Cyber-based threats against information infrastructures in the United States have generated an increasing concern for national security. According to a Congressional Research Service report, these emerging threats consist of cyber terrorism, debilitating U.S. command over the electromagnetic spectrum, facilitation of terrorist operations, cyber crimes involving theft of intellectual property, patent violations, or copyright laws, and identity theft. These threats also involve unauthorized probing of tests that target a computer’s configuration and its system defenses and, in some instances, the unauthorized viewing, copying, and extraction of data files. The low expense of access to the internet combined with the ability to operate anonymously, are strong key factors that make information operations enticing for those who are unable to combat the U.S. in conventional warfare.  Understanding these real threats against our nation enforces the need for a shift in prioritization and funding to address any future cyber security threats in all capacities.

The vulnerability of cyber security significantly impacts the state of a nation’s economic and national security.  Cyber warfare and cyber-crimes have become more frequent and sophisticated in current times.  The usage of mobile devices, social networks, and confidential information are constantly threatened as the global society integrates more services and operations with the internet. Chen McGuire, the Vice President of Symantec Corporation’s Global Government Affairs & Cybersecurity Policy, in a House Homeland Security Committee hearing stated, “the volume and sophistication of threat activity increased more than 19 percent over 2009, with Symantec identifying more than 286 million unique variations of malicious software or malware…with an estimated 431 million adult victims globally in the past year, and at an annual combined cost of $388 billion globally based on financial losses and time lost, cybercrime costs are significantly more than the global black market in marijuana, cocaine and heroin combined- which estimate at $288 billion per year.” The threat is real; the results of these attacks are costly to businesses and governmental operations.  In order to adequately address these threats, it is imperative that information sharing is increased between all stakeholders; the government, the private sector, and the individual citizen.  Effective risk-based approaches must specifically address each individual risk, while the promotion of strong private-public partnerships through innovative research and development. More importantly, accountability measurements must be demanded to prevent costly financial losses while increased protective mechanisms safeguard the rights of everyday citizens.

During the 112^th Congress, legislators have taken considerable steps to address the cybersecurity concerns. Recently, Congressman Dan Lungren (R-CA), Chairman of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (CIPST), introduced H.R. 3116, the Department of Homeland Security Authorization Act of Fiscal Year 2012. This legislation addresses multiple key issues of emerging cyber threats. H.R. 3116 would require the Secretary of the Department of Homeland Security (DHS) to protect federal and critical infrastructure information systems through risk assessment; develop essential security technologies and capabilities to protect the systems, in conjunction with government and private-sector entities; develop and lead nationwide awareness and outreach on the importance of cybersecurity, ways to promote best practices, and training to support the development of the cybersecurity workforce; take other necessary lawful action to accomplish the requirements of this section; coordinate with other relevant federal, nonfederal, and international entities, including suppliers of technology for CI; designate a DHS official to lead cybersecurity activities; ensure coordination with other relevant DHS activities, including intelligence and law enforcement; and report regularly on program coordination to appropriate congressional committees, among other directives.

H.R. 3116 is a commendable first step in addressing the cyber threats that impact the lives of countless Americans daily. The Senate and the Obama Administration have also taken significant steps to address cybersecurity. Despite the strong partisanship in the nation’s capital, threats to cybersecurity should be a point of consensus and unification, as it has an immediate and egregious effect on our nation’s livelihood. Securing cyberspace will take a coordinated effort between the federal, state, and local governments, and also the private sector. As each day goes by, our nation faces new cyber threats from new actors seeking to access classified government information, while attempting the theft of personal information, in order to disrupt our quality of life.

In this digital era we are all connected.  Everyone must employ safe and secure computing practices because no individual, business, or government entity should be solely responsible for cybersecurity.  We must all understand how online computing practices have an impact on our nation’s cyber security. If we choose to ignore these warnings we will leave our cyber networks vulnerable to future catastrophic events.

Related posts:

1. National Security Experts Launch Energy Initiative
2. A High-Risk, Low Reward Strategy Could Lose the Future
3. Zbigniew Brzezinski: After America

Washington (CNN) — Longtime observers of the Middle East are baffled by allegations that high-ranking officials in the Iranian government approved a plan to assassinate Saudi Arabia Ambassador, Adel al-Jubeir, and blow up the Saudi and Israeli embassies in Washington. Commentators have described the plan as “brazen,” but “bizarre” and ‘bone-headed” might be more appropriate adjectives.

It’s difficult to comprehend either the motives or the means selected to carry out the plan outlined by the Justice Department in its criminal indictment of Manssor Arbabsiar and Gholam Shakuri. Tensions between Iran and Saudi Arabia are not new, but Iran has been both cautious and clever enough to restrain its ambitions for regional dominance.

