Cybersecurity czar debated in USA — as Europe seeks top cyber cop
Posted on | May 15, 2009 | 1 comment
Four weeks have gone by since Melissa Hathaway delivered her 60-day review of U.S. cybersecurity policy to President Obama. At this point, Obama would shock the tech security, military and intelligence communities if he does not name a cybersecurity czar.
Still, there has been no public comment from the White House. The hold up at least in part appears to be due to a protracted internal discussion about where a presidential cybersecurity adviser ought to be positioned in the White House hierarchy.
Should he or she be a senior deputy in the National Security Council? Or maybe the Office of Science and Technology Policy? How about the National Economic Council?
“It might seem like Inside Baseball, but it’s actually very important,” says Amit Yoran, Chairman and CEO of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security. “Where this senior executive sits in the White House structure will set the level of empowerment. It will dictate whether he or she is fully empowered to do bold and aggressive things, or plays a backseat to other issues.”
Europe seeks a Mr. Cybersecurity
Another indicator that Obama almost certainly will name a cybersecurity czar: the European Union is now wondering if it, too, should have a top cyber cop. During her last weekly video message, Vivane Redding, the EU’s Commissioner for Information Society and Media, suggested Europe could use a “Mr. Cybersecurity” as soon as possible.
“Europe needs a ‘Mr. Cybersecurity’ as we have a ‘Mr. Foreign Affairs,’” said Reding. She vowed to fight for a “cybercop in charge of the coordination of our forces and of developing tactical plans to improve our level of resilience. ”
Eli Jellenc, a social scientist who toils as an international affairs analyst for VeriSign iDefense, tracks Europe closely and is an expert at reading between the lines of politick-speak. He notes that Reding was purposely vague about whether Europe’s Mr. Cybersecurity should report to her, which would make instant use of Reding’s hard-won political clout, or be established as a new autonomous player, left to scrape up political capital on his or her own.
“It’s unclear under what structure the czar would sit right now,” he says. “That’s kind of telling. It is an acknowledgment that they haven’t yet developed much of their own ideas tailored to the unique institutional framework of the EU.”
Unlike the USA, the EU has nothing even remotely resembling an executive branch controlled by a powerful president. Everything in the EU comes by consensus, which can take years to hammer together. By comparison, a 60-day cybersecurity review and few weeks presidential deliberation doesn’t seem so bad.
“At this point Europe is largely following the lead of the U.S. so as not to appear that they’ve completely ignored the debate,” says Jellenc. “But what they’re doing is hardly innovative or well thought out. And to be fair, it need not be incredibly well thought out; it’s good that they’re broaching the topic and getting policy makers to discuss it.”
Cyber threats continue to mount
As policy makers debate, cyber criminals continue to infect e-mail, web pages and popular social networks with data stealing programs and financial scams. And cyber spies continue to mount asymetrical attacks targeting databases at companies and government agencies, aiming to swipe sensitive commercial and military data.
In a case the shows Chinese spies still use old-school tactics, a mid-level Pentagon insider has been charged with conspiracy to communicate classified information to China. The allegations against James Wilbur Fondren, Jr., detailed here, depict a tale of one-on-one social engineering taking place over a long period of time to get a military insider, with Top Secret clearance, to deliver sensitive data to China.
This is another example of China intensively carrying out a long-standing policy to extract as much commercial and military data from the U.S. and other Western nations as it can, says Rick Howard, Director Security Intelligence at VeriSign iDefense.
Last month, intelligence officials leaked information to Wall Street Journal D.C.-bureau reporter Siobhan Gorman about how China and Russia have established deep footholds inside the networks that control the U.S. electrical grid and how cyberspies accessed data relating to the design of the F-35 Joint Strike Fighter.
“The Chinese have had a cyber espionage campaign against the U.S. since at least 1998, ” says Howard.” They don’t think they can win tank-on-tank, so they’ve stated that they’re going to win at cyber warfare and information warfare.”
According to the affidavit filed in support of the criminal complaint, Fondren, 62, retired as Air Force Lieutenant Colonel in 1996 and became a consultant. One of his clients was Tai Shen Kuo, a naturalized U.S. citizen from Taiwan. Upon being hired as a civilian Pentagon employee in 2001, Fondren was granted Top Secret security clearance — and continued to provide consulting services to Kuo.
This relationship led to Fondren using his access to classified databases to supply Kuo with eight “opinion papers” containing classified data as recently as 2008. The price: $350 to $800 apiece. Kuo, in turn, was paid $50,000 to pass the papers along to a Chinese government official, according to the affidavit.
Technology is readily available that can meticulously restrict access to databases. But it can be complicated and expensive. “Perimeter defenses, while important, are no longer sufficient,” says Phil Neray, vice-president of security strategy at database security firm Guardium. “Your people are the new perimeter. The new perimeter is data. If they had the proper controls in place, they would have seen this guy accessing all these sensitive files that probably were not required for his job.”
Neray says most organizations continue to give privileged users “carte blanche to all of their sensitive information.”
–Byron Acohido
Comments
1 Comment »
RSS feed for comments on this post.
The U.S. Government cannot succeed in securing cyberspace in isolation, but it also cannot entirely delegate or abrogate its role in securing the Nation from a cyber incident or accident. Here are the details of Obama’s plan http://personafile.com/PXew
Comment by Security Desk — 5/29/2009 @ 2:38 pm