Friday, May 29, 2009

Building a Cybersecurity Lab (Full operating capability is expected in 2012)

By Grace V. Jean

Shortly before the Russian military drove tanks into the restive region of South Ossetia last year, a cyber-attack hit neighboring Georgia, knocking government and news organization websites offline for days. In January, a similar digital assault paralyzed Kyrgyzstan’s main Internet service providers.

Cyber-attacks have become more prevalent around the world and defending against them has become harder and harder, experts say. The U.S. government’s computers, too, have become a target. They have attracted tens of thousands of onslaughts in recent years. U.S. Central Command networks in November were hit by an electronic attack thought to have Russian origins.

In an effort to beef up the country’s defenses in cyberspace, the Comprehensive National Cybersecurity Initiative, established last year by the Bush administration, seeks to reduce network vulnerabilities, protect against intrusions and anticipate future threats.

As part of the initiative, the Defense Advanced Research Projects Agency has awarded $30 million in contracts to spur the development of a facility where researchers and scientists can test their latest cybersecurity technologies.

Ultimately, the “national cyberrange” will be a hybrid of a Consumer Reports-type testing laboratory and the Army’s National Training Center, says program manager Michael VanPutte.

“We want the national cyberrange to do for cyber what the National Training Center did for the Army and the Department of Defense in joint war fighting,” the retired Army colonel says.

A researcher, for example, might have a new network protocol that he wants to try out. Network protocols are the rules that a network uses in order to communicate. The scientist could install the protocol on the national cyberrange and run it through realistic threat scenarios to assess the network’s security.

There are a number of existing test beds that provide some of the capabilities that DARPA is asking for, but none has the scale of automation or sophistication that scientists need, VanPutte says.

“To really understand the attacker, we need an environment where we can set up a large-scale defense, let the attackers go, watch it and measure, and then make changes in the environment and see if that helps or hinders security,” says VanPutte. “The cyberrange will give us that laboratory to see how we can improve security.”

Setting up a sterile environment to test cybertechnologies presently is a laborious, time-intensive process, he points out. Just as the average consumer would go about setting up a new computer from scratch — installing an operating system, hardware and software and then configuring it — scientists must do the same for their devices, but on a greater scale of hundreds of computers.

“When you get above 300 machines, it gets really hard and really time-consuming,” says VanPutte. “I’m trying to flip that paradigm.”

The cyberrange will simplify that process with graphic user interfaces and other systems that automatically configure an entire network so that scientists can concentrate on conducting their research, he explains.

Simulated users and realistic adversaries would then test the technologies against a full spectrum of threats to give a comprehensive, unbiased assessment of security, he says.

The facility is intended for use by organizations and research institutions nationwide. Scientists from academia, industry and various government and law enforcement agencies could all run trials simultaneously at a variety of classification levels.

For the military, the range will offer opportunities to test the Defense Department’s vision for future network-centric operations in a virtual reality network, VanPutte points out.

While the primary purpose of the facility is to help develop cutting-edge technologies for countering cyber-attacks, its secondary goal is to foster innovation in cybertesting itself. Many of the challenges there — slowing down and speeding up test times and replicating human behavior — are problems that the modeling and simulation community faces. “Those are all really, really hard problems that there aren’t solutions to today,” says VanPutte. “The purpose of the NCR is to build out that research and field the results back out to the testing community, to really increase the capability of all U.S. test beds, not just the national cyberrange.”

DARPA has awarded contracts to seven teams that will provide detailed engineering plans, concepts of operation and visions of how the national cyberrange will run. Proposals for building the prototype are due July 13. Officials will select one or more of the plans for a phase II contract. Depending on the outcome of prototype testing, the final contract will be awarded to build the range.

Full operating capability is expected in 2012.

U.S. Cyber Czar On The Horizon; New Legislation, Too?

Posted by John Sawyer, May 27, 2009 02:55 PM

The buzz surrounding President Obama's efforts at securing our cyber-infrastructure is audible. The release of a 60-day review of the government's cybersecurity efforts, which started back in February, is expected soon, along with the naming of a new White House official -- a "cyber czar," as some are calling the position -- who will reportedly have purview over developing a strategy for securing both government and private networks.

