngsters. How do you explain that?

Peerman: Young people are craving relevance in their math and science education, and I think we need to find ways to do a better job of providing that relevance. Some of the best in-school and out-of-school programs are helping kids make that connection and helping make it fun. That’s one of the reasons AMD Changing the Game has been so effective; the programs we’ve supported and enabled are making math and science relevant and fun for kids. It’s all about meeting young people where they are and inserting the learning on their own turf; in this case it’s through video games.

LW: Do most CEOs of the top tech companies get that this is important?

Peerman: Absolutely. Tech industry CEOs know better than anyone how important it is to have a workforce that’s deeply steeped in math and science education. At AMD, for example, our success as a company directly depends on the strength of our engineering talent pool. AMD’s primary co-sponsors for the National STEM Video Game Challenge are both tech companies, as well. And if you look at the roster of 100 member companies that joined Change the Equation, the tech industry is very well represented.

LW: How important has it been to have the President get out in front of this?

Peerman: It’s hugely important for the President to set the tone and raise the conversation to a level where it’s getting a lot of focus. People have been talking about improving STEM education in the United States for years, but we need concerted, cooperative efforts by enterprise, non-profits and public entities to move the needle. This is a national priority, it’s a priority for corporations and it’s a priority for students.

By Byron Acohido

By Patricia Titus

The 2009 proposed bill, introduced by Sen. John Rockefeller (D-W. Va.) and Sen. Olympia Snowe (R-Maine), clearly called for a Presidential internet kill switch and spawned visuals of President Obama sitting in the Oval Office with his hand hovering over an “easy button.”

Several industry groups spent countless hours debating the language of that earlier bill and its implications, offering guidance to the members and staffers writing the legislation. In response to this, Sen. Joseph Lieberman (ID-CT) softened the language in his bill and added good clarifying terms. In my estimation, there is currently no language that would suggest an “internet kill switch” is being placed in the hands of the President. Rather the language allows decision making within the executive branch to protect our national interests and critical infrastructure, and achieve this through consensus.

The Lieberman bill highlights the need for a public/private partnership to help set policy to define what constitutes a cyber attack. This is where many of us are skeptical. For years we’ve been hearing the term “public/private partnership” or “P-cubed.” We’ve already seen several examples of failed P-cubed. Without this critical governance partnership, the job of successfully negotiating these policies will surely fail. Lack of a cohesive plan could be catastrophic for the country. Imagine if a portion of critical infrastructure were taken off the internet, resulting in an interruption of international trade communications. Economic stability could be placed at risk, and the cascading effect could have far reaching implications for years to come.

Organizations that own our critical infrastructure must be held accountable to immediately determine which stakeholders from both the public and private sector need to participate in negotiations. Representatives from every relevant sector of government and industry should participate in comprehensive discussions to determine appropriate actions to be taken by the President and to provide guidance. Perhaps involvement from think tanks would add great value.

Also, we cannot allow the international community to be cut out of this discussion; there could be great implications for them as well.

As always, the devil is in the details. But without participation by both the government and the private sector, this legislation will surely fail. We currently have a surfeit of cyber security legislation, yet we seem to lack the ability to make much of it stick. With the pending recess and elections, it’s possible all this work will lead to nothing. Our country will remain at risk while our new legislators come up to speed.

Speaking at the award ceremony, Obama alluded to ESET as helping  to  strengthen ” public/private partnerships both cooperatively on the domestic as well as the international side.”

DHS handed out seven awards to organizations, business and one individual. This is all  part of DHS working toward crafting a comprehensive national cybersecurity plan, which it is slated to officially unveiled in October as a part of Cybersecurity Awareness Month.

Since 2008, ESET has been rallying San Diego-area  consumer advocates, business owners, law enforcement investigators, government regulators and elected officials to form partnerships to boost cybersecurity awareness and best practices.

“The journey to get to this point was beyond exciting,” says ESET’s Liz Fraumann, Director of Cybersecurity Awareness & Education. “With 200 stakeholders representing all segments of the greater San Diego community we are well on our way to achieving our mission of ‘making San Diego a place where we can all live, work and play in a cybersecure city.’ ”

By Byron Acohido

Wanted:

Perks: Employer has search monopoly — and warm leads at top spy organizations.

That’s one takeaway of reports that Google has asked the secretive National Security Agency to help track down the cyberattackers who recently breached its network. More on this below.

Reporter Ellen Nakashima’s front page story in the Washington Post yesterday, 04Feb2010, has rekindled simmering concerns about corporations collaborating in the shadows with the government’s top sleuth agency. Nakashima’s report used Deep Throat sources to flush out a substantive development in the finest tradition of Woodward and Bernstein.

You may recall how privacy and civil liberties activists raised a hew and cry in 2006 after an investigation, by USA TODAY’S ace telecom reporter Leslie Cauley, revealed how the NSA secretly analyzed phone records of tens of millions of Americans.

High potential for abuse

At the time, public backlash was directed mainly at telecom giants AT&T, Verizon and BellSouth for so readily giving up their customers’ private phone records to a government agency.

