Saturday, June 13, 2009

Cyberwar - Privacy May Be a Victim in Cyberdefense Plan - Series - NYTimes.com

http://www.nytimes.com/ 

June 13, 2009

Cyberwar - The New York Times

Privacy May Be a Victim in Cyberdefense Plan

By THOM SHANKER and DAVID E. SANGER

WASHINGTON — A plan to create a new Pentagon cybercommand is raising significant privacy and diplomatic concerns, as the Obama administration moves ahead on efforts to protect the nation from cyberattack and to prepare for possible offensive operations against adversaries’ computer networks.

President Obama has said that the new cyberdefense strategy he unveiled last month will provide protections for personal privacy and civil liberties. But senior Pentagon and military officials say that Mr. Obama’s assurances may be challenging to guarantee in practice, particularly in trying to monitor the thousands of daily attacks on security systems in the United States that have set off a race to develop better cyberweapons.

Much of the new military command’s work is expected to be carried out by the National Security Agency, whose role in intercepting the domestic end of international calls and e-mail messages after the Sept. 11, 2001, attacks, under secret orders issued by the Bush administration, has already generated intense controversy.

There is simply no way, the officials say, to effectively conduct computer operations without entering networks inside the United States, where the military is prohibited from operating, or traveling electronic paths through countries that are not themselves American targets.

The cybersecurity effort, Mr. Obama said at the White House last month, “will not — I repeat, will not — include monitoring private sector networks or Internet traffic.”

But foreign adversaries often mount their attacks through computer network hubs inside the United States, and military officials and outside experts say that threat confronts the Pentagon and the administration with difficult questions.

Military officials say there may be a need to intercept and examine some e-mail messages sent from other countries to guard against computer viruses or potential terrorist action. Advocates say the process could ultimately be accepted as the digital equivalent of customs inspections, in which passengers arriving from overseas consent to have their luggage opened for security, tax and health reasons.

“The government is in a quandary,” said Maren Leed, a defense expert at the bipartisan Center for Strategic and International Studies who was a Pentagon special assistant on cyberoperations from 2005 to 2008.

Ms. Leed said a broad debate was needed “about what constitutes an intrusion that violates privacy and, at the other extreme, what is an intrusion that may be acceptable in the face of an act of war.”

In a recent speech, Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff and a chief architect of the new cyberstrategy, acknowledged that a major unresolved issue was how the military — which would include the National Security Agency, where much of the cyberwar expertise resides — could legally set up an early warning system.

Unlike a missile attack, which would show up on the Pentagon’s screens long before reaching American territory, a cyberattack may be visible only after it has been launched in the United States.

“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”

For example, the daily attacks on the Pentagon’s own computer systems, or probes sent from Russia, China and Eastern Europe seeking chinks in the computer systems of corporations and financial institutions, are rarely seen before their effect is felt inside the United States.

Some administration officials have begun to discuss whether laws or regulations must be changed to allow law enforcement, the military or intelligence agencies greater access to networks or Internet providers when significant evidence of a national security threat was found.

Ms. Leed said that while the Defense Department and related intelligence agencies were the only organizations that had the ability to protect against such cyberattacks, “they are not the best suited, from a civil liberties perspective, to take on that responsibility.”

Under plans being completed at the Pentagon, the new cybercommand will be run by a four-star general, much the way Gen. David H. Petraeus runs the wars in Afghanistan and Iraq from Central Command in Tampa, Fla. But the expectation is that whoever is in charge of the new command will also direct the National Security Agency, an effort to solve the turf war between the spy agency and the military over who is in charge of conducting offensive operations.

While the N.S.A.’s job is chiefly one of detection and monitoring, the agency also possesses what Michael D. McConnell, the former director of national intelligence, called “the critical skill set” to respond quickly to cyberattacks. Yet the Defense Department views cyberspace as its domain as well, a new battleground after land, sea, air and space.

The complications are not limited to privacy concerns. The Pentagon is increasingly worried about the diplomatic ramifications of being forced to use the computer networks of many other nations while carrying out digital missions — the computer equivalent of the Vietnam War’s spilling over the Cambodian border in the 1960s. To battle Russian hackers, for example, it might be necessary to act through the virtual cyberterritory of Britain or Germany or any country where the attack was routed.

General Cartwright said military planners were trying to write rules of engagement for scenarios in which a cyberattack was launched from a neutral country that might have no idea what was going on. But, with time of the essence, it may not be possible, the scenarios show, to ask other nations to act against an attack that is flowing through their computers in milliseconds.

“If I pass through your country, do I have to talk to the ambassador?” General Cartwright said. “It is very difficult. Those are the questions that are now really starting to emerge vis-à-vis cyber.”

Frida Berrigan, a longtime peace activist who is a senior program associate at the New America Foundation’s arms and security initiative, expressed concerns about whether the Obama administration would be able to balance its promise to respect privacy in cyberspace even as it appeared to be militarizing cybersecurity.

“Obama was very deliberate in saying that the U.S. military and the U.S. government would not be looking at our e-mail and not tracking what we do online,” Ms. Berrigan said. “This is not to say there is not a cyberthreat out there or that cyberterrorism is not a significant concern. We should be vigilant and creative. But once again we see the Pentagon being put at the heart of it and at front lines of offering a solution.”

Ms. Berrigan said that just as the counterinsurgency wars in Iraq and Afghanistan had proved that “there is no front line anymore, and no demilitarized zone anymore, then if the Pentagon and the military services see cyberspace as a battlefield domain, then the lines protecting privacy and our civil liberties get blurred very, very quickly.”