While we're all waiting, I'm left wondering how far government will go to help protect not only itself, but private industry. And will it be enough? I've personally seen positive changes come about as a result of HIPAA, but it has been far from a silver bullet. The lack of understanding about responsibilities regarding IT (like secure wireless networking) I've seen at smaller doctors' offices is frightening.

I should narrow my "Is it enough?" question to be a little more specific: How committed is the government to protecting not only its own networks, but those of private companies (and individuals), and to getting the word out to small businesses about what they are supposed to be doing? Who will be responsible for making sure companies, and possibly individuals, comply with any legislation brought forth as a result of the report and cyber czar?

We've seen other governments try to protect their citizens and companies from security issues posed by such threats as unsecured wireless networks and inappropriate Web content. For example, at the beginning of this year, several articles covered the efforts by India's police in Mumbai who were searching for and eliminating open wireless networks. The campaign was a result of terrorists using unsecured wireless networks for their communications and eavesdropping on others' communications.

In addition, right now Australia is working with ISPs to test content filtering options to protect its citizens against offensive content, such as child pornography. While the country's intentions are good, it's unlikely its efforts will be effective on a wide scale considering how easy it is to bypass content filtering systems. Even if direct attempts at evasion were not much of a concern, the issue of keeping up with all of the "bad" content out there is likely to be quickly overwhelming.

I'm willing to keep my fingers crossed that the Obama administration can pull this off, even if only partially successful, but I'm not blindly hopeful. In the past (and currently), legislation aimed at IT security has been a cause for companies to cover up breaches to avoid paying costly notifications and possible fines. At this point, I'm resigned to sitting back and watching what happens. At the very least, I'm sure the report will be an interesting read.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

From now on, our digital infrastructure is a strategic national asset


By CircleID Reporter


Obama: From Now On Digital Infrastructure Treated As Strategic National Asset

In a speech today from the White House, President Obama declared that the United States' computers and digital networks are strategic national assets and that he will personally appoint a cybersecurity coordinator to oversee the effort to protect this critical infrastructure. Excerpt from President's remarks today:

"This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.

To give these efforts the high-level focus and attention they deserve—and as part of the new, single National Security Staff announced this week—I'm creating a new office here at the White House that will be led by the Cybersecurity Coordinator [or, as called by some, a Cyber Czar]. Because of the critical importance of this work, I will personally select this official. I'll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges."

Obama setting up better security for computers!!!

By Lolita C. Baldor, Associated Press Writer

WASHINGTON – America has failed for too long to protect the security of its computer networks, President Barack Obama said Friday, announcing he will name a new cyber czar to press for action.

Surrounded by a slew of government officials, aides and corporate executives, Obama said the U.S. has reached a "transformational moment" when computer networks are probed and attacked millions of times a day.

"It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country."

He said he will soon pick the person he wants to head a new White House office of cyber security, and that person will report to the National Security Council and the National Economic Council — a nod to his contention that the country's economic prosperity depends on cybersecurity.

While the coordinator's exact title has not yet been decided, Obama addressed concerns that the person might not have the budgetary and policy-making authority needed to force change. The coordinator, he said, will have "regular access to me."

As many as a half dozen candidates — from the public and private sector — are being considered for the job, according to officials familiar with the discussions.

Obama's announcement comes as the Pentagon is poised to create a new cyber command to improve protection of military networks and coordinate its offensive and defensive cyber missions.

Government officials have grown increasingly alarmed as U.S. computer networks are repeatedly assailed by attacks and scams, ranging from nuisance hacking to more nefarious probes and attacks, including suspicions of cyber espionage by other nations, such as China. Officials earlier this year revealed there was an attack against the electrical grid, and computers at the Pentagon were infected by a virus.

Even the president was a victim.

Obama said his presidential campaign's own computer system was attacked last year, and hackers gained access to e-mails and files, but not to contributors or financial information.