If the allegations of the assassination and bombing plot are true, and the covert operation had proved successful, Iran’s leaders would have invited retaliation on a scale far more vigorous than any they might have contemplated. Indeed, I think it’s fair to say that the Iranian landscape would likely have been substantially altered.

Assuming, however, that Ayatollah Ali Khamenei, the Supreme Leader, and President Mahmoud Ahmadinejad never authorized the action or were ever aware of it, both have great cause for concern. Elements in their covert, black bag, assassination/ terrorist unit were planning an attack that could have brought about the decapitation of their leadership, the obliteration of their ambitions to enter the nuclear weapons club and quite possibly have precipitated a global depression by engulfing the region in war. Rather than dismissing the plot as a Zionist fabrication, these leaders should be looking inward and holding accountable those who were responsible for undertaking such a dangerous and destructive mission.

While awaiting greater clarification from those responsible for moving forward with the prosecution against Arbabsiar and Shakuri, the United States should explore several options:

1. Bring the assassination and bombing plan to the United Nations Security Council and seek much tougher sanctions against Iran;

2. Encourage Saudi Arabia to review and revise its contractual arrangements with any country that refuses to support the imposition of tougher sanctions against Iran;

3. Intensify the effort to expose the activities of those nations who are circumventing the existing sanctions against Iran;

4. Make it clear to all members of the U.N. that Iran’s nuclear weapons program poses a serious threat to global stability. If a non-nuclear Iran initiated an assassination plan through a Mexican drug cartel, what would it be tempted to do once it possess a nuclear weapon?

5. Strengthen our ability to keep the Persian Gulf open should hostilities ever break out;

6. Force the administration and Congress to move forward on improving the defense posture of our friends and allies who are threatened by Iran;

7. Urge Saudi Arabia and the Gulf States to move more aggressively in constructing coordinated, regional defense and security policies; and

8. Release intelligence information, to the maximum extent possible, which exposes those in the Iranian regime responsible for this act — as a means of galvanizing support for the actions, such as additional sanctions, mentioned above.

The above options are illustrative only. Others may have more punitive measures in mind. But right now, the United States and Saudi Arabia should proceed with vigor and not permit Iran to hide its dagger behind its back in its left hand, while professing its innocence with the right.

The opinions expressed in this commentary are solely those of William S. Cohen.

Related posts:

1. Why EU Sanctions May Hurt the West More than Iran
2. Crossing the Rubicon
3. No-Fly Zone Over Libya: A Case for Multilateralism

Just a few years ago, conventional wisdom held that Google would be the vanguard of Internet freedom in China, transforming the way information flows throughout the historically closed society. But while the rapid expansion of the Internet in China has indeed served as a vital medium for political activism, Beijing has essentially kept pace with its extensive surveillance network to silence “cyber dissidents” and with its use of the Web as a pro-government propaganda machine to steer public opinion. At first glance, it appears that China’s censorship practices warrant a strong U.S. policy and a thorough condemnation from the Obama administration. But as Emily Parker, the Arthur Ross Fellow at the Asia Society, explains, U.S. technological innovation – not U.S. policy – is likely the most capable, effective, and politically sensible tool for chipping away at China’s Great Firewall.

Since Google’s departure, the Chinese government has taken action to tighten its grip on the Internet. Earlier this month, China quietly acknowledged the creation of a new “Internet news coordination bureau,” officially responsible for “guidance, coordination and other work related to the construction and management of Web culture.” And just this week, China’s legislature proposed an amendment to the Law on Guarding State Secrets that would require telecommunications companies to “detect, report and delete” leaks of “state secrets,” broadly defined by the government as “information concerning national security and interests that, if released, would harm the country’s security and interests.” These measures are just the latest pieces fastened to a massive regulatory system, much to the chagrin of the international human rights community and many of China’s 400 million Internet users.

But the Great Firewall is far from impenetrable. In fact, web-savvy citizens can circumvent it fairly easily through channels that exist beyond the government’s control like proxy servers or, more efficiently, virtual private networks (VPNs) – indispensible because they make foreign e-commerce possible. However, widespread unfettered access to “sensitive” information, like Google was expected to bring, remains elusive. But where Google Diplomacy failed, Parker believes that Twitter Diplomacy could succeed. While access to social networking sites remains blocked, an element of Twitter’s design called an open Application Programming Interface (API) allows coders to set up feeds that can be accessed at different URLs, which the government must stamp out one by one. This feature is especially significant since, according to Parker, the main objective of China’s censorship efforts is not to limit freedom of expression, but rather freedom of assembly through the use of the Internet as an “organizational tool”. And if the Twitter-driven escalation of the opposition protests in Iran last summer is any indication of the power of social networking sites to spur political action, Beijing’s recent censorship expansion should come as no surprise.

