FROM: THE WHITE HOUSE TECHNOLOGY
March 02, 2015
Readout of the President's Meeting with Members of the Technology CEO Council
Today, President Obama met with members of the Technology CEO Council to discuss 21st century economic and security issues including trade, cybersecurity, immigration and tax reform. Growing U.S. exports to support new opportunities for our workers and businesses is a top priority for the President and the members of the Council, who reiterated their commitment to building bipartisan support for Trade Promotion Authority (TPA) as a critical first step towards strong new trade agreements with high standards in critical areas such as labor, environment, and technology services.
The President also highlighted our continued progress towards fixing our broken immigration system -- including a final rule announced last week that gives U.S. work authorization to spouses of certain high-skilled immigrant workers who are approved for a green card and waiting for one to become available. The President and the Tech CEO Council agreed that immigration reform remains an imperative for our nation and high tech sector, and that we should continue striving for comprehensive reform that will fix our broken immigration system once and for all.
The group also shared concerns on cybersecurity and agreed to work with the Administration and Congress to develop better methods to help protect our critical infrastructure and privacy. The President and the executives also discussed a shared desire to work with Congress to enact pro-growth, business tax reform.
Participants Included:
Ursula Burns, Chairman and CEO, Xerox Corp.; Chair of Tech CEO Council
Michael Dell, Chairman and CEO, Dell Inc.
Mark Durcan, CEO and Director, Micron Technology Inc.
Steve Mollenkopf, CEO, Qualcomm Inc.
Ginni Rometty, Chairman, President and CEO, IBM Corp.
Joe Tucci, Chairman and CEO, EMC Corp.
White House Participants:
Valerie Jarrett, White House Senior Advisor
Jeff Zients, Director of the White House National Economic Council
Megan Smith, Chief Technology Officer
Showing posts with label CYBERSECURITY. Show all posts
Showing posts with label CYBERSECURITY. Show all posts
Wednesday, March 4, 2015
Thursday, February 5, 2015
SEC IDENTIFIES WAYS TO PROTECT ONLINE INVESTMENT ACCOUNTS
FROM: U.S. SECURITIES AND EXCHANGE
The Securities and Exchange Commission today released publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.
“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC Chair Mary Jo White. “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”
One publication, a Risk Alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how these firms:
Identify cybersecurity risks
Establish cybersecurity policies, procedures, and oversight processes
Protect their networks and information
Identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors
Detect unauthorized activity
“Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness,” said OCIE Director Andrew Bowden. “We hope that investors and industry participants will also benefit from what we have learned.”
The second publication, an Investor Bulletin issued by the SEC’s Office of Investor Education and Advocacy (OIEA), provides core tips to help investors safeguard their online investment accounts, including:
Pick a “strong” password
Use two-step verification
Exercise caution when using public networks and wireless connections
“As investors increasingly use web-based investment accounts, it is critical that they take steps to safeguard those accounts,” said OIEA Director Lori J. Schock. “This bulletin provides everyday investors with a set of useful tips to help protect themselves from cyber-criminals and online fraud.”
The Securities and Exchange Commission today released publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.
“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC Chair Mary Jo White. “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”
One publication, a Risk Alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how these firms:
Identify cybersecurity risks
Establish cybersecurity policies, procedures, and oversight processes
Protect their networks and information
Identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors
Detect unauthorized activity
“Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness,” said OCIE Director Andrew Bowden. “We hope that investors and industry participants will also benefit from what we have learned.”
The second publication, an Investor Bulletin issued by the SEC’s Office of Investor Education and Advocacy (OIEA), provides core tips to help investors safeguard their online investment accounts, including:
Pick a “strong” password
Use two-step verification
Exercise caution when using public networks and wireless connections
“As investors increasingly use web-based investment accounts, it is critical that they take steps to safeguard those accounts,” said OIEA Director Lori J. Schock. “This bulletin provides everyday investors with a set of useful tips to help protect themselves from cyber-criminals and online fraud.”
Monday, January 19, 2015
WHITE HOUSE FACT SHEET ON U.S.-U.K. CYBERSECURITY COOPERATION
FROM: THE WHITE HOUSE
January 16, 2015
FACT SHEET: U.S.-United Kingdom Cybersecurity Cooperation
The United States and the United Kingdom agree that the cyber threat is one of the most serious economic and national security challenges that our nations face. Every day foreign governments, criminals, and hackers are attempting to probe, intrude into, and attack government and private sector systems in both of our countries. President Obama and Prime Minister Cameron have both made clear that domestic cybersecurity requires cooperation between governments and the private sector. Both leaders additionally recognized that the inherently international nature of cyber threats requires that governments around the world work together to confront those threats.
During their bilateral meetings in Washington, D.C. this week, President Obama and Prime Minister Cameron agreed to further strengthen and deepen the already extensive cybersecurity cooperation between the United States and the United Kingdom. Both leaders agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyber issues, and support new educational exchanges between U.S. and British cybersecurity scholars and researchers.
Improving Critical Infrastructure Cybersecurity
The United States and United Kingdom are committed to our ongoing efforts to improve the cybersecurity of our critical infrastructure and respond to cyber incidents. Both governments have agreed to bolster our efforts to increase threat information sharing and conduct joint cybersecurity and network defense exercises to enhance our combined ability to respond to malicious cyber activity. Our initial joint exercise will focus on the financial sector, with a program running over the coming year. Further, we will work with industry to promote and align our cybersecurity best practices and standards, to include the U.S. Cybersecurity Framework and the United Kingdom’s Cyber Essentials scheme.
Strengthening Cooperation on Cyber Defense
The United States and the United Kingdom work closely on a range of cybersecurity and cyber defense matters. For example, the U.S. Computer Emergency Readiness Team (US-CERT) and CERT-UK collaborate on computer network defense and sharing information to address cyber threats and manage cyber incidents. To deepen this collaboration in other areas, the United Kingdom’s Government Communications Headquarters (GCHQ) and Security Service (MI5) are working with their U.S. partners – the National Security Agency and the Federal Bureau of Investigation – to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale.
Supporting Academic Research on Cybersecurity Issues
The governments of both the United States and the United Kingdom have agreed to provide funding to support a new Fulbright Cyber Security Award. This program will provide an opportunity for some of the brightest scholars in both countries to conduct cybersecurity research for up to six months. The first cohort is expected to start in the 2016-17 academic year, and the U.S.-UK Fulbright Commission will seek applications for this cohort later this year.
In addition, the Massachusetts Institute of Technology’s Computer Science & Artificial Intelligence Laboratory (located in Cambridge, MA) has invited the University of Cambridge in the United Kingdom to take part in a “Cambridge vs. Cambridge” cybersecurity contest. This competition is intended to be the first of many international university cybersecurity competitions. The aim is to enhance cybersecurity research at the highest academic level within both countries to bolster our cyber defenses.
January 16, 2015
FACT SHEET: U.S.-United Kingdom Cybersecurity Cooperation
The United States and the United Kingdom agree that the cyber threat is one of the most serious economic and national security challenges that our nations face. Every day foreign governments, criminals, and hackers are attempting to probe, intrude into, and attack government and private sector systems in both of our countries. President Obama and Prime Minister Cameron have both made clear that domestic cybersecurity requires cooperation between governments and the private sector. Both leaders additionally recognized that the inherently international nature of cyber threats requires that governments around the world work together to confront those threats.
During their bilateral meetings in Washington, D.C. this week, President Obama and Prime Minister Cameron agreed to further strengthen and deepen the already extensive cybersecurity cooperation between the United States and the United Kingdom. Both leaders agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyber issues, and support new educational exchanges between U.S. and British cybersecurity scholars and researchers.
Improving Critical Infrastructure Cybersecurity
The United States and United Kingdom are committed to our ongoing efforts to improve the cybersecurity of our critical infrastructure and respond to cyber incidents. Both governments have agreed to bolster our efforts to increase threat information sharing and conduct joint cybersecurity and network defense exercises to enhance our combined ability to respond to malicious cyber activity. Our initial joint exercise will focus on the financial sector, with a program running over the coming year. Further, we will work with industry to promote and align our cybersecurity best practices and standards, to include the U.S. Cybersecurity Framework and the United Kingdom’s Cyber Essentials scheme.
Strengthening Cooperation on Cyber Defense
The United States and the United Kingdom work closely on a range of cybersecurity and cyber defense matters. For example, the U.S. Computer Emergency Readiness Team (US-CERT) and CERT-UK collaborate on computer network defense and sharing information to address cyber threats and manage cyber incidents. To deepen this collaboration in other areas, the United Kingdom’s Government Communications Headquarters (GCHQ) and Security Service (MI5) are working with their U.S. partners – the National Security Agency and the Federal Bureau of Investigation – to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale.
Supporting Academic Research on Cybersecurity Issues
The governments of both the United States and the United Kingdom have agreed to provide funding to support a new Fulbright Cyber Security Award. This program will provide an opportunity for some of the brightest scholars in both countries to conduct cybersecurity research for up to six months. The first cohort is expected to start in the 2016-17 academic year, and the U.S.-UK Fulbright Commission will seek applications for this cohort later this year.
In addition, the Massachusetts Institute of Technology’s Computer Science & Artificial Intelligence Laboratory (located in Cambridge, MA) has invited the University of Cambridge in the United Kingdom to take part in a “Cambridge vs. Cambridge” cybersecurity contest. This competition is intended to be the first of many international university cybersecurity competitions. The aim is to enhance cybersecurity research at the highest academic level within both countries to bolster our cyber defenses.
Saturday, January 17, 2015
VP BIDEN MAKES ANNOUNCEMENT REGARDING CYBERSECURITY EDUCATION FUNDING
FROM: THE WHITE HOUSE
January 15, 2015
Vice President Biden Announces $25 Million in Funding for Cybersecurity Education at HBCUs
Today, Vice President Biden, Secretary of Energy Ernest Moniz, and White House Science Advisor John Holdren are traveling to Norfolk State University in Norfolk, Virginia to announce that the Department of Energy will provide a $25 million grant over the next five years to support cybersecurity education. The new grant will support the creation of a new cybersecurity consortium consisting of 13 Historically Black Colleges and Universities (HBCUs), two national labs, and a k-12 school district.
The Vice President will make the announcement as part of a roundtable discussion with a classroom of cybersecurity leaders and students at Norfolk State University. The visit builds on the President’s announcements on cybersecurity earlier this week, focusing on the critical need to fill the growing demand for skilled cybersecurity professionals in the U.S. job market, while also diversifying the pipeline of talent in the science, technology, engineering, and mathematics (STEM) fields. The event and announcement is also an opportunity to highlight the Administration’s ongoing commitment to HBCUs.
Details on the Announcement
As highlighted by the President earlier in the week, the rapid growth of cybercrime is creating a growing need for cybersecurity professionals across a range of industries, from financial services, health care, and retail to the US government itself. By some estimates, the demand for cybersecurity workers is growing 12 times faster than the U.S. job market, and is creating well-paying jobs.
To meet this growing need, the Department of Energy is establishing the Cybersecurity Workforce Pipeline Consortium with funding from the Minority Serving Institutions Partnerships Program housed in its National Nuclear Security Administration. The Minority Service Institutions Program focuses on building a strong pipeline of talent from minority-serving institutions to DOE labs, with a mix of research collaborations, involvement of DOE scientists in mentoring, teaching and curriculum development, and direct recruitment of students.
With $25M in overall funding over five years, and with the first grants this year, the Cybersecurity Workforce Pipeline Consortium will bring together 13 HBCUs, two DOE labs, and the Charleston County School District with the goal of creating a sustainable pipeline of students focused on cybersecurity issues. The consortium has a number of core attributes:
It is designed as a system. This allows students that enter through any of the partner schools to have all consortia options available to them, to create career paths and degree options through collaboration between all the partners (labs and schools), and to open the doors to DOE sites and facilities.
It has a range of participating higher education institutions. With Norfolk State University as a the lead, the consortium includes a K-12 school district, a two-year technical college, as well as four-year public and private universities that offer graduate degrees.