"It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities," said Obama.

Laying out a broad five-point plan, the president said the U.S. must provide the education required to keep pace with technology and attract and retain a cyber-savvy work force. He called for a new education campaign to raise public awareness of the challenges and threats related to cyber security.

The newly interconnected world offers great promise, but it also presents significant peril, the president said, declaring: "Cyberspace is real, and so are the risks that come with it."

He assured the business community, however, that the government will not dictate how private industry should tighten digital defenses. And he made it clear that the new cyber security effort will not involve any monitoring of private networks or individual e-mail accounts.

The Internet, he said, should remain open and free.

Corporate leaders and cyber experts, however, say they are concerned that the new coordinator will not wield enough power to force reluctant government agencies to put aside turf wars or dictate how they spend the millions of dollars the U.S. pours into its digital budgets.

"Placing a strategy "czar" in the White House will hinder Congress' ability to effectively oversee federal cybersecurity activities and will do little to resolve the bureaucratic conflicts, turf battles, and confusing lines of authority that have undermined past cybersecurity efforts," said Sen. Susan Collins of Maine, the top Republican on the Homeland Security and Governmental Affairs Committee.

Experts expressed similar reservations.

"I expect that a position that has a lesser role, that doesn't have budget authority, that is reporting up through the NEC, would probably not result in the kinds of changes that really need to be made," said Gene Spafford, computer security expert and professor at Purdue University, where candidate Obama first pledged last year to make cyber a priority.

Obama said the coordinator will work with the Office of Management and Budget to ensure that agencies reflect the spending priorities needed.

Overall, computer company executives and members of Congress hailed Obama's announcement as a good first step, while warning that there is much hard work still to be done.

"Because the private sector owns and operates the vast majority of our nation's critical infrastructure, government and business have a shared responsibility to defend our networks," said Ann Beauchesne, vice president of national security at the U.S. Chamber of Commerce.


Friday, May 29th, 2009 at 10:00 am
Securing Our Digital Future

White House cyber report: http://www.whitehouse.gov/CyberReview

Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future:

The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone—individuals, academia, industry, and governments—to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations. As you will see in our review there is a lot of work for us to do together and an ambitious action plan to accomplish our goals. It must begin with a national dialogue on cybersecurity and we should start with our family, friends, and colleagues.

We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced. We have garnered great momentum in the last few months, and the vision developed in our review is based on the important input we received from industry, academia, the civil liberties and privacy communities, others in the Executive Branch, State governments, Congress, and our international partners. We now have a strong and common view of what is needed to achieve change. Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority.

Tuesday, May 12, 2009

Virginia Won't Pay Hacker's Ransom Demand

Michael Barkoviak / DailyTech

May 08, 2009

‘The state has refused to pay the $10M ransom demand.’

Days after it was revealed a hacker successfully compromised the Virginia Health database and stole records of more than 8 million patients, the state of Virginia announced it will not pay a requested $10 million ransom.

The database is used by pharmacies and doctors to track narcotics and painkiller prescriptions, in an attempt to reduce the amount of abuse, theft and illegal sales of popular prescription drugs.

Both the Virginia state police and FBI are looking into the matter, with Virginia Governor Timothy Kaine saying this is a “crime and it is being treated that way.”

The state has refused to pay the ransom, and will instead rely on the FBI’s investigation to locate and prosecute the people responsible for this data intrusion.

Since the breach last week, the Department of Health Professions shut down its computer network, and all data has been successfully backed up. The DHP has issued a statement saying it can “assure the public that all precautions are being taken for DHP operations to continue safely and securely.”

Hackers’ attempts to steal personal information or hold data for ransom have increased in popularity, with hackers routinely stealing Social Security Numbers and other personal information so it can be sold to identity thieves. There is a growing concern over foreign-based hacker groups that are bankrolled by countries such as China and Russia, who are targeting U.S.-based computer networks.

The FBI hasn’t said if they believe this data intrusion to be the work of foreign hackers, but it’s a link they’re likely looking into during the investigation.