Cyberwar - Privacy May Be a Victim in Cyberdefense Plan - Series - NYTimes.com

Sky News Australia - Swine Flu (http://ping.fm/MxFyz)
Linda McGlasson (InfoSec_Girl) on Twitter (http://ping.fm/hScio)

Friday, June 12, 2009

Summer Reading for Security Pros: Schneier or Sagan? | Security - InfoWorld (http://ping.fm/menhW)
Internet Security Alliance Updates 6-12-09 : Information Security Resources (http://ping.fm/g99L7)
How Facebook and Twitter Are Changing Data Privacy Rules ( - Internet - Security ) (http://ow.ly/dQuf)

Thursday, June 11, 2009

WHO Declares Swine flu a Pandemic. Now What?

From: www.csoonline.com

The World Health Organization has raised its pandemic alert level to 6, making swine flu the first true pandemic in more than 40 years. Here's what it means for your company.

WHO Declares Swine flu a Pandemic. Now What?

clip_image001

by Bill Brenner, Senior Editor, CSO

June 11, 2009

The World Health Organization (WHO) has officially declared swine flu the first pandemic in more than 40 years.

The news arrived with none of the panic that swirled in the air when news of the virus first emerged in late April. But security experts say there are still actions emergency planners should be taking to ensure order if later waves of the H1N1 virus prove more deadly.

By raising the pandemic level to Phase 6, WHO has confirmed that sustained human-to-human transmission of the virus is happening at the community-level in multiple countries. To date, the virus has appeared in 74 countries, including Mexico, the US, UK, Australia, Japan, and Chile. There have been approximately 28,000 cases with 141 deaths so far, though the move to Phase 6 does not necessarily mean swine flu is causing more severe illness or more deaths.

But it does mean the world is threatened by an unpredictable virus that could grow weaker or stronger with time. History has shown that pandemics often start with a mild first wave, followed in the fall and winter by a more lethal wave. The best example of this was the Spanish Influenza of 1918-19, which killed roughly 50 million to 100 million people worldwide.

Emergency preparedness experts say there's no cause for panic, but that history serves as a reminder that organizations should always be thinking about how to keep the machinery moving in the event something big and unexpected happens. [See: Now That the Hype Is Over, Keep Planning]

For emergency planners, there are both physical and cyber security challenges to think about regarding swine flu and other potential pandemic viruses.

On the physical side, private entities should be hammering out a game plan for who would do what and where if the government decided to restrict our movements to contain an outbreak, says Kevin Nixon, an emergency planning expert who has testified before Congress and served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and the Federal Trade Commission.

"Companies and employers that have not done so are being urged to establish a business continuity plan should the government direct state and local governments to immediately enforce their community containment plans," Nixon says. [Podcast: How to Prepare for a Swine flu Pandemic]

If the Federal government does direct states and communities to implement their emergency plans, recommendations, based on the severity of the pandemic, may include:

  • Asking ill people to voluntarily remain at home and not go to work or out in the community for about 7-10 days or until they are well and can no longer spread the infection to others (ill individuals may be treated with influenza antiviral medications, as appropriate, if these medications are effective and available.
  • Asking members of households with a person who is ill to voluntarily remain at home for about 7 days (household members may be provided with antiviral medications, if these medications are effective and sufficient in quantity and feasible mechanisms for their distribution have been developed).
  • Dismissing students from schools (including public and private schools as well as colleges and universities) and school-based activities and closure of childcare programs for up to 12 weeks, coupled with protecting children and teenagers through social distancing in the community, to include reductions of out-of-school social contacts and community mixing. Childcare programs discussed in this guidance include centers or facilities that provide care to any number of children in a nonresidential setting, large family childcare homes that provide care for seven or more children in the home of the provider, and small family childcare homes that provide care to six or fewer children in the home of the provider.
  • Recommending social distancing of adults in the community, which may include cancellation of large public gatherings; changing workplace environments and schedules to decrease social density and preserve a healthy workplace to the greatest extent possible without disrupting essential services; ensuring work-leave policies to align incentives and facilitate adherence with the measures outlined above. [Source: swine flu: How to Make Biz Continuity Plans, by Kevin Nixon]

On the IT security side, organizations need to be thinking about how to stay on top of things like log monitoring and patch management in the event of sickness among the IT security staff.

Kevin Coleman, a strategic management consultant at Technolytics, says companies should also plan for limitations on business travel and even bringing in extra cleaning crews and keeping employees at home if they complain of so much as a sniffle.

"Encourage anyone who feels the least bit sick to stay home," Coleman says. "If an employee can do all the work from home on company laptops and VPNs that they do in the office, there's no reason to have them come in. If you can limit exposure from the get-go, why wouldn't you?"

Meantime, Coleman said, companies should ramp up the cleaning crew activity that's already going on, mostly after office hours. Bringing in extra cleaning crews to wipe down heavily-touched surfaces like doors, walls, phones and keyboards is money well spent, he said.

"Employees can also do their part to limit the spread of flu by carrying around antibacterial hand wipes," he said, noting that some of his clients have already pulled back on the amount of business travel employees can do.

It's far from certain that we're in for a deadly 1918-style pandemic. Either way, security experts say going over the scenarios and building a game plan is time well spent.

© CXO Media Inc.

clip_image002

Subscribe to CSO Newsletters

Wednesday, June 10, 2009

#links

#links
Powered By Blogger