Built to change to evolving employer needs: To be successful in the long term, this program is designed to be sufficiently flexible in its organization to reflect the unique regional priorities that Universities have in faculty research and developing STEM disciplines and skills, and DOE site targets for research and critical skill development.
Diversifying the pipeline by working with leading minority-serving institutions: As the President stated in Executive Order 13532, “Promoting Excellence, Innovation, and Sustainability at Historically Black Colleges and Universities” in February 2010, America’s HBCUs, for over 150 years, have produced many of the Nation’s leaders in science, business, government, academia, and the military, and have provided generations of American men and women with hope and educational opportunity.
January 15, 2015
Vice President Biden Announces $25 Million in Funding for Cybersecurity Education at HBCUs
Today, Vice President Biden, Secretary of Energy Ernest Moniz, and White House Science Advisor John Holdren are traveling to Norfolk State University in Norfolk, Virginia to announce that the Department of Energy will provide a $25 million grant over the next five years to support cybersecurity education. The new grant will support the creation of a new cybersecurity consortium consisting of 13 Historically Black Colleges and Universities (HBCUs), two national labs, and a k-12 school district.
The Vice President will make the announcement as part of a roundtable discussion with a classroom of cybersecurity leaders and students at Norfolk State University. The visit builds on the President’s announcements on cybersecurity earlier this week, focusing on the critical need to fill the growing demand for skilled cybersecurity professionals in the U.S. job market, while also diversifying the pipeline of talent in the science, technology, engineering, and mathematics (STEM) fields. The event and announcement is also an opportunity to highlight the Administration’s ongoing commitment to HBCUs.
Details on the Announcement
As highlighted by the President earlier in the week, the rapid growth of cybercrime is creating a growing need for cybersecurity professionals across a range of industries, from financial services, health care, and retail to the US government itself. By some estimates, the demand for cybersecurity workers is growing 12 times faster than the U.S. job market, and is creating well-paying jobs.
To meet this growing need, the Department of Energy is establishing the Cybersecurity Workforce Pipeline Consortium with funding from the Minority Serving Institutions Partnerships Program housed in its National Nuclear Security Administration. The Minority Service Institutions Program focuses on building a strong pipeline of talent from minority-serving institutions to DOE labs, with a mix of research collaborations, involvement of DOE scientists in mentoring, teaching and curriculum development, and direct recruitment of students.
With $25M in overall funding over five years, and with the first grants this year, the Cybersecurity Workforce Pipeline Consortium will bring together 13 HBCUs, two DOE labs, and the Charleston County School District with the goal of creating a sustainable pipeline of students focused on cybersecurity issues. The consortium has a number of core attributes:
It is designed as a system. This allows students that enter through any of the partner schools to have all consortia options available to them, to create career paths and degree options through collaboration between all the partners (labs and schools), and to open the doors to DOE sites and facilities.
It has a range of participating higher education institutions. With Norfolk State University as a the lead, the consortium includes a K-12 school district, a two-year technical college, as well as four-year public and private universities that offer graduate degrees.
Built to change to evolving employer needs: To be successful in the long term, this program is designed to be sufficiently flexible in its organization to reflect the unique regional priorities that Universities have in faculty research and developing STEM disciplines and skills, and DOE site targets for research and critical skill development.
Diversifying the pipeline by working with leading minority-serving institutions: As the President stated in Executive Order 13532, “Promoting Excellence, Innovation, and Sustainability at Historically Black Colleges and Universities” in February 2010, America’s HBCUs, for over 150 years, have produced many of the Nation’s leaders in science, business, government, academia, and the military, and have provided generations of American men and women with hope and educational opportunity.
Tuesday, December 16, 2014
HOMELAND SECURITY CHIEF'S STATEMENT ON PASSAGE OF CYBERSECURITY LEGISLATION
FROM: U.S. DEPARTMENT OF HOMELAND SECURITY
Statement by Secretary Johnson on the Passage of Critical Cybersecurity Legislation
Release Date: December 11, 2014
For Immediate Release
Congress passed four pieces of legislation critical to cybersecurity.
S. 2519, the National Cybersecurity Protection Act of 2014, passed by the Senate yesterday and the House today, will enhance the ability of the Department of Homeland Security to work with the private sector on cybersecurity. The bill provides explicit authority for this Department to provide assistance to the private sector in identifying vulnerabilities and restoring their networks following an attack. The bill also establishes in law this Department's National Cybersecurity and Communications Integration Center as a federal civilian interface with the private sector for purposes of cybersecurity information sharing.
S. 2521, the Federal Information Security Modernization Act of 2014, passed by the Senate Monday and the House yesterday, codifies the responsibility of this Department to assist other federal civilian departments and agencies in each of their own cybersecurity activities, and administer implementation of government-wide cyber security policies.
S. 1691, the Border Patrol Agent Pay Reform Act of 2014 (passed yesterday; about which I issued a separate statement earlier today) includes language to enhance this Department’s ability to hire and pay a cybersecurity workforce. Similarly, H.R. 2952, the Cybersecurity Workforce Assessment Act, provides that this Department undertake an assessment of its cybersecurity workforce and update Congress on the steps taken to enhance it.
On behalf of the men and women of this Department, I appreciate the bipartisan support by Congress for our cybersecurity mission. I also thank Congress for passage of H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorists Act of 2014, which authorizes and improves the Chemical Facility Anti-Terrorism Standards program administered by this Department. Congress this week has shown great overall support for this Department and its missions.
I thank the Congress for its bipartisan support for these bills. I also salute the leadership of Senators Tom Carper and Tom Coburn, and Representatives Michael McCaul, Patrick Meehan, Bennie Thompson, and Yvette Clarke, and their staffs, in pushing these bills through to passage, and for their support of the men and women of the Department of Homeland Security.
Statement by Secretary Johnson on the Passage of Critical Cybersecurity Legislation
Release Date: December 11, 2014
For Immediate Release
Congress passed four pieces of legislation critical to cybersecurity.
S. 2519, the National Cybersecurity Protection Act of 2014, passed by the Senate yesterday and the House today, will enhance the ability of the Department of Homeland Security to work with the private sector on cybersecurity. The bill provides explicit authority for this Department to provide assistance to the private sector in identifying vulnerabilities and restoring their networks following an attack. The bill also establishes in law this Department's National Cybersecurity and Communications Integration Center as a federal civilian interface with the private sector for purposes of cybersecurity information sharing.
S. 2521, the Federal Information Security Modernization Act of 2014, passed by the Senate Monday and the House yesterday, codifies the responsibility of this Department to assist other federal civilian departments and agencies in each of their own cybersecurity activities, and administer implementation of government-wide cyber security policies.
S. 1691, the Border Patrol Agent Pay Reform Act of 2014 (passed yesterday; about which I issued a separate statement earlier today) includes language to enhance this Department’s ability to hire and pay a cybersecurity workforce. Similarly, H.R. 2952, the Cybersecurity Workforce Assessment Act, provides that this Department undertake an assessment of its cybersecurity workforce and update Congress on the steps taken to enhance it.
On behalf of the men and women of this Department, I appreciate the bipartisan support by Congress for our cybersecurity mission. I also thank Congress for passage of H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorists Act of 2014, which authorizes and improves the Chemical Facility Anti-Terrorism Standards program administered by this Department. Congress this week has shown great overall support for this Department and its missions.
I thank the Congress for its bipartisan support for these bills. I also salute the leadership of Senators Tom Carper and Tom Coburn, and Representatives Michael McCaul, Patrick Meehan, Bennie Thompson, and Yvette Clarke, and their staffs, in pushing these bills through to passage, and for their support of the men and women of the Department of Homeland Security.
Saturday, December 6, 2014
ASSISTANT AG CALDWELL MAKES SPEECH AT CYBERCRIME 2020 SYMPOSIUM
FROM: U.S. JUSTICE DEPARTMENT
Assistant Attorney General Leslie R. Caldwell Speaks at Cybercrime 2020 Symposium
Washington, DCUnited States ~ Thursday, December 4, 2014
Good morning and welcome to the Criminal Division’s inaugural symposium on cybercrime. Before we start, I would like to thank Dean Treanor and the Georgetown Law Center for being such gracious partners in planning and holding this event.
I would also like to thank the moderators and panelists for traveling from across the country to contribute their expertise to today’s discussions. We have assembled an impressive array of experts from the private sector, academia, privacy groups, and all three branches of government, and I am looking forward to the diverse perspectives they will be sharing with us today.
A special welcome and thanks to Troels Orting, our keynote speaker, who has traveled the farthest to be with us today. Troels is the Director of Europol’s European Cybercrime Center or “EC3,” which is headquartered at the Hague in the Netherlands. In recent months, the Criminal Division, U.S. Attorneys’ Offices, federal investigators, and private companies have executed some of the most elaborate law enforcement operations ever attempted in the cybercrime arena. Troels and EC3 have been instrumental to the success of those operations.
You’ll hear more about that in a moment, but I wanted to make sure I expressed my personal appreciation to him and EC3. I believe that such robust cooperation within the international law enforcement community is the necessary future of cybercrime investigations. I anticipate that the Department of Justice and EC3 will be allies for years to come.
Today’s symposium is focused on the future of technology and online crime, so I expect that you will be hearing a lot about “change” and “evolution.” I want to briefly discuss the state of affairs today, and how I see cybercrime evolving over the coming years.
I also want to take this opportunity to talk about changes within the Criminal Division and our evolving efforts to deter, investigate, and prosecute cyber criminals and to protect the country’s computer networks from cyber threats in the first instance.
In that regard, I will highlight two ways in which we are addressing the growing threat:
First, we are mounting increasingly innovative and cooperative, international law enforcement operations to disrupt cyber criminal organizations across the globe;
Second, we are increasing our efforts to prevent cyber attacks by providing resources for our public and private partners to enhance cyber security across the board. In furtherance of this effort, we are creating a dedicated Cybersecurity Unit within the Criminal Division, which I will discuss more in a moment.
As I mentioned, I will start with a few words about the Internet and technology, how they are influencing the crimes we see today, and how we anticipate they will shape the crimes of tomorrow.
By now it has become obvious not only to those of us who gather at events like this but to the entire world: the Internet and related technologies have changed the way we work, play, and live. Everyone in this room is carrying a cell phone, tablet, or some other device that is connected to the Internet right now. The vast majority of Americans have made technology part of their everyday lives.
This boom in Internet-driven technology brings with it new opportunities for innovation, productivity, and entertainment. It is helping people connect locally and globally through email, social networking, and various other forms of communication. It is helping our businesses compete in expanding markets. It is giving us ready access to a seemingly endless stream of information, resources, and services unlike anything that preceded it. From big companies to tiny start-ups, innovation is taking place around the world at a dizzying pace.
Unfortunately, there is also a flip side to these advances. A tool that has become so vital to families, consumers, businesses, and governments was also bound to become a target for criminals. Not surprisingly, cyber criminals are taking advantage of the same advances in technology to perpetrate more complex and extensive crimes. Indeed, according to data from the 2013 Norton Report, there will be more than 14,000 additional victims of online crime by the time I have finished this speech.
For the foreseeable future, cybercrime will increase in both volume and sophistication. By exploiting technology, the most skilled cyber criminals will be capable of committing crimes on a scale that will result in more lost data, greater damage to the security of networks, and greater risk to Internet users. We are already getting glimpses of this new criminal tide.
Last year, two cyber intrusions targeting the banking system inflicted $45 million in losses on the global financial system in a matter of hours. Let me emphasize, that figure is not a speculative estimate or a projection. That is the sum total of money that the perpetrators withdrew from banks around the world by breaking into bank computers and removing limits on the amount of money they could withdraw from ATM machines. That crime dwarfed the biggest bank heists in U.S. history several times over, and the masterminds never had to worry about security guards, dye-packs, or silent alarms. In fact, they never had to leave home.
Our dependence on technology is also ushering in a new era of online breaches. Ever larger networks are processing more consumer data in an effort to make our purchases simpler and less time consuming. These networks transmit vast amounts of personal and financial data, and enterprising hackers are targeting them to produce data breaches that dwarf anything we’ve seen before. Individual breaches regularly put at risk the financial information of tens of millions of consumers. This threatens consumer confidence and has devastating consequences for companies who have fallen victim.