Monday, May 4, 2009

Who should be in charge of U.S. cybersecurity operations?

SANS Tells Congress: Feds' Checkbook Is Cyberdefense 'Weapon'
Security experts in Senate hearing today debate whether the White House or Department of Homeland Security should head up U.S. cybersecurity strategy and operations

Apr 28, 2009 | 01:51 PM
By Kelly Jackson Higgins
DarkReading

Whether the White House or the Department of Homeland Security should have the lead role in coordinating U.S. cybersecurity operations was the hot-button question during a Senate hearing today, but securing the nation's infrastructure must start by harnessing the federal government's massive IT buying power, according to the testimony.

Alan Paller, director of research for SANS, told the Senate Committee on Homeland Security and Governmental Affairs that Congress can mitigate the cyberthreat by refocusing the government's cybersecurity from "report-writing" to real-time, automated defenses by strategically deploying the feds' $70 billion annual IT budget.

"The idea of [cybersecurity] leadership isn't if it's the White House or DHS. It's whether you use the $70 billion you spend per year to make the nation safer," Paller told members of the Senate Committee on Homeland Security and Governmental Affairs.

Paller was among three witnesses who testified that a White House official, not DHS, should oversee and coordinate the nation's cybersecurity policy and deployment. James Lewis, director and senior fellow for technology and public policy at the Center for Strategic and International Studies, and Tom Kellermann, vice president of security awareness for Core Security Technologies, concurred. A fourth witness on the panel, Stewart Baker, former assistant secretary at DHS, and now partner at law firm Steptoe & Johnson LLP, was the only one who disagreed.

The feds need to flex their buying muscle to pressure security and software vendors to provide more secure products and versions of products, Paller said. Buying more secure systems "trickles down" because software vendors will then offer more secure products, plus it saves money in the end, he said.

Paller gave the example of the Air Force urging Microsoft to build a more secure version of Windows for its use after the National Security Agency's red team discovered major vulnerabilities in the Air Force's systems. The Air Force saved more than $100 million in procurement costs by deploying a more secure configuration of the Microsoft operating system, he said.

"Microsoft now sells a more secure version to utilities and the defense industry," Paller said. "Once hardware and software get built more securely, there's nothing stopping [vendors] to sell them to everyone."

Paller said Congress' biggest job is to ensure that agencies buy IT products with built-in security. "Technology buyers cannot cost-effectively secure the technology they purchase," he said. "Keep telling agencies to buy security baked-in. That's your great weapon."

Meanwhile, former DHS executive Baker told the committee that creating a new National Office for Cyberspace, as recommended by the CSIS Commission on Cybersecurity for the 44th Presidency, would face the same challenges and problems the DHS experienced in its cybersecurity efforts from the get-go. The Cybersecurity Act of 2009, which was recently introduced in the Senate, also would create a new executive-level office for cybersecurity management.

"DHS's execution of its responsibilities has certainly not been perfect, but it has spent much of the last year improving on its record. It has able new leadership and a head start on creating the capabilities it needs. I would be inclined to build on that foundation rather than starting over," he said.

Core's Kellermann, meanwhile, who served on the CSIS Commission on Cybersecurity for the 44th Presidency, told the committee that a common problem across the federal government is that CIOs lead IT spending decisions, rather than CISOs. "A CIO is focused on productivity and access, whereas the CISO's [perspective] is different," he said.

Kellermann also pointed out that the goal of major cyberattackers is not to disrupt service, but to remain under the radar. "The enemy wants to remain persistent and clandestine, infiltrating your systems. He wants to remain on a mission and to control the integrity of your data and to manipulate you," he said.

And a missing link for DHS thus far, SANS' Paller said, is a "red button," or the ability to pull the plug on agencies that don't implement federal IT security regulations. "If the US-CERT says the Department of Commerce is doing a poor job [in security], and Commerce [refuses to do anything], DHS can't do anything about it," Paller said. "You want them to have the ability to pull the plug on agencies' computers. This is something Congress has not yet wanted to do."