In a similar vein, Google, the world’s dominant search service, amasses data on the surfing habits of most Internet users, and stores vast amounts of sensitive data belonging to users of its popular Gmail and Google Apps online services, says Amrit Williams, CTO of security firm Big Fix.

Because the NSA is an “opaque intelligence organization . . .the potential for abuse of private information at the intelligence or government level is very high,” he says.

Google CEO Eric Schmidt did little to allay the fears of privacy and civil liberty advocates in this interview last December with CNBC financial reporter Maria Bartiromo. Schmidt says on camera:

The reality is that search engines, including Google, do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

It’s understandable the Google and other corporations might covet the NSA’s expertise at quelling cyber attacks; the agency possess unsurpassed intelligence gathering technologies and know how, says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank.

Mysterious agenda

Yet the cyber attackers who breached Google’s network and some 30 other tech, financial and media corporations in late December and early January used conventional messaging trickery and infection methods. So much so that security firm McAfee with in a couple of days of Google’s crying foul went public with extensive analysis of the distinctive  attacks, dubbed “Operation Aurora.”

So why tap the NSA when top-notch forensics is readily available from dozens of tech security firms?

“Company’s don’t usually run and ask the government to get involve in their business,” says Westby. “The attacks may be more sophisticated than we think. I think they (Google) is really trying to preserve their brand.”

Gunter Ollman, head of research at security firm Damballa, says there is a “a high probability” that Chinese nationals were involved. Whether anyone can prove the Chinese government was behind the attacks is another matter. Attacks that trace back to China are “state sponsored, endorsed or, at the very least, ignored by the Chinese government,” observes Ollman.

Given that long-held conventional wisdom, Jeff Chester, executive director of the Center for Digital Democracy, wonders what a search company that collects and distributes public and private data for commercial reasons might gain by turning to a U.S. spy agency for help.

Selling to spy agencies

He points out that Google is actively seeking an experienced sales rep at its Washington D.C. offices whose job will be to sell to the intelligence community. According to Google’s job description, whoever gets the job selling its wares to spy agencies must:

• Be responsible for the entire sales process from Prospecting to Close.
• Lead Generation/outbound calling and warm lead follow up.
• Understand Customer Needs and requirements.
• Present and articulate advanced product features and benefits of Google Enterprise solutions.
• Provide on-line demonstrations.
• Close Sales and achieve sales quotas. Be able to sell and differentiate in a competitive environment.

“Another real problem is that Google is working to curry favor with the NSA, CIA, DoD and others in order to sell its services and make greater profits,” says Chester.

Big Fix CTO Williams offers this takeaway:

The NSA is also one of the nations most secretive and opaque intelligence organizations and creating a balance between the information and enablement they can provide to private sector companies, such as Google, and the impact this may have on personal privacy is the major concern. The potential for abuse of private information at the intelligence or government level is very high. Some may argue that national security is more important than personal privacy and that if you have nothing to hide you have nothing to fear, but imagine the impact on one’s willingness to speak frankly about life threatening medical or legal issues if one felt that the privacy, that we as US citizens are guaranteed and hold so dear, will be compromised for the sake of security.

The United States has always struggled with finding a balance between national security and civil liberties, the question that we need to pose today is are we ready to compromise our liberty for the perception of short-term safety, especially knowing that this relationship sets a very dangerous precedent for the future involvement of Government within evolving commercial technologies of the tomorrow?

A Google spokesperson pointed out the company’s Jan. 12 public statement about cyberattacks and censorhips in China and declined further comment.

By Byron Acohido

“It isn’t just China,” says Matt Moynahan CEO of applications security firm Veracode. “They are the most aggressive. But all large governments are doing this, as are organized non-government actors.”

Indeed, China, Russia, North Korea, Iran, Israel, France, the United States and the United Kingdom are widely known to possess state-of-the-art cyber espionage know-how which is put to use gathering  economic and military intelligence. Details of covert cyber-ops get discussed at numerous conferences attended by military brass, federal regulators, law enforcement officials, privacy advocates and tech security analysts.

“The consensus discussion is that everybody is busy spying on everybody else,” says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank.  “These countries are doing it to us, but we’re also doing it to them.”

With little fanfare, Secretary of Defense Robert Gates, underscored as much on 24Jun2009. Gates stood up a new Department of Defense subcommand focused on cybersecurity under the U.S. Strategic Command.

“This is about trying to figure out how we, within this department, within the United States military, can better coordinate the day-to-day defense, protection and operation of the department’s computer networks,” Pentagon Press Secretary Geoff Morrell told reporters at the time.

And last month, on 22Dec2009, when many of us were doing last minute gift shopping, President Obama named Howard Schmidt to the newly created post of White House cybersecurity adviser. Schmidt’s assignment: coordinate economic and military cybersecurity policy.

Schmidt, former Microsoft exec and Bush Administration appointee, is the cyber czar Obama said he would name in a watershed 29May2009 speech. He is the linchpin personnel piece to Obama’s plan for taking a leadership role in making the Internet safer.

Cyber black-ops

The cyber-espionage slice of the Internet underground traces its beginnings back to 1993 when the Russians first began developing black-ops teams to concentrate on intelligence gathering using the Internet, says Alan Paller, managing director of The Sans Institute think tank.

China was fully into cyber-spying by 2003 when a Chinese black-ops team, designated Titan Rain, roamed deep inside U.S. Department of Defense networks. By 2006, corporations in the U.S. and Europe were heavily infiltrated by China and other nation-states, says Paller.

A watershed warning came in December 2007. Jonathan Evans, Britain’s Director-General of MI5, cautioned 300 senior execs to guard against Internet assaults from “Chinese state organizations.” Such attacks, Evans warned, are designed to “defeat best-practice IT security systems.”

Evans said at the time ” ‘If you’re doing business in China, your company’s network and your company’s lawyer’s network are very likely being penetrated,’ ” says Paller.

Cyber-intruders today routinely go after corporations, their law firms — and even their public relations firms, according to an Evans-like warning issued by the FBI last November. “They’re after the corporate playbook,” says Paller.

Google’s patience runs out in 4 years

It took Google this week threatening to pull the plug on its China operations, to shed a bright  light on the rising collateral damage caused by unchecked cyber espionage –  for  economic and military strategic gain. Since agreeing to submit to China’s censors in exchange for opening a beachhead office in Beijing in January 2006,  Google CEO Eric Schmidt has stated on numerous occasions, as recently as October, 2009:  “China has 5,000 years of history, Google has 5,000 years of patience.”

In Chinese culture, the numbers five, eight and nine are auspicious. The number four is associated with death and considered extremely unlucky. On Tuesday, 12Jan2010,  after just four years in Beijing,  Google’s patience died.  Citing irritation over cyberattacks it loosely linked to censorship dictates, the search giant said it will no longer adhere to censorship rules as they stood.

Google chief legal counsel David Drummond issued a press release with  details about how Google got hacked and why its patience had run out:

• In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.  First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses . . .   Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists…
• … These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results… over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The power of ‘no mas’

Google had stepped  forward and made  the same choice boxer Roberto Duran made, when Duran could tolerate no more elusive footwork and peppering blows from Sugar Ray Leonard. This  seemed to give permission for other Western companies to speak up. Subsequently, Adobe, Northrup and Juniper came forward to disclose that they, too, were similarly targeted and breached by presumed Chinese attackers.

Then on Thursday, 14Jan2010, security firm McAfee contacted LastWatchdog with information that several of its customers had been likewise  hit. McAfee CTO George Kurtz told me his  researchers had isolated a sample of the attack sequence and malicious codes used.

According to Kurtz, the attackers began by sending emails and instant messages personally addressed to senior technical managers, enticing them to click on a corrupted Web page link. Clicking on the link activated a freshly-discovered security hole in Internet Explorer web browser, which Microsoft embeds on all Windows PCs. Through this hole the attackers installed a program that allowed them to  take control of the PC.

They then  “began probing the network for high value intellectual property,” says Kurtz. Extracted data was sent to servers hosted by Rackspace, a San Antonio, Tex, web hosting company, and then transferred again to other servers.

This type of hybrid attack wasn’t at all innovative, nor was the attackers’ use of a security hole that exists in all versions of Microsoft’s Internet Explorer Web browser. This is referred to as a zero-day vulnerability. Microsoft has patched hundreds of zero-day vulnerabilities since 2004. The software giant said Thursday it has begun work on a patch for the latest zero-day — the one intruders used to extract data from Google.

There’s a constant flow of fresh zero-days because computer code is complex. Researchers, known as Whitehats, continually flush them out so they can be patched. Meanwhile, bad guy programmers, called Blackhats, do the same to sell them to cyber-intruders — for up to $100,000, according to Moynahan — who use them to steal data before any patches exist.

While their methodology was ordinary, the tools and techniques used by the cyberspies who breached its customers’ networks  were no amateurs. “It wasn’t a 13-year-old king who pounded out a quick Trojan,” says Kurtz. “There were no corners cut in targeting these specific companies and in escaping detection as long as possible.

CYBERsitter’s intellectual property stolen, its law firm targeted

At roughly the same time  McAfee’s researchers were reverse engineering the Google attack, a live case of Chinese hackers going after a law firms unfolded in Los Angeles.

Gregory Fayer,  a lawyer at L.A. firm Gipson Hoffman & Pancione received an obviously faked email purporting to come from his managing partner. Fayer told LastWatchdog that  more than a dozen employees at the firm had received similar faked e-mail messages on Monday, 11Jan2010.

A week earlier, Fayer had filed a $2.2 billion lawsuit against China on behalf of Santa Barbara-based CYBERsitter, maker of a Web browser filter parents buy to keep their kids off porn sites. The lawsuit accused China of copying CYBERsitter’s proprietary program and using it lock, stock and barrell in a misguided  state-sponsored child-protection censorship service, called Green Dam.

“The Trojan emails were located within China — the ISP routing shows there was a Chinese source, ” says Fayer. ” I’m not sure I can say a lot beyond that. We feel reasonably confident at this point that there was a connection with China.”

By Byron Acohido