We have also witnessed the rise of another type of intrusion that causes harms less simple to quantify. Rather than stealing money or valuable financial data, these breaches have robbed people of their privacy. Some hackers have become virtual home invaders, using malware to tap into personal webcams located in homes around the world so they can spy on our most intimate moments. Other hackers have broken into online storage accounts and personal devices to snatch personal photos or communications for money or prurient thrills.
So, how is the Department responding to these new types of online threats and challenges? In the case of the $45 million dollar cyber heist I mentioned, we were able to promptly find, arrest and prosecute some of those responsible. Thus far, 13 defendants have been convicted for their participation in the scheme. The Criminal Division and U.S. Attorneys’ Offices are bringing the lessons of this successful prosecution and others to the investigations of recent breaches that have been in the news.
While arrests and prosecutions are our primary goal, we recognize that it is increasingly common for sophisticated cyber criminals to base themselves overseas in countries where they are not so easily reached. Consequently, we have adjusted our tactics in two significant ways. We are engaging in larger, international law enforcement operations to target criminals around the globe. And, we are acting up front to stop the harm that these cyber criminals are causing, even before we can get them into custody. A prime example of this has been our approach to “botnets.”
“Botnets” are networks of computers that have been secretly infected by malware and controlled by criminals. Some botnets are millions of computers strong. Once created, they can be used without a computer owner’s knowledge to engage in a variety of criminal activities, including siphoning off personal and financial data, conducting disruptive cyber attacks, and distributing malware to infect other computers.
One particularly destructive botnet—called Gameover Zeus—was used by criminals to steal millions of dollars from businesses and consumers and to extort additional millions of dollars in a “ransomware” scheme. Ransomware is malware that secretly encrypts your hard drive and then demands payments to restore access to your own files and data. Ransomware called “Cryptolocker” was distributed through the Gameover Zeus Botnet, which infected hundreds of thousands of computers, approximately half of which were located in the United States. It generated more than $27 million in ransom payments for its creators, including Russian hacker Evgeniy Bogachev, in just the first two months after it emerged.
But through carefully choreographed international law enforcement coordination, we not only identified and obtained a 14-count indictment against Bogachev, but also obtained injunctions and court orders to dismantle the network of computers he used to orchestrate his scheme. The Justice Department, U.S. law enforcement, numerous private sector partners, and foreign partners in more than 10 countries, as well as EC3, mounted court-authorized operations that allowed us to wrest control of the botnet away from the criminals, disable it, and start to repair the damage it caused.
This afternoon, you will hear from David Hickton, the U.S. Attorney for the Western District of Pennsylvania, whose office worked with CCIPS to spearhead this effort. This case serves as a model of both international cooperation and our ability to mitigate the damage caused by cyber criminals even before making an arrest.
In another international operation, just a few weeks ago, we targeted so-called “dark market” websites selling illegal goods and services online. These websites were operating on the “Tor” network, a special network of computers on the Internet designed to conceal the locations of individuals who use it. The websites we targeted traded in illegal narcotics; firearms; stolen credit card data; counterfeit currency; fake passports and other identification documents; and computer-hacking tools and services. Using court-authorized legal process and mutual legal assistance treaty requests, the Department, the FBI, and international partners from approximately 16 foreign nations working under the umbrella of EC3 seized over 400 Tor addresses associated with dozens of websites, as well as multiple computer servers hosting these websites.
Once again, international cooperation among the world’s law enforcement agencies was pivotal to the success of this global operation. And, once again, we were able to disrupt cybercrime in manners other than traditional arrest and prosecution.
In addition to undertaking these innovative international operations and takedowns, the Criminal Division is also re-orienting itself to better address the complex nature of cyber threats on multiple fronts.
High-tech crimes are not new to the Criminal Division. We have been investigating and prosecuting computer crimes since the Division created the Computer Crime and Intellectual Property Section, or “CCIPS,” in 1996. As I have already described, CCIPS prosecutors have led complex computer crimes investigations for years, and this work will continue.
Through CCIPS, the Criminal Division has also supported and expanded our U.S. Attorneys’ Offices’ expertise and capacity to tackle the most complex cybercrimes. CCIPS has worked over the last 12 years to build the Computer Hacking and Intellectual Property or “CHIP” Network with U.S. Attorneys’ Offices across the nation, which is now over 270 prosecutors strong. That network has fostered a close partnership between CCIPS and the U.S. Attorneys’ Offices in addressing the nation’s most sophisticated computer crimes. In addition, over the last two years, the CHIP Network was used as the model for the National Security Cyber Specialists’ network, a partnership among the National Security Division, the U.S. Attorneys’ Offices, and CCIPS that focuses on cyber threats to national security.
As the threats increase daily, however, I want to make sure that cyber security is receiving the dedicated attention it requires. It is important that we address cyber threats on multiple fronts, with both a robust enforcement strategy as well as a broad prevention strategy. I am, therefore, announcing today the creation of the Cybersecurity Unit within CCIPS. The Cybersecurity Unit will have responsibility on behalf of the Criminal Division for a variety of efforts we are undertaking to enhance public and private cyber security efforts.
Given the growing complexity and volume of cyber attacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attacks, the Cybersecurity Unit will play an important role in this field. Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of every day Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.
As you know, the private sector has proved to be an increasingly important partner in our fight against all types of online crime, but particularly cyber security-related matters. Prosecutors from the Cybersecurity Unit will be engaging in extensive outreach to facilitate cooperative relationships with our private sector partners. This is a fight that the government cannot and will not wage alone.
As just one example of the kind of outreach we can do, earlier this year, we heard concerns expressed by communications service providers about uncertainty over whether the Electronic Communications Privacy Act prohibits sharing certain cyber threat information. This uncertainty limited the lawful sharing of information that could better protect networks from cyber threats. In response, we produced a white paper in May to address these concerns and publicly released our analysis of the issue. We will continue to engage in this open dialogue about emerging issues and to clear roadblocks like this one.
Finally, we will be engaging with the public at-large about cyber security issues. Over the past several years, but especially this past year, I have noticed a growing public distrust of law enforcement surveillance and high-tech investigative techniques. This kind of mistrust can hamper investigations and cyber security efforts. Most of this mistrust, however, comes from misconceptions about the technical abilities of the law enforcement tools and the manners in which they are used. I hope to engage the public directly on these issues and to allay concerns.
CCIPS already plays an important role in this regard, and I expect that to expand with the Cybersecurity Unit. CCIPS’s manuals on laws governing searching and seizing computers, electronic surveillance, and prosecuting computer crimes are probably the most comprehensive materials on those topics you will find anywhere. To ensure transparency and wide access to this helpful information, those manuals are publicly available on CCIPS’s website, cybercrime.gov.
I would like to start the public dialogue, however, by briefly addressing an overarching misconception: the apparent belief that privacy and civil liberties are afterthoughts to criminal investigators. In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously. Privacy concerns are not just tacked onto our investigations, they are baked in. Privacy concerns are in the laws that set the ground rules for us to follow; the Departmental policies that govern our investigative and prosecutorial conduct; the accountability we must embrace when we present our evidence to a judge, a jury, and the public in an open courtroom; and in the proud culture of the Department.
We not only carefully consider privacy implications throughout our investigations, but we also dedicate significant resources to protecting the privacy of Americans from hackers who steal our financial and credit card information, online predators that stalk and exploit our children, and cyber thieves who steal the trade secrets of innovative American entrepreneurs. As just an example our efforts, we recently announced the conviction of a Danish citizen who marketed and sold StealthGenie, a spyware application or “app” that could remotely monitor calls, texts, videos and other communications on mobile phones without detection. This app was marketed to individuals who wanted to spy on spouses and lovers suspected of infidelity.
Additionally, earlier this year, the FBI and the U.S. Attorney for the Southern District of New York announced charges against the owner of “Blackshades,” which sold the Blackshades Remote Access Tool. EC3 again played a substantial role in this worldwide takedown, which resulted in the arrests of more than 90 people across the globe. The Blackshades tool was used by hackers to gain access to victims’ personal computers to secretly steal files and account information, browse personal photos, and even to monitor the victims through their own webcams. This software tool illustrates one of the scariest capabilities of hackers to date, as the Blackshades product or a similar tool was used by one hacker to secretly capture naked photos of teens and young women, including Miss Teen USA. The hacker then used the photos to extort his victims—with threats that he would post the photos on the Internet—into sending additional nude photos and videos.
These are just two examples of our work to investigate and prosecute criminals who invade the privacy of unsuspecting citizens. We hope that continuing to host symposiums like this one—and other outreach efforts—will help combat misconceptions about the Department’s efforts to protect the privacy of Americans. Outreach allows us to participate in the growing public debate about evolving technology. The open debate will benefit from the information that we can contribute about how technology is being used by criminals, how we are leveraging technology to investigate and disrupt criminal activity, and how technology can be leveraged in the public and private sectors to enhance cyber security. Without that information, misconceptions and inaccuracies can take root and hamper enforcement efforts as well as cyber security programs.
Georgetown and the Department designed today’s event to bring diverse viewpoints together. Our aim is to make sure that a range of perspectives are presented. Of course, there will be limits to what Department representatives can publicly discuss for a variety of reasons, including the potential of harming an ongoing investigation, the need to protect individuals who are the subjects of investigations, and statutory and Departmental restrictions on disclosure of certain information. Regardless, we are excited to add our voice to the debate and grateful to Georgetown and to all of you for supporting this event. We hope it will be the first of many.
Thank you.
Assistant Attorney General Leslie R. Caldwell Speaks at Cybercrime 2020 Symposium
Washington, DCUnited States ~ Thursday, December 4, 2014
Good morning and welcome to the Criminal Division’s inaugural symposium on cybercrime. Before we start, I would like to thank Dean Treanor and the Georgetown Law Center for being such gracious partners in planning and holding this event.
I would also like to thank the moderators and panelists for traveling from across the country to contribute their expertise to today’s discussions. We have assembled an impressive array of experts from the private sector, academia, privacy groups, and all three branches of government, and I am looking forward to the diverse perspectives they will be sharing with us today.
A special welcome and thanks to Troels Orting, our keynote speaker, who has traveled the farthest to be with us today. Troels is the Director of Europol’s European Cybercrime Center or “EC3,” which is headquartered at the Hague in the Netherlands. In recent months, the Criminal Division, U.S. Attorneys’ Offices, federal investigators, and private companies have executed some of the most elaborate law enforcement operations ever attempted in the cybercrime arena. Troels and EC3 have been instrumental to the success of those operations.
You’ll hear more about that in a moment, but I wanted to make sure I expressed my personal appreciation to him and EC3. I believe that such robust cooperation within the international law enforcement community is the necessary future of cybercrime investigations. I anticipate that the Department of Justice and EC3 will be allies for years to come.
Today’s symposium is focused on the future of technology and online crime, so I expect that you will be hearing a lot about “change” and “evolution.” I want to briefly discuss the state of affairs today, and how I see cybercrime evolving over the coming years.
I also want to take this opportunity to talk about changes within the Criminal Division and our evolving efforts to deter, investigate, and prosecute cyber criminals and to protect the country’s computer networks from cyber threats in the first instance.
In that regard, I will highlight two ways in which we are addressing the growing threat:
First, we are mounting increasingly innovative and cooperative, international law enforcement operations to disrupt cyber criminal organizations across the globe;
Second, we are increasing our efforts to prevent cyber attacks by providing resources for our public and private partners to enhance cyber security across the board. In furtherance of this effort, we are creating a dedicated Cybersecurity Unit within the Criminal Division, which I will discuss more in a moment.
As I mentioned, I will start with a few words about the Internet and technology, how they are influencing the crimes we see today, and how we anticipate they will shape the crimes of tomorrow.
By now it has become obvious not only to those of us who gather at events like this but to the entire world: the Internet and related technologies have changed the way we work, play, and live. Everyone in this room is carrying a cell phone, tablet, or some other device that is connected to the Internet right now. The vast majority of Americans have made technology part of their everyday lives.
This boom in Internet-driven technology brings with it new opportunities for innovation, productivity, and entertainment. It is helping people connect locally and globally through email, social networking, and various other forms of communication. It is helping our businesses compete in expanding markets. It is giving us ready access to a seemingly endless stream of information, resources, and services unlike anything that preceded it. From big companies to tiny start-ups, innovation is taking place around the world at a dizzying pace.
Unfortunately, there is also a flip side to these advances. A tool that has become so vital to families, consumers, businesses, and governments was also bound to become a target for criminals. Not surprisingly, cyber criminals are taking advantage of the same advances in technology to perpetrate more complex and extensive crimes. Indeed, according to data from the 2013 Norton Report, there will be more than 14,000 additional victims of online crime by the time I have finished this speech.
For the foreseeable future, cybercrime will increase in both volume and sophistication. By exploiting technology, the most skilled cyber criminals will be capable of committing crimes on a scale that will result in more lost data, greater damage to the security of networks, and greater risk to Internet users. We are already getting glimpses of this new criminal tide.
Last year, two cyber intrusions targeting the banking system inflicted $45 million in losses on the global financial system in a matter of hours. Let me emphasize, that figure is not a speculative estimate or a projection. That is the sum total of money that the perpetrators withdrew from banks around the world by breaking into bank computers and removing limits on the amount of money they could withdraw from ATM machines. That crime dwarfed the biggest bank heists in U.S. history several times over, and the masterminds never had to worry about security guards, dye-packs, or silent alarms. In fact, they never had to leave home.
Our dependence on technology is also ushering in a new era of online breaches. Ever larger networks are processing more consumer data in an effort to make our purchases simpler and less time consuming. These networks transmit vast amounts of personal and financial data, and enterprising hackers are targeting them to produce data breaches that dwarf anything we’ve seen before. Individual breaches regularly put at risk the financial information of tens of millions of consumers. This threatens consumer confidence and has devastating consequences for companies who have fallen victim.
We have also witnessed the rise of another type of intrusion that causes harms less simple to quantify. Rather than stealing money or valuable financial data, these breaches have robbed people of their privacy. Some hackers have become virtual home invaders, using malware to tap into personal webcams located in homes around the world so they can spy on our most intimate moments. Other hackers have broken into online storage accounts and personal devices to snatch personal photos or communications for money or prurient thrills.
So, how is the Department responding to these new types of online threats and challenges? In the case of the $45 million dollar cyber heist I mentioned, we were able to promptly find, arrest and prosecute some of those responsible. Thus far, 13 defendants have been convicted for their participation in the scheme. The Criminal Division and U.S. Attorneys’ Offices are bringing the lessons of this successful prosecution and others to the investigations of recent breaches that have been in the news.
While arrests and prosecutions are our primary goal, we recognize that it is increasingly common for sophisticated cyber criminals to base themselves overseas in countries where they are not so easily reached. Consequently, we have adjusted our tactics in two significant ways. We are engaging in larger, international law enforcement operations to target criminals around the globe. And, we are acting up front to stop the harm that these cyber criminals are causing, even before we can get them into custody. A prime example of this has been our approach to “botnets.”
“Botnets” are networks of computers that have been secretly infected by malware and controlled by criminals. Some botnets are millions of computers strong. Once created, they can be used without a computer owner’s knowledge to engage in a variety of criminal activities, including siphoning off personal and financial data, conducting disruptive cyber attacks, and distributing malware to infect other computers.
One particularly destructive botnet—called Gameover Zeus—was used by criminals to steal millions of dollars from businesses and consumers and to extort additional millions of dollars in a “ransomware” scheme. Ransomware is malware that secretly encrypts your hard drive and then demands payments to restore access to your own files and data. Ransomware called “Cryptolocker” was distributed through the Gameover Zeus Botnet, which infected hundreds of thousands of computers, approximately half of which were located in the United States. It generated more than $27 million in ransom payments for its creators, including Russian hacker Evgeniy Bogachev, in just the first two months after it emerged.
But through carefully choreographed international law enforcement coordination, we not only identified and obtained a 14-count indictment against Bogachev, but also obtained injunctions and court orders to dismantle the network of computers he used to orchestrate his scheme. The Justice Department, U.S. law enforcement, numerous private sector partners, and foreign partners in more than 10 countries, as well as EC3, mounted court-authorized operations that allowed us to wrest control of the botnet away from the criminals, disable it, and start to repair the damage it caused.
This afternoon, you will hear from David Hickton, the U.S. Attorney for the Western District of Pennsylvania, whose office worked with CCIPS to spearhead this effort. This case serves as a model of both international cooperation and our ability to mitigate the damage caused by cyber criminals even before making an arrest.
In another international operation, just a few weeks ago, we targeted so-called “dark market” websites selling illegal goods and services online. These websites were operating on the “Tor” network, a special network of computers on the Internet designed to conceal the locations of individuals who use it. The websites we targeted traded in illegal narcotics; firearms; stolen credit card data; counterfeit currency; fake passports and other identification documents; and computer-hacking tools and services. Using court-authorized legal process and mutual legal assistance treaty requests, the Department, the FBI, and international partners from approximately 16 foreign nations working under the umbrella of EC3 seized over 400 Tor addresses associated with dozens of websites, as well as multiple computer servers hosting these websites.
Once again, international cooperation among the world’s law enforcement agencies was pivotal to the success of this global operation. And, once again, we were able to disrupt cybercrime in manners other than traditional arrest and prosecution.
In addition to undertaking these innovative international operations and takedowns, the Criminal Division is also re-orienting itself to better address the complex nature of cyber threats on multiple fronts.
High-tech crimes are not new to the Criminal Division. We have been investigating and prosecuting computer crimes since the Division created the Computer Crime and Intellectual Property Section, or “CCIPS,” in 1996. As I have already described, CCIPS prosecutors have led complex computer crimes investigations for years, and this work will continue.
Through CCIPS, the Criminal Division has also supported and expanded our U.S. Attorneys’ Offices’ expertise and capacity to tackle the most complex cybercrimes. CCIPS has worked over the last 12 years to build the Computer Hacking and Intellectual Property or “CHIP” Network with U.S. Attorneys’ Offices across the nation, which is now over 270 prosecutors strong. That network has fostered a close partnership between CCIPS and the U.S. Attorneys’ Offices in addressing the nation’s most sophisticated computer crimes. In addition, over the last two years, the CHIP Network was used as the model for the National Security Cyber Specialists’ network, a partnership among the National Security Division, the U.S. Attorneys’ Offices, and CCIPS that focuses on cyber threats to national security.
As the threats increase daily, however, I want to make sure that cyber security is receiving the dedicated attention it requires. It is important that we address cyber threats on multiple fronts, with both a robust enforcement strategy as well as a broad prevention strategy. I am, therefore, announcing today the creation of the Cybersecurity Unit within CCIPS. The Cybersecurity Unit will have responsibility on behalf of the Criminal Division for a variety of efforts we are undertaking to enhance public and private cyber security efforts.
Given the growing complexity and volume of cyber attacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attacks, the Cybersecurity Unit will play an important role in this field. Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of every day Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.
As you know, the private sector has proved to be an increasingly important partner in our fight against all types of online crime, but particularly cyber security-related matters. Prosecutors from the Cybersecurity Unit will be engaging in extensive outreach to facilitate cooperative relationships with our private sector partners. This is a fight that the government cannot and will not wage alone.
As just one example of the kind of outreach we can do, earlier this year, we heard concerns expressed by communications service providers about uncertainty over whether the Electronic Communications Privacy Act prohibits sharing certain cyber threat information. This uncertainty limited the lawful sharing of information that could better protect networks from cyber threats. In response, we produced a white paper in May to address these concerns and publicly released our analysis of the issue. We will continue to engage in this open dialogue about emerging issues and to clear roadblocks like this one.
Finally, we will be engaging with the public at-large about cyber security issues. Over the past several years, but especially this past year, I have noticed a growing public distrust of law enforcement surveillance and high-tech investigative techniques. This kind of mistrust can hamper investigations and cyber security efforts. Most of this mistrust, however, comes from misconceptions about the technical abilities of the law enforcement tools and the manners in which they are used. I hope to engage the public directly on these issues and to allay concerns.
CCIPS already plays an important role in this regard, and I expect that to expand with the Cybersecurity Unit. CCIPS’s manuals on laws governing searching and seizing computers, electronic surveillance, and prosecuting computer crimes are probably the most comprehensive materials on those topics you will find anywhere. To ensure transparency and wide access to this helpful information, those manuals are publicly available on CCIPS’s website, cybercrime.gov.
I would like to start the public dialogue, however, by briefly addressing an overarching misconception: the apparent belief that privacy and civil liberties are afterthoughts to criminal investigators. In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously. Privacy concerns are not just tacked onto our investigations, they are baked in. Privacy concerns are in the laws that set the ground rules for us to follow; the Departmental policies that govern our investigative and prosecutorial conduct; the accountability we must embrace when we present our evidence to a judge, a jury, and the public in an open courtroom; and in the proud culture of the Department.
We not only carefully consider privacy implications throughout our investigations, but we also dedicate significant resources to protecting the privacy of Americans from hackers who steal our financial and credit card information, online predators that stalk and exploit our children, and cyber thieves who steal the trade secrets of innovative American entrepreneurs. As just an example our efforts, we recently announced the conviction of a Danish citizen who marketed and sold StealthGenie, a spyware application or “app” that could remotely monitor calls, texts, videos and other communications on mobile phones without detection. This app was marketed to individuals who wanted to spy on spouses and lovers suspected of infidelity.
Additionally, earlier this year, the FBI and the U.S. Attorney for the Southern District of New York announced charges against the owner of “Blackshades,” which sold the Blackshades Remote Access Tool. EC3 again played a substantial role in this worldwide takedown, which resulted in the arrests of more than 90 people across the globe. The Blackshades tool was used by hackers to gain access to victims’ personal computers to secretly steal files and account information, browse personal photos, and even to monitor the victims through their own webcams. This software tool illustrates one of the scariest capabilities of hackers to date, as the Blackshades product or a similar tool was used by one hacker to secretly capture naked photos of teens and young women, including Miss Teen USA. The hacker then used the photos to extort his victims—with threats that he would post the photos on the Internet—into sending additional nude photos and videos.
These are just two examples of our work to investigate and prosecute criminals who invade the privacy of unsuspecting citizens. We hope that continuing to host symposiums like this one—and other outreach efforts—will help combat misconceptions about the Department’s efforts to protect the privacy of Americans. Outreach allows us to participate in the growing public debate about evolving technology. The open debate will benefit from the information that we can contribute about how technology is being used by criminals, how we are leveraging technology to investigate and disrupt criminal activity, and how technology can be leveraged in the public and private sectors to enhance cyber security. Without that information, misconceptions and inaccuracies can take root and hamper enforcement efforts as well as cyber security programs.
Georgetown and the Department designed today’s event to bring diverse viewpoints together. Our aim is to make sure that a range of perspectives are presented. Of course, there will be limits to what Department representatives can publicly discuss for a variety of reasons, including the potential of harming an ongoing investigation, the need to protect individuals who are the subjects of investigations, and statutory and Departmental restrictions on disclosure of certain information. Regardless, we are excited to add our voice to the debate and grateful to Georgetown and to all of you for supporting this event. We hope it will be the first of many.
Thank you.
Monday, November 3, 2014
NSF FUNDS SIMULATIONS TO TRAIN STUDENTS IN CYBERSECURITY
FROM: NATIONAL SCIENCE FOUNDATION
Cybersecurity: It's about way more than countering hackers
Growing professionals in cybersecurity means supporting an interdisciplinary approach that develops sophisticated thinkers
It's tense in the situation room. A cyber attack on the electrical grid in New York City has plunged Manhattan into darkness on a day that happens to be the coldest in the year. Concurrently, the cellular phone network has been attacked, silencing smartphones and sowing confusion and panic. A foreign power has claimed responsibility for the attacks and says more are coming. Your job is to look at geopolitical factors, intelligence feeds, military movements and clues in cyberspace to predict what may be happening next. Your goal is to make a recommendation to the President.
This scenario is thankfully not real, but it is the kind of simulation planned for students in the cybersecurity program at California State University, San Bernardino (CSUSB). With funding from the National Science Foundation's (NSF) CyberCorps®: Scholarships for Service (SFS) program, undergraduate and graduate students take an interdisciplinary approach to cybersecurity.
"We provide an environment where business students can work with engineers on drones, and students from political science can work on predictive modeling," said Principal Investigator (PI) Tony Coulson. "Our students can major in business, public administration, criminal justice, computer science, intelligence, all with cyber security as an option. We produce students who can problem-solve--people who can understand politics and finance as well as computer science."
Cybersecurity is a field that has received a lot of attention in recent years because of hacking episodes that have compromised networks, and in turn, the personal information of citizens who depend on a safe cyberspace to do such activities as banking and shopping. Following such a breach, attention is generally focused on identifying the hackers and their methods.
Among the options for students supported through San Bernardino's SFS program is being educated in cyber intelligence to deal proactively with cyber threats--to predict malicious behavior before it happens. Doing so draws not only on a background in computer and information science, but also on an understanding of human behavior and psychology and the political and economic environment. About 50 students have gone through the program, including completing internship requirements, and Coulson reports 100 percent placement with employers.
"The San Bernardino project is one of 166 active projects around the country fully or partly funded by SFS," said SFS Lead Program Director Victor Piotrowski. "Cybersecurity is a dynamic and evolving field, and the country needs talented people with the skills to protect U.S. interests around the world. Through SFS, we prepare students for high-paying careers in government, and increase the capacity of institutions to offer quality course work in this area."
A condition of students' receiving support through SFS is that they put their skills to work in a government agency for a period equal to the duration of their scholarship. Coulson says that after completing the program at CSUSB, students often have to choose from multiple offers. The program boasts having students placed in many areas of government.
"CSUSB students have a depth of skills and often pick their dream jobs," said Coulson, including a student who got a job at his first-choice agency--the National Archives.
San Bernardino is a poor community, and the good jobs available to SFS graduates can make a huge difference to them and their families. To promote their success in finding and keeping employment, the professional development offered to students goes beyond their academic work to include business etiquette, mentoring, how to succeed at an internship, and how to conduct oneself successfully in an office. The goal is to produce a graduate ready to be hired.
In addition to traditional essay-based projects, students have to complete a very hands-on final exam, requiring that they pick locks and use digital and biometric information to hack into a network. According to Coulson, they enjoy the challenge.
Along with running the SFS project, Coulson is co-PI on another NSF-supported project, CyberWatch West, funded through the Advanced Technological Education program (ATE).
"Despite Silicon Valley being on the West coast, and California having the largest population of community colleges in the country, there are very few cybersecurity programs here," said Coulson.
So CyberWatch West aims to help community colleges, K-12 schools and universities link together in 13 western states to develop faculty and students in cybersecurity. The project is a resource for faculty to identify curriculum pathways and outreach, find mentors and engage students in competitions, events and presentations.
"There's such a need in the Los Angeles and Orange County areas," said Coulson. There are something like 2,500 open positions, and we're graduating 200 kids."
Bringing together cybersecurity, law and digital forensics
Also responding to the need for a cybersecurity workforce prepared to deal with today's complex problems is an SFS project for undergraduates and graduate students at the University of Illinois, Urbana-Champaign (UIUC). The project has graduated 25 students who are already working in government (reflecting another 100 percentage placement rate), and another 20 are set to graduate next May.
Since last year, this project offers scholarships to law students as well as engineering and computer science students. According to PI Roy Campbell, few lawyers understand cybersecurity and few computer scientists understand the legal framework involved in prosecuting and preventing cyber crimes.
The first law student to be accepted in the program, Whitney Merrill, is a recent law school graduate currently practicing as an attorney while completing her master's in computer science at UIUC. She found the combination of cybersecurity and law in the UIUC program to be valuable.
"The two fields are fiercely intertwined," said Merrill. "Understanding both fields allows me to better serve and advocate for my clients. Additionally, I hope to be able to help the two communities more effectively communicate with each other to create tools and a body of law that reflects accurately an understanding of both law and technology."
Merrill found the program challenging at first.
"But my interest and love for the subject matter made the challenging workload (29 credits last semester) enjoyable," she added. "Working towards a mastery in both fields has also helped me to spot legal issues where I would not have before."
Next summer Merrill will be working as a summer intern at the Federal Trade Commission in their Division of Privacy and Identity Protection. She graduates in December 2015.
With additional NSF support, a new related program in digital forensics at UIUC has the goal of building a curriculum that will teach students about cybersecurity in the context of the law enforcement, the judicial system, and privacy laws.
"Digital forensics is not the sort of area a computer scientist can just jump into," Campbell said. "It's not just malware or outcropping of hacking techniques. It has to be done in a deliberate way to produce evidence that would be acceptable to courts and other entities."
Co-PI Masooda Bashir says digital forensics gets to the heart of the multidisciplinary nature of cybersecurity.
"If you think about the amount of digital information that is being generated, exchanged, and stored daily you begin to understand the impact that the field of Digital Forensics is going to have in the coming years, " she said. "But Digital Forensics (DF) is not only a technical discipline, but a multidisciplinary profession that draws on a range of other fields, including law and courtroom procedure, forensic science, criminal justice and psychology."
She added, " I believe it is through integration of such relevant nontechnical disciplines into the DF education we can help students develop the comprehensive understanding that they will need in order to conduct examinations and analyses whose processes and findings are not just technically sound, but legal, ethical, admissible in court, and otherwise effective in achieving the desired real-world goal."
As the new program evolves, Masooda is drawing on her background as a computer scientist/psychologist to add the psychology of cybercrime to the curriculum. She's also working on a project examining cybersecurity competitions to understand their impact on the cybersecurity workforce and also to better understand the psychological factors and motivations of cyber security specialist and hackers.
Students with an interest in cybersecurity can start planning now
The U.S. Office of Personnel Management maintains a website where students can get information of SFS and the institutions that are participating in it. Meanwhile, PIs can update their project pages and agency officials can check resumes for students with the qualifications they need.
In the evolving field of cybersecurity, individuals with technical skills and knowledge of the social and legal context for what they do will continue to be highly desirable workers
Cybersecurity: It's about way more than countering hackers
Growing professionals in cybersecurity means supporting an interdisciplinary approach that develops sophisticated thinkers
It's tense in the situation room. A cyber attack on the electrical grid in New York City has plunged Manhattan into darkness on a day that happens to be the coldest in the year. Concurrently, the cellular phone network has been attacked, silencing smartphones and sowing confusion and panic. A foreign power has claimed responsibility for the attacks and says more are coming. Your job is to look at geopolitical factors, intelligence feeds, military movements and clues in cyberspace to predict what may be happening next. Your goal is to make a recommendation to the President.
This scenario is thankfully not real, but it is the kind of simulation planned for students in the cybersecurity program at California State University, San Bernardino (CSUSB). With funding from the National Science Foundation's (NSF) CyberCorps®: Scholarships for Service (SFS) program, undergraduate and graduate students take an interdisciplinary approach to cybersecurity.
"We provide an environment where business students can work with engineers on drones, and students from political science can work on predictive modeling," said Principal Investigator (PI) Tony Coulson. "Our students can major in business, public administration, criminal justice, computer science, intelligence, all with cyber security as an option. We produce students who can problem-solve--people who can understand politics and finance as well as computer science."
Cybersecurity is a field that has received a lot of attention in recent years because of hacking episodes that have compromised networks, and in turn, the personal information of citizens who depend on a safe cyberspace to do such activities as banking and shopping. Following such a breach, attention is generally focused on identifying the hackers and their methods.
Among the options for students supported through San Bernardino's SFS program is being educated in cyber intelligence to deal proactively with cyber threats--to predict malicious behavior before it happens. Doing so draws not only on a background in computer and information science, but also on an understanding of human behavior and psychology and the political and economic environment. About 50 students have gone through the program, including completing internship requirements, and Coulson reports 100 percent placement with employers.
"The San Bernardino project is one of 166 active projects around the country fully or partly funded by SFS," said SFS Lead Program Director Victor Piotrowski. "Cybersecurity is a dynamic and evolving field, and the country needs talented people with the skills to protect U.S. interests around the world. Through SFS, we prepare students for high-paying careers in government, and increase the capacity of institutions to offer quality course work in this area."
A condition of students' receiving support through SFS is that they put their skills to work in a government agency for a period equal to the duration of their scholarship. Coulson says that after completing the program at CSUSB, students often have to choose from multiple offers. The program boasts having students placed in many areas of government.
"CSUSB students have a depth of skills and often pick their dream jobs," said Coulson, including a student who got a job at his first-choice agency--the National Archives.
San Bernardino is a poor community, and the good jobs available to SFS graduates can make a huge difference to them and their families. To promote their success in finding and keeping employment, the professional development offered to students goes beyond their academic work to include business etiquette, mentoring, how to succeed at an internship, and how to conduct oneself successfully in an office. The goal is to produce a graduate ready to be hired.
In addition to traditional essay-based projects, students have to complete a very hands-on final exam, requiring that they pick locks and use digital and biometric information to hack into a network. According to Coulson, they enjoy the challenge.
Along with running the SFS project, Coulson is co-PI on another NSF-supported project, CyberWatch West, funded through the Advanced Technological Education program (ATE).
"Despite Silicon Valley being on the West coast, and California having the largest population of community colleges in the country, there are very few cybersecurity programs here," said Coulson.
So CyberWatch West aims to help community colleges, K-12 schools and universities link together in 13 western states to develop faculty and students in cybersecurity. The project is a resource for faculty to identify curriculum pathways and outreach, find mentors and engage students in competitions, events and presentations.
"There's such a need in the Los Angeles and Orange County areas," said Coulson. There are something like 2,500 open positions, and we're graduating 200 kids."
Bringing together cybersecurity, law and digital forensics
Also responding to the need for a cybersecurity workforce prepared to deal with today's complex problems is an SFS project for undergraduates and graduate students at the University of Illinois, Urbana-Champaign (UIUC). The project has graduated 25 students who are already working in government (reflecting another 100 percentage placement rate), and another 20 are set to graduate next May.
Since last year, this project offers scholarships to law students as well as engineering and computer science students. According to PI Roy Campbell, few lawyers understand cybersecurity and few computer scientists understand the legal framework involved in prosecuting and preventing cyber crimes.
The first law student to be accepted in the program, Whitney Merrill, is a recent law school graduate currently practicing as an attorney while completing her master's in computer science at UIUC. She found the combination of cybersecurity and law in the UIUC program to be valuable.
"The two fields are fiercely intertwined," said Merrill. "Understanding both fields allows me to better serve and advocate for my clients. Additionally, I hope to be able to help the two communities more effectively communicate with each other to create tools and a body of law that reflects accurately an understanding of both law and technology."
Merrill found the program challenging at first.
"But my interest and love for the subject matter made the challenging workload (29 credits last semester) enjoyable," she added. "Working towards a mastery in both fields has also helped me to spot legal issues where I would not have before."
Next summer Merrill will be working as a summer intern at the Federal Trade Commission in their Division of Privacy and Identity Protection. She graduates in December 2015.
With additional NSF support, a new related program in digital forensics at UIUC has the goal of building a curriculum that will teach students about cybersecurity in the context of the law enforcement, the judicial system, and privacy laws.
"Digital forensics is not the sort of area a computer scientist can just jump into," Campbell said. "It's not just malware or outcropping of hacking techniques. It has to be done in a deliberate way to produce evidence that would be acceptable to courts and other entities."
Co-PI Masooda Bashir says digital forensics gets to the heart of the multidisciplinary nature of cybersecurity.
"If you think about the amount of digital information that is being generated, exchanged, and stored daily you begin to understand the impact that the field of Digital Forensics is going to have in the coming years, " she said. "But Digital Forensics (DF) is not only a technical discipline, but a multidisciplinary profession that draws on a range of other fields, including law and courtroom procedure, forensic science, criminal justice and psychology."
She added, " I believe it is through integration of such relevant nontechnical disciplines into the DF education we can help students develop the comprehensive understanding that they will need in order to conduct examinations and analyses whose processes and findings are not just technically sound, but legal, ethical, admissible in court, and otherwise effective in achieving the desired real-world goal."
As the new program evolves, Masooda is drawing on her background as a computer scientist/psychologist to add the psychology of cybercrime to the curriculum. She's also working on a project examining cybersecurity competitions to understand their impact on the cybersecurity workforce and also to better understand the psychological factors and motivations of cyber security specialist and hackers.
Students with an interest in cybersecurity can start planning now
The U.S. Office of Personnel Management maintains a website where students can get information of SFS and the institutions that are participating in it. Meanwhile, PIs can update their project pages and agency officials can check resumes for students with the qualifications they need.
In the evolving field of cybersecurity, individuals with technical skills and knowledge of the social and legal context for what they do will continue to be highly desirable workers
Thursday, October 30, 2014
ASSISTANT AG CARLIN MAKES REMARKS AT U.S. CHAMBER OF COMMERCE CYBERSECURITY SUMMIT
FROM: U.S. JUSTICE DEPARTMENT
Remarks by Assistant Attorney General John Carlin at the U.S. Chamber of Commerce Third Annual Cybersecurity Summit
Washington, DCUnited States ~ Tuesday, October 28, 2014
Remarks as Prepared for Delivery
In establishing an annual gathering focused on cybersecurity challenges, the Chamber of Commerce continues to demonstrate its commitment to keeping our nation secure, and to lowering barriers for American businesses to compete fairly in our global economy. The fact that this is your third annual cybersecurity summit is a testament to the growing magnitude of these threats and your commitment to make cybersecurity central to your business plans.
This is an important issue, and one I know the Chamber has emphasized as part of its National Cybersecurity Awareness Campaign, which kicked off in May. In the campaign roundtable events leading up to today’s summit, the Chamber stressed the importance of cyber risk management and reporting cyber incidents to law enforcement. I couldn’t agree with these two recommendations more. Today’s event is our opportunity to discuss how we can take these steps and others to best protect ourselves and our nation.
Cybersecurity threats affect us all – and they affect our privacy, our safety, and our economic vitality. They present collective risk; disrupting them is our collective responsibility. The attackers we face range in sophistication. And when it comes to nation states and terrorists, it is not fair to let the private sector face these threats alone. The government ought to help, and we do.
At the National Security Division, we focus on tackling cyber threats to the national security – in other words, those posed by terrorists and state-sponsored actors. As I will talk about a bit later, we have restructured our division to focus on bringing all tools to bear against these threats.
Likewise, Chamber members have a particularly important role to play in our strategy.
You are living through these consequences with alarming frequency: according to Brookings, 97 percent of Fortune 500 companies have been hacked. PwC released a report this week finding that the number of detected cyberattacks in 2014 increased 48 percent over 2013. As FBI Director James Comey said, “there are two kinds of big companies in America: those who have been hacked . . . and those who don't know they've been hacked.”
We are on notice. We are all targets. I would venture to say everyone in this room has, in their professional or private life, been affected by a cybersecurity breach. At best – a minor inconvenience. A re-issued credit card. At worst – devastation to your company’s reputation, loss of customer trust, and injury to your bottom line.
Without taking proper steps – it is a question of when, not if, a major public breach will happen to you. And with that will come questions about whether you did enough to protect your company, your customers, and your information.
Have you thought ahead to the day when you will have to face your customers, your employees, your board, and your shareholders. When you will have to notify them that someone has infiltrated your company and stolen your most valuable or private information? If that day was today, could you tell them that you’ve done everything in your power to protect your company’s future? Had you warned them of the risks? Would you be able to say that you minimized the damage?
Do you have a plan?
It’s a pretty daunting scenario. So it is no surprise that surveys of general counsels identify cybersecurity as the number one issue on their minds today. But surveys show that over a quarter of Fortune 500 companies still don’t have an established response to cyber intrusions.
This is risky business. We know that we will never achieve impenetrable defenses. That we will remain vulnerable. But you can take steps to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States.
We have identified four essential components of corporate cyber risk management.
First – equip and educate yourself. Make sure you have a comprehensive—and comprehensible— cyber incident response plan.
And review it. I have spoken with many CEOs and general counsels who have said they have not reviewed, or cannot decipher, their company’s plan. We must do better. These are C-suite decisions. You cannot manage your corporate risk if you do not understand it.
Make sure it addresses the “who,” the “what,” and the “when.”
Who is involved and who needs to be notified?
What will you disclose?
When will you notify clients, law enforcement, and the general public?
Second – know that your business contacts create risk. Malicious actors can exploit your outside vendors—no matter how resilient you think your defenses may be. Consider guidelines to govern third-party access to your network and ensure that your contracts require vendors to adopt appropriate cybersecurity practices.
Third – protect your bottom line. Companies are increasingly considering cyber insurance, and you should consider how this may fit into your risk management strategy. Cyber insurance may offer financial protection, and may also incentivize companies to audit their system’s defenses.
Finally – do not go it alone. Some of our attackers are linked to deep state military budgets. And when they are, it’s not a fair fight for you to take on alone. We must work together.
So working with us can be one more component of your risk-management strategy. As more breaches are publicly acknowledged, the public will ask how quickly and effectively you responded.
As leaders, you will have to answer to your shareholders, board members, customers, the media and the public. You will want to say you did everything you could to mitigate your financial loss. Your company’s bottom line, and your financial reputation, will depend on it. And we can help. We can provide you with information to protect your networks, and we may be able to take actions to disrupt and deter the attackers that you cannot take by yourself. So you are on the front lines of these battles, but we are with you. We are committed to working with you to protect your networks, identify perpetrators, disrupt their efforts, and hold them accountable. At the Department of Justice, this is among our top priorities.
At the National Security Division, we recently appointed new senior leadership to strengthen our capacity to protect national assets from cyberattacks and economic espionage. We created and trained the nation-wide National Security Cyber Specialists’ – or NSCS – Network to focus on combating cyber threats to the national security.
At DOJ, we follow the facts and evidence where they lead – whether to a disgruntled employee or lone hacker working in obscurity; to an organized crime syndicate in Russia; or even to a uniformed member of the Chinese military.
And indictments and prosecutions are a public and powerful way in which we the people, governed by the rule of law, legitimize and prove our allegations. As Attorney General Holder said in May, “enough is enough.” We are aware of no nation that publicly states that theft of information for commercial gain is acceptable. And that’s because it’s not. Nevertheless, in the shadows of their flags, some may encourage and support corporate theft for the profit of state-owned enterprises. We will continue to denounce these actions, including by bringing criminal charges. And we won’t stop until the crimes stop. A core part of the government’s response must be disruption and deterrence, in order to raise the costs to people who commit these thefts and to deter others from emulating their actions.
Of course, we recognize that the criminal justice system is just one tool in our toolbox. In addition to prosecutions, we are working in conjunction with key government partners to explore how to apply designations, sanctions, trade pressure, and other options, to confront new cyber challenges.
These changes will help us fulfill our collective responsibility. And they will help us work with you.
Which is important because we rely on cooperation from the private sector to bring many of these cases, from identifying the malware and its functions, to pinpointing the location of servers commanding botnets, to assisting victims in removing the malicious software from their computers.
Take as one example the take-down of Gameover Zeus and disruption of the Cryptolocker ransomware – a big success for our colleagues in the Criminal Division’s Computer Crimes and Intellectual Property Section and the Western District of Pennsylvania. This take-down would not have been possible without close cooperation. The FBI’s Robert Anderson called it the “the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation.”
We recognize that one of the best ways to protect the nation is to support you in your own efforts. In 2013, federal agents informed over 3,000 companies that their computer systems were hacked. And every day, the FBI works with companies targeted by malicious activity, ranging from low-tech denial of service attacks to sophisticated intrusions by elite, state-supported military hacking units.
But, we’re not limited to helping you solely in the aftermath of an intrusion.
Nor do we see our role as only a collector of information.
We also share sensitive information with you so you can defend against attacks in real time, and engage in disruption efforts. In the past year alone, the FBI presented over three dozen classified, sector-specific threat briefings to companies like yours.
The information we share with you may enhance your ability to deter future intrusions. And your engagement with law enforcement can help us connect the dots between your breach and a broader threat.
We may be able to help identify what was stolen from you, locate the perpetrator of the attack, and in certain cases, be able to disrupt planned attacks or mitigate the effects of past intrusions.
Given the importance of this cooperation, the Department of Justice is committed to lowering the barriers to sharing information. Through extensive one-on-one meetings with in-house legal teams, we learned what you perceive to be the legal hurdles to cooperation, and are addressing them.
We’ve clarified that certain laws - such as the Stored Communications Act and antitrust statutes – are not impediments to sharing information with the government in certain situations.
We understand that trust is an essential predicate to voluntary reporting. And in our work with you, we strive to protect your sensitive data – including trade secrets, details of network architecture, and PII.
Bottom line, we can help you manage your risk, and you can help us keep our nation safe.
The 9/11 Commission recently concluded that “we are at September 10th levels in terms of cyber preparedness,” and warned that “history may be repeating itself in the cyber realm.” We must band together to keep that from happening.
At the department, we want to arm ourselves for the threats of today, but prepare ourselves for those that are just over the horizon.
Think about the tools that cyber criminals use – intrusion software, ransomware, and botnets. When used by cyber criminals, these tools are generally used for financial gain. But these tools can also be used to disrupt and destroy. Terrorists have stated they want to exploit cybersecurity vulnerabilities to harm our way of life. Al Qaeda announced its intent to conduct cyberattacks against civilian targets such as the electric grid and financial system.
The Department of Homeland Security recently confirmed it is investigating two dozen cybersecurity flaws in medical devices and hospital equipment that could be exploited to injure or kill a patient with a few strokes on a keyboard. The threats are real.
We must acknowledge that terrorists want to acquire these cyber capabilities and, if they succeed, will not hesitate to deploy them. It is a race against time, and one with high-stakes consequences.
At the department, we are also looking at the gaps that may exist in our authorities. Many of our laws – long on the books – were not written with cyberspace in mind. They don’t necessarily contemplate remote access or extraterritorial crimes, they don’t facilitate multi-jurisdictional investigation, and they don’t always empower us to bring our authorities to bear swiftly and effectively. But we are committed to working with the relevant law- and rule-makers who support modernizing these laws. New cyber legislation, in several different areas, is needed.
I want to conclude my remarks by discussing the changing perceptions of being hacked. Among consumers and industry, there is a growing understanding that companies are going to get breached. But that doesn’t mean you should turn the other way. There is an enormous downside to taking an “ostrich approach” to cyber threats. Consumers expect that companies will adopt industry standards for cybersecurity. And when intrusions happen, consumers expect companies to respond promptly, acknowledge the intrusion publicly, and cooperate with law enforcement to mitigate the damage.
The Chamber of Commerce and its members are uniquely positioned to drive corporate change; to ensure that your companies and your partners treat cyber breaches as more than mere technical problems; to recognize that security operations are not insulated from business operations; and to discuss with your boards, your employees, and your industries the importance of cybersecurity risk management.
As we face ever more threats in cyberspace, let’s incorporate public-private cooperation into our cyber tool kit. The threats aren’t letting up, and neither will we. Thank you very much for inviting me.
Wednesday, June 18, 2014
CYBERSPACE AND FUTURE WAR 2025
FROM: U.S. DEFENSE DEPARTMENT
Cybercom Chief: Cyberspace Operations Key to Future Warfare
By Cheryl Pellerin
American Forces Press Service
Cybercom Commander Navy Adm. Michael S. Rogers, who also is director of the National Security Agency, was the keynote speaker at a June 12 meeting here at a cyber seminar hosted by the Association of the U.S. Army’s Institute of Land Warfare.
The theme was Army Networks and Cybersecurity in 2025.
“In the world of 2025, I believe the ability of Army formations to operate within the cyber domain, offensively and defensively, will be a core mission set for the U.S. Army and its operational forces,” Rogers told the audience. The Cybercom commander said that by 2025 the military services will have ingrained into their culture the reality that networks and cyber are a commander's business.
The admiral, who most recently served as commander of the U.S. Fleet Cyber Command and the U.S. 10th Fleet, said this has been a major cultural challenge in the Navy.
“In the year 2025, I believe … Army commanders will maneuver offensive and defensive capability much today as they maneuver ground forces,” Rogers said, adding that command and control, key terrain, commander's intent, synchronization with the broader commander's intent, and a broader commander's operational concept of operations will be cornerstones of Army cyber operations by then.
“In 2025,” he said, “the ability to integrate cyber into a broader operational concept is going to be key. Treating cyber as something so specialized, … so unique -- something that resides outside the broader operational framework -- I think that is a very flawed concept.”
Between now and 2025, Rogers said, a primary challenge will be integrating cyber and its defensive and offensive capabilities into a broader operational construct that enables commanders to apply another broader set of tools in achieving their operational missions.
When he thinks about how Cybercom and the services will get to 2025, Rogers said, he tries to keep three points in mind.
The first, he said, is that cyber is operations. Commanders must own the cyber mission set, the admiral said, integrating it into the operational vision and becoming knowledgeable about the broad capabilities of a unit, formation or organization and its potential vulnerabilities.
“I think it's going to be foundational to the warfighting construct of the future,” Rogers said, adding that the challenge is as much cultural as technical.
“To make this work, in the end, it's about our ability to synchronize the capabilities of a team,” he added, “from our junior-most individuals to our senior-most individuals, from capabilities resident within [the services] and as a department, to the [external] partnerships we're going to have to form.”
The second point Rogers said he keeps in mind is that requirements of the future include a joint network backbone for all of the Defense Department.
“I never understood why Army, Navy, Air Force, Marine Corps and, arguably, our Coast Guard teammates … were spending a lot of time and money [to independently] create, maintain, build and operate a global communications backbone,” Rogers said. Instead, he added, “make the services responsible for the last tactical mile of [a DOD-wide backbone that spans the globe], down to mobile and tactical users, whether they're in a garrison scenario or whether they're out maneuvering in the field, on an aircraft, on a ship or in a squadron.”
The third point, Rogers said, is that people and partnerships are key.
“Don’t ever forget that, in the end, [operationalizing cyberspace by 2025] is all about people and partnerships,” the admiral said. “It's about our ability to create a workforce that understands the vision, has the tools and capabilities they need to execute this vision, and is integrated into the broader effort.”
The partnership piece is a key area, he added, “because we, the Department of Defense, are not the cutting edge when it comes to networks, [communications] or information technology.”
“We are a user of technology that is largely generated by individuals and organizations that reside outside the DOD. … I don't see that trend changing between now and 2025,” he added.
As Cybercom commander and operational commander for the cyberspace mission set, the admiral said, focusing on five Cyber Command priorities will help military commanders build the joint force for 2025.
The priorities are:
-- Building a trained and ready operational cyber force;
-- Building a joint defensible network whose architecture has core design characteristics of defensibility, redundancy and resilience;
-- Creating shared situational awareness in cyberspace;
-- Creating command and control and operational concepts for use in cyberspace; and
-- Being mindful of policy and administrative changes needed to operate in cyberspace.
Addressing the department’s ability to compete on the open market for exceptional cyber talent, Rogers said, cyber is no different from any other DOD mission in terms of going after talented individuals.
“If the view is that pay is the primary criteria to get people with cyber expertise to join the department, I don't think that's going to work for us,” he added. “We’ll compete because of what makes us different. We will appeal to men and women who have an ethos of service [and] who believe in the idea of being part of something bigger than themselves.”
“We're going to compete for the same people because, quite frankly, we're going to give them the opportunity to apply their knowledge in a way that you can't legally do on the outside,” he added, prompting chuckles from the audience.
“I think we're going to do well,” the admiral said. “[Over the past 10 years], we have exceeded my wildest expectations in terms of our abilities to recruit and retain a high-end cyber workforce, because we’ve been able to focus on why they want to be with us as opposed to why they don't want to be with us.”
Saturday, April 26, 2014
HAGEL URGES U.S., CANADA, MEXICO WORK TOGETHER ON THREAT ASSESSMENT AND CYBERSECURITY
FROM: U.S. DEFENSE DEPARTMENT
Right: Secretary of Defense Chuck Hagel lays a wreath with Mexican Ministers of National Defense Gen. Salvador Cienfuegos Zepeda and Adm. Vidal Francisco Soberón Sanz at the Squadron 201 Memorial in Mexico City, April 24, 2014. Hagel participated in the wreath-laying ceremony after attending the second North American Defense Ministerial trilateral meeting among defense ministers of Mexico, Canada and the United States to discuss issues of mutual importance. DOD Photo by Erin A. Kirk-Cuomo.
Hagel Urges Trilateral Work for Threat Assessment, Cybersecurity
By Cheryl Pellerin
American Forces Press Service
ABOARD A MILITARY AIRCRAFT, April 25, 2014 – At the second North American Defense Ministerial, with his counterparts from Canada and Mexico, Defense Secretary Chuck Hagel urged a quick start to trilateral work on continental threat assessment and cybersecurity, and closer work among the three nations on humanitarian assistance and disaster relief.
The secretary also offered to host the next defense ministerial in Washington in 2016 to continue the important trilateral dialogue.
Meeting in Mexico City yesterday during his first forum with Canadian Defense Minister Rob Nicholson and Mexico’s Secretary of National Defense Gen. Salvador Cienfuegos Zepeda and Naval Secretary Adm. Vidal Francisco Soberón Sanz, Hagel observed in prepared remarks that a dynamic defense partnership that builds on successes and shared interests, and respects sovereignty concerns, will create a more resilient North America.
“Our presence here today and our commitment to advancing our defense partnership is a recognition that together we can more effectively address the complex security threats facing our countries,” the secretary said during the ministerial plenary session.
Beginning with common challenges, Hagel said the ministers should support a Canadian proposal to produce a digest of collective defense activities and policies.
Similar to an effort begun after the inaugural 2012 North American Defense Ministerial to develop an updated continental threat assessment, he added, such a digest could provide a starting point to coordinate efforts to avoid duplication and maximize scarce resources.
The initial effort to develop a continental threat assessment was a good start to identifying common threats and interests, the secretary said.
“There is merit to updating that assessment to reflect current and future threats and deepen our understanding of our security challenges. I propose that we establish a working group to provide principals an updated, non-binding, continental threat assessment within a year after this ministerial,” Hagel said. “It’s something we can assess when we next meet at the ministerial level.”
Cybersecurity is another common challenge that knows no borders, the secretary said.
Each U.S. defense institution works individually to address potential cyber threats, he said, adding that the Defense Department has worked to elevate the importance of cybersecurity in the National Security Strategy.
In its recently released Quadrennial Defense Review, the department said it would dedicate more resources to cybersecurity, Hagel noted.
“While our defense institutions do not have the lead in our respective countries for cybersecurity, we all share a common interest in [protecting] military communications,” the secretary said. “I propose that we establish a cyber working group to identify potential opportunities to work together to share best practices and lessons learned.”
On humanitarian assistance and disaster relief, Hagel said natural disasters also recognize no national borders and defense institutions provide critical support to lead civilian agencies under such circumstances.
“Each of our nations faces constrained defense budgets [but] the demand for military support to civilian agencies continues to increase as we experience more frequent and larger-scale natural disasters,” the secretary said.
“This was a key … subject of discussion at the [Association of Southeast Asian Nations, or] ASEAN Defense Ministers meeting I attended earlier this month in Hawaii. We are making important progress with our Southeast Asian partners in coordinating military responses to disasters,” Hagel told the ministers, “and I am pleased that we are beginning to do the same in our hemisphere.”
Recalling relief efforts after Hurricane Mitch in 1998, the 2010 Haiti earthquake and the 2004 Indonesian 9.1-magnitude earthquake whose Indian Ocean tsunami killed as many as 230,000 people, the secretary said these natural disasters demonstrate the challenges any one country faces in trying to meet enormous demands for humanitarian assistance in the wake of such events.
The capabilities and experience militaries collectively bring in response to natural disasters can’t be overstated, he added.
“I would like to see our three countries work more closely together in the area of humanitarian assistance and disaster relief,” Hagel said.
“We should commit to focusing attention on developing our capacity to coordinate, with a goal of maximizing our resources,” the secretary added. “This is an area that would benefit from establishment of a permanent working group tasked with identifying areas of cooperation and implementing coordination protocols as we move forward.”
During their meetings, the ministers agreed with a working group determination that combating transnational crime at the strategic level is best addressed by the security group under the North American Leaders Summit process.
But, Hagel said, “We need to ensure that coordination at the tactical and operational levels continues.”
A Canadian proposal to establish and serve as the initial chair of a permanent secretariat was an important step toward institutionalizing the North American Defense Ministerial, Hagel said.
As members of a regional organization, the secretary said, the ministers should work individually to strengthen hemispheric forums such as the Organization of American States’ Inter-American Defense Board, an international committee of defense officials who develop collaborative approaches on defense and security issues facing North, Central and South American countries, and the Conference of Defense Ministers of the Americas, created in 1995 to provide a forum of debate for Northern Hemisphere countries.
“The upcoming October conference of defense ministers in Peru will address hemispheric defense cooperation in key areas such as humanitarian assistance and disaster relief, search and rescue, and military health,” Hagel added.
After the meeting, in comments to the press, Hagel said, “These kinds of dialogues and conferences are important for many reasons but especially important it gives the ministers themselves an opportunity to personally exchange ideas and thoughts about our world, about our common interests and about our common challenges.”
The secretary said he and the other ministers have tasked their defense agencies to go forward and put together plans and programs based on initiatives agreed to during the meeting.
After the ministerial, Hagel joined Zepeda and Sanz at a somber wreath-laying ceremony for some of the 250,000 Mexican citizens who served in the U.S. armed forces during World War II.
The memorial to El Escuadron 201 in Mexico City's Chapultepec Park celebrates the 36 experienced combat pilots and the 250 or so electricians, mechanics, radiomen and armament specialists who made up the ground crew of Mexican Fighter Squadron 201, called the Aztec Eagles, who fought alongside U.S. troops in the last months of World War II in Europe.
The squadron left Mexico for the United States in July 1944 and received five months or more of training at facilities around the country. It was the first time Mexican troops had been trained for overseas combat.
The 300 volunteers of the Aztec Eagles were attached to the U.S. Army Air Forces 5th Air Force's 58th Fighter Group during the liberation of the main Philippine island of Luzon in the summer of 1945.
The pilots flew P-47D "Thunderbolt" single-seat fighter aircraft, carrying out tactical air-support missions, according to a 2003 American Forces Press Service article and interview with former Aztec Eagles pilot, retired Mexican air force Col. Carlos Garduno, who said the pilots flew close-air support missions for American and Filipino infantry troops on the ground.
The Aztec Eagles flew 59 combat missions, totaling more than 1,290 hours of flight time, participating in the allied effort to bomb Luzon and Formosa, now Taiwan, to push the Japanese out of those islands.
Immediately after the wreath-laying ceremony, Hagel told a press gathering that the memorial is “a pretty special monument to a country that participated with the allies, with the United States, in World War II.”
He added, “[It was] a brave thing that Mexico did. The service rendered, represented by this memorial, should be remembered.”
The secretary said he was honored to be part of the ceremony and shared a personal connection to the Aztec Eagles and their service to the nation.
“I know what memorials mean to countries and how they reflect their history and their sacrifices, Hagel said. “In fact, the 201st … that represented the expeditionary force of Mexico was attached to an Army Air Corps unit in the Pacific that my father served in, in World War II, with the 13th Army Air Corps.
“So I have some family and special recognition as to what this unit meant and also a personal appreciation,” he continued. “And on behalf of the United States I want to thank the country of Mexico for their contributions to all of our efforts in World War II.”
Thursday, January 30, 2014
GSA, DOD REPORT ON ACQUISITION AND CYBERSECURITY ALIGNMENT
FROM: GENERAL SERVICES ADMINISTRATION
GSA and DoD Announce Acquisition Cybersecurity and Resilience Recommendations
Washington, DC --- The U.S. General Services Administration (GSA) Administrator Dan Tangherlini, and the Secretary of Defense, Chuck Hagel, today announced six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System.
The jointly issued Department of Defense (DoD) and GSA report, Improving Cybersecurity and Resilience through Acquisition, was submitted to the President in accordance with Section 8(e) of Executive Order (EO) 13636.
Recommended Reforms
The report provides a path forward to aligning Federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.
The six recommended reforms are the following:
Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions
Include cybersecurity in acquisition trainings
Develop common cybersecurity definitions for federal acquisitions
Institute a federal acquisition cyber risk management strategy
Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources
Increase government accountability for cyber risk management
The report is one component of the government-wide implementation of EO 13636 and Presidential Policy Directive (PPD) 21, and was prepared by a working group comprised of subject matter experts selected from across the Federal government.
The working group benefitted from a high level of engagement from public and private sector stakeholders, and the report provides realistic recommendations that will improve the cybersecurity and resilience of the nation when implemented.
DoD and GSA are committed to implementing the recommendations through integration with the numerous ongoing related activities like supply chain threat assessments and anti-counterfeiting.
The agencies will use a structured approach, with continued dedication to stakeholder engagement, and develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements. The implementation will also harmonize the recommendations with existing risk management processes under Federal Information Security Management Act and OMB guidance.
GSA Administrator Dan Tangherlini weighs in:
“The ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System. GSA and the Department of Defense will use continue to engage stakeholders to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements.”
A request for public comment on the draft implementation plan will be published in the Federal Register next month.
GSA and DoD Announce Acquisition Cybersecurity and Resilience Recommendations
Washington, DC --- The U.S. General Services Administration (GSA) Administrator Dan Tangherlini, and the Secretary of Defense, Chuck Hagel, today announced six planned reforms to improve the cybersecurity and resilience of the Federal Acquisition System.
The jointly issued Department of Defense (DoD) and GSA report, Improving Cybersecurity and Resilience through Acquisition, was submitted to the President in accordance with Section 8(e) of Executive Order (EO) 13636.
Recommended Reforms
The report provides a path forward to aligning Federal cybersecurity risk management and acquisition processes. It provides strategic recommendations for addressing relevant issues, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.
The six recommended reforms are the following:
Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions
Include cybersecurity in acquisition trainings
Develop common cybersecurity definitions for federal acquisitions
Institute a federal acquisition cyber risk management strategy
Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources
Increase government accountability for cyber risk management
The report is one component of the government-wide implementation of EO 13636 and Presidential Policy Directive (PPD) 21, and was prepared by a working group comprised of subject matter experts selected from across the Federal government.
The working group benefitted from a high level of engagement from public and private sector stakeholders, and the report provides realistic recommendations that will improve the cybersecurity and resilience of the nation when implemented.
DoD and GSA are committed to implementing the recommendations through integration with the numerous ongoing related activities like supply chain threat assessments and anti-counterfeiting.
The agencies will use a structured approach, with continued dedication to stakeholder engagement, and develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements. The implementation will also harmonize the recommendations with existing risk management processes under Federal Information Security Management Act and OMB guidance.
GSA Administrator Dan Tangherlini weighs in:
“The ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System. GSA and the Department of Defense will use continue to engage stakeholders to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements.”
A request for public comment on the draft implementation plan will be published in the Federal Register next month.
Wednesday, November 20, 2013
JOINT STATEMENT FOLLOWING EU-US JUSTICE AND HOME AFFAIRS MINISTERIAL MEETING
FROM: U.S. JUSTICE DEPARTMENT
Monday, November 18, 2013
Joint Statement Following the EU-US Justice and Home Affairs Ministerial Meeting
Attorney General Eric Holder and Acting Department of Homeland Security (DHS) Secretary Rand Beers today hosted an EU/U.S. Justice and Home Affairs Ministerial with their counterparts in the European Union: Lithuanian Minister of Justice Juozas Bernatonis and Lithuanian Vice Minister of Interior Elvinas Jankevicius representing the Lithuanian Presidency of the Council of the EU; Greek Minister of Justice, Transparency and Human Rights Charalampos Athanasiou representing the incoming Greek Presidency of the EU; and European Commission Vice President Viviane Reding and Commissioner Cecilia Malmström representing the EU Commission.
The U.S. and EU together released the following statement on the meeting:
“Our meeting was constructive and productive. We discussed a broad array of issues critical to the European Union and the United States, including: addressing the problem of sexual abuse of children online; coordinating work on counter-terrorism and security issues; countering violent extremism; expanding cooperation in criminal matters; joint efforts in the areas of cybercrime and cybersecurity; and mobility, migration and border issues. In addition, we discussed the rights of victims of crime, the rights of persons with disabilities and the prosecution of hate crimes.
Of special note, we discussed the threat posed by foreign fighters going to third countries, in particular Syria, and the possible response to address it. We intend to promote close information sharing between our respective agencies, as well as coordinated initiatives in third countries. We also discussed efforts of the U.S. and the EU in countering violent extremism, and agreed to intensify our cooperation.
Our meeting also addressed data protection, and issues related to alleged activities of U.S. intelligence agencies. We together recognize that this has led to regrettable tensions in the transatlantic relationship, which we seek to lessen. In order to protect all our citizens, it is of the utmost importance to address these issues by restoring trust and reinforcing our cooperation on justice and home affairs issues.
The EU and the U.S. are allies. Since 9/11 and subsequent terrorist attacks in Europe, the EU and U.S. have stepped up cooperation, including in the areas of police and criminal justice. Sharing relevant information, including personal data, while ensuring a high level of protection, is an essential element of this cooperation, and it must continue.
We are therefore, as a matter of urgency, committed to advancing rapidly in the negotiations for a meaningful and comprehensive data protection umbrella agreement in the field of law enforcement. The agreement would act as a basis to facilitate transfers of data in the context of police and judicial cooperation in criminal matters, by ensuring a high level of personal data protection for U.S. and EU citizens. We are committed to working to resolve the remaining issues raised by both sides, including judicial redress (a critical issue for the EU). Our aim is to complete the negotiations on the agreement ahead of summer 2014.
We also underline the value of the EU-U.S. Mutual Legal Assistance Agreement. We reiterate our commitment to ensure that it is used broadly and effectively for evidence purposes in criminal proceedings. There were also discussions on the need to clarify that personal data held by private entities in the territory of the other party will not be accessed by law enforcement agencies outside of legally authorized channels. We also agree to review the functioning of the Mutual Legal Assistance Agreement, as contemplated in the Agreement, and to consult each other whenever needed.
We take stock of the work done by the joint EU-U.S. ad hoc Working Group. We underline the importance of the ongoing reviews in the U.S. of U.S. Intelligence collection activities, including the review of activities by the Privacy and Civil Liberties Oversight Board (PCLOB) and the President’s Review Group on Intelligence and Communications Technology (Review Group). The access that has been given to the EU side of the ad hoc Working Group to officials in the U.S. intelligence community, the PCLOB, the Review Group, and U.S. congressional intelligence committees will help restore trust. This included constructive discussions about oversight practices in the U.S. The EU welcomes that the U.S. is considering adopting additional safeguards in the intelligence context that also would benefit EU citizens.
As these ongoing processes continue, they contribute to restoring trust, and to ensuring that we continue our vital law enforcement cooperation in order to protect EU and U.S. citizens.”
Monday, November 18, 2013
Joint Statement Following the EU-US Justice and Home Affairs Ministerial Meeting
Attorney General Eric Holder and Acting Department of Homeland Security (DHS) Secretary Rand Beers today hosted an EU/U.S. Justice and Home Affairs Ministerial with their counterparts in the European Union: Lithuanian Minister of Justice Juozas Bernatonis and Lithuanian Vice Minister of Interior Elvinas Jankevicius representing the Lithuanian Presidency of the Council of the EU; Greek Minister of Justice, Transparency and Human Rights Charalampos Athanasiou representing the incoming Greek Presidency of the EU; and European Commission Vice President Viviane Reding and Commissioner Cecilia Malmström representing the EU Commission.
The U.S. and EU together released the following statement on the meeting:
“Our meeting was constructive and productive. We discussed a broad array of issues critical to the European Union and the United States, including: addressing the problem of sexual abuse of children online; coordinating work on counter-terrorism and security issues; countering violent extremism; expanding cooperation in criminal matters; joint efforts in the areas of cybercrime and cybersecurity; and mobility, migration and border issues. In addition, we discussed the rights of victims of crime, the rights of persons with disabilities and the prosecution of hate crimes.
Of special note, we discussed the threat posed by foreign fighters going to third countries, in particular Syria, and the possible response to address it. We intend to promote close information sharing between our respective agencies, as well as coordinated initiatives in third countries. We also discussed efforts of the U.S. and the EU in countering violent extremism, and agreed to intensify our cooperation.
Our meeting also addressed data protection, and issues related to alleged activities of U.S. intelligence agencies. We together recognize that this has led to regrettable tensions in the transatlantic relationship, which we seek to lessen. In order to protect all our citizens, it is of the utmost importance to address these issues by restoring trust and reinforcing our cooperation on justice and home affairs issues.
The EU and the U.S. are allies. Since 9/11 and subsequent terrorist attacks in Europe, the EU and U.S. have stepped up cooperation, including in the areas of police and criminal justice. Sharing relevant information, including personal data, while ensuring a high level of protection, is an essential element of this cooperation, and it must continue.
We are therefore, as a matter of urgency, committed to advancing rapidly in the negotiations for a meaningful and comprehensive data protection umbrella agreement in the field of law enforcement. The agreement would act as a basis to facilitate transfers of data in the context of police and judicial cooperation in criminal matters, by ensuring a high level of personal data protection for U.S. and EU citizens. We are committed to working to resolve the remaining issues raised by both sides, including judicial redress (a critical issue for the EU). Our aim is to complete the negotiations on the agreement ahead of summer 2014.
We also underline the value of the EU-U.S. Mutual Legal Assistance Agreement. We reiterate our commitment to ensure that it is used broadly and effectively for evidence purposes in criminal proceedings. There were also discussions on the need to clarify that personal data held by private entities in the territory of the other party will not be accessed by law enforcement agencies outside of legally authorized channels. We also agree to review the functioning of the Mutual Legal Assistance Agreement, as contemplated in the Agreement, and to consult each other whenever needed.
We take stock of the work done by the joint EU-U.S. ad hoc Working Group. We underline the importance of the ongoing reviews in the U.S. of U.S. Intelligence collection activities, including the review of activities by the Privacy and Civil Liberties Oversight Board (PCLOB) and the President’s Review Group on Intelligence and Communications Technology (Review Group). The access that has been given to the EU side of the ad hoc Working Group to officials in the U.S. intelligence community, the PCLOB, the Review Group, and U.S. congressional intelligence committees will help restore trust. This included constructive discussions about oversight practices in the U.S. The EU welcomes that the U.S. is considering adopting additional safeguards in the intelligence context that also would benefit EU citizens.
As these ongoing processes continue, they contribute to restoring trust, and to ensuring that we continue our vital law enforcement cooperation in order to protect EU and U.S. citizens.”
Thursday, February 21, 2013
QUANTUM CRYPTOGRAPHY AND ELECTRIC GRID CYBERSECURITY
 |
| Photo caption: The miniature transmitter communicates with a trusted authority to generate random cryptographic keys to encode and decode information. Photo Credit: Los Alamos National Laboratory. |
Quantum Cryptography Put to Work for Electric Grid Security
LOS ALAMOS, N.M., Feb. 14, 2013—Recently a Los Alamos National Laboratory quantum cryptography (QC) team successfully completed the first-ever demonstration of securing control data for electric grids using quantum cryptography.
The demonstration was performed in the electric grid test bed that is part of the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) project at the University of Illinois Urbana-Champaign (UIUC) that was set up under the Department of Energy’s Cyber Security for Energy Delivery Systems program in the Office of Electricity Delivery and Energy Reliability.
Novel methods for controlling the electric grid are needed to accommodate new energy sources such as