Increased access to VPNs and advancements in social networking allow Chinese citizens, themselves, to dissolve the Great Firewall from within. As Parker says, “what’s important is that these are fundamentally technological approaches, not overtly political ones.” It is important to remember that the U.S. and China have a complex, delicate, and deeply interdependent relationship, so if Internet freedom is to become a central political issue in China it must not be a result of direct U.S. political involvement. Such an approach would almost certainly provoke a nationalist backlash while lending credibility to Chinese government claims of American “imposition of value systems”.

Like many social and economic trends in China today, the natural appetite for freedom of information is converging with the incompatible constraints of a repressive government. Eventually, this convergence may reach a tipping point, and if it does, a stronger society will probably emerge. But if the United States hopes to play a role in nudging China toward that tipping point, it will most likely do so from Silicon Valley, not from Washington.

Related posts:

1. To Sanction or Not To Sanction: A report from Myanmar

But there is a flipside to this coin. Our collective security is now in more danger than ever for the very same reason the cyber revolution is such an amazing achievement – we are all interconnected. Virtually every aspect of our lives has an uninterruptable link to the cyber world. Our electricity, water, oil, telecommunications, banking, public transportation, air traffic control, and defense systems all rely on computer networks. “For all these reasons,” President Obama has said, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”

The international threat posed by cyber warfare is not hypothetical – it is very real and, more importantly, it is already upon us. South Korea has reported that its military computer networks now receive an average of 95,000 attempted cyber attacks daily. Israel recently admitted that it suffered a “massive” cyber attack during the Gaza military offensive in January. In April 2007, Estonia endured a prolonged siege of the websites for its parliament, banks, ministries, and police. This “Estonian Cyberwar” was carried out by Russian nationalist hackers during a heated confrontation over the relocation of The Bronze Soldier of Tallinn, a prominent Soviet-era monument. Similarly, in the days leading up to the Russia-Georgia conflict last July, many Georgian government web sites were paralyzed by cyber attacks. China and Russia have long been suspected of backing a large ring of state-sponsored cyber warfare, and Israel, India, Pakistan, and the United States have all allegedly launched offensive attacks as well. And now, in the midst of Iran’s post-election upheaval, Foreign Ministry spokesman Hasan Qashqavi has accused Western media outlets, particularly CNN and BBC, of facilitating the barrage of cyber attacks on various Iranian government web sites.

The US has not been impervious to its share of cyber attacks either. In April, The Wall Street Journal reported a breach (believed to be carried out by Chinese hackers) of the Pentagon’s largest weapons program – the $300 billion Joint Strike Fighter stealth aircraft. In fact, the Department of Defense detected 360 million attempted cyber attacks on its networks last year and the Pentagon has reportedly spent $100 million just to repair the damage incurred in the past six months. Army Lt. Gen. Keith Alexander, director of the NSA, has said “I’d like to say that our networks are secure, but that would not be correct.”

Clearly, President Obama’s recent announcement of a comprehensive national cybersecurity strategy was long overdue. The plan calls for the appointment of a White House Cyber Security Coordinator to oversee the government’s protection of all private sector networks. The strategy also includes the creation of a military Cyber Command to defend the Pentagon’s computer networks and to unify the cyber security effort across the armed services.

But with Obama expected to announce the identity of his “cyber czar” any day now, and with the DOD just having put the finishing touches on its Cyber Command, there remains many areas of contention. The struggle for control of the White House office has prompted a bitter turf war across many departments, although for now a tentative compromise has been reached between the NSA and the National Economic Council. Yesterday, Defense Secretary Robert Gates finally signed off on the Cyber Command after weeks of indecision among concerns that it will represent “the militarization of cyberspace”. Critics have expressed fear that the DOD and NSA will dominate other federal agencies’ cyber security responsibilities. Rod Beckstrom, former chief of the Homeland Security Department’s National Cyber Security Center, resigned in March, citing his fear that the growing reliance on the NSA poses “threats to our democratic processes.” Indeed, the most daunting task of all may be striking a balance between ensuring security and protecting privacy.

And so the questions abound. How should cyber security control be distributed across federal agencies? Will cyber attacks become the new weapon of choice for terrorists? Is this destined to become the next great revolution in modern warfare? Has cyber war attained that status already? What would it mean for America’s military dominance if a handful of computer geeks are soon able to rival an army? What steps, if any, can be taken to ensure our security without infringing on civil liberties?

For now, the questions vastly outnumber the answers. There seem to be just two certainties – that the cyber war environment is rapidly evolving, and that we are unprepared to face its potential challenges. As Obama has said, “America’s economic prosperity in the 21st century will depend on cyber security.” Yet for far too long, the cyber security effort has lagged well behind this unique and unprecedented threat. The administration has taken a positive stride toward safeguarding the nation’s networks, but the controversy and debate rages on. Hopefully, these measures represent the first step toward a responsible, coordinated, and robust security strategy for an unpredictable future. Only time will tell.

No related posts.

Although President Obama may have found a way to keep his BlackBerry, he will not be able to use it while executing his new job.  He might eventually be able to move to a phone-PDA certified by the National Security Agency to handle Top Secret voice, email, and website communications, but at the moment, the government is understandably wary of using handhelds for storing and transmitting classified information.

The threat of hackers and cyber thieves is very real and can be extremely dangerous.  If a “Group” (terrorist organization, nation, state, non-state actors-pick your poison) could coordinate a cyber attack with some type of physical intrusion or ground offensive, the “Group” could do some serious damage.  An example of such a scenario would be the controversy surrounding Russia’s invasion of Georgia last August.  Georgia had been experiencing distributed denial of service (DDoS) attacks targeting its government websites before and during the hostilities.  These attacks disrupted Georgia’s communications, but no direct evidence links the Russian government to having orchestrated the attacks.  It is also worth noting that a similar cyber attack happened in Estonia last year during tensions between Moscow and the Baltic state.  Czech Business Weekly states, “while no one is pointing fingers openly at Russia, all heads are turned in that direction.”  But, like the cyberattack on Georgia, no conclusive evidence points to the Russian Government.  In the case of Estonia, no ground offensive was necessary to effectively shutdown servers and major infrastructure-including the banking industry-setting off massive panic and a “cyber-riot” that plunged the tech-savvy country in the cyber dark for over two weeks.

Although this scenario is unlikely to happen in the United States, America is certainly not immune to cyber attacks.  America’s information systems have been targeted for decades.  In 2007, the Pentagon’s systems were hacked. Although China was “blamed” for the attack via indirect channels, there is no conclusive evidence that they where behind the breach.  Obama and McCain’s Campaign computers were hacked mid-summer 2008 by “a foreign government or organization” looking for proposed policy information.  In November 2008, the Department of Defense acknowledged their systems had been infected by a virus and, subsequently, banned the use of all thumb drives.  Just think: electricity, water, transportation, all major infrastructures, are run by computer.  A well placed virus can cause a system to malfunction quickly.

Is this making anyone else a bit nervous?

But, good news!  Obama just outlined his Cyber-Security Strategy.  The outline of this strategy is embedded in a Homeland Security Agenda;  it highlights six major categories in which the Obama Administration wants to focus:  (The whole document is worth a look.)

• Strengthen Federal Leadership on Cyber Security
• Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure
• Protect the IT Infrastructure That Keeps America’s Economy Safe
• Prevent Corporate Cyber-Espionage
• Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit
• Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches

The strategy seems to be pulling mostly from the bipartisan CSIS Commission on Cybersecurity’s recommendations released last year.  But there are more than a few hiccups, which I hope will be addressed when the logistics of the Cyber Security Strategy are revealed.  (First on the list is to decide if you are going to make Cyber Security one word or two…)

Some questions come to mind:  Putting aside the huge question of funding the projects, will the soon-to-be created post of National Cyber Advisor be from the private industry or from a government agency?  Will the new programs be housed within existing government agencies or will they actually create a Cybersecurity BatCave somewhere?  If so, what government agency has jurisdiction?  How will this BatCave communicate with other government and intelligence agencies?  Will this place be staffed with employees/agents who have arresting powers-international and domestic-or a compilation of other agency experts?  (Note:  this tactic didn’t work all that well when creating the DHS.)  Basically, how will the agencies who already have division who deal with cybercrime-NSA, FBI, and DHS to name a few-react to this new strategy?  Will this new cyber emphasis (though badly needed) actually get the resources it needs to be effective?  And probably most importantly:  How will the Cybersecurity BatCave itself be secured against cyber attacks?  Having all the cybersecurity and vulnerability attack data in one place is a lot of eggs to have in one basket.

There are obviously lots of questions that need to be answered, but having Hillary Clinton list “cyber” as a weapon of mass destruction during her confirmation hearings (instead of it being known as a weapon of mass disruption) is a step in the right direction…we just need to get going as soon as possible.

No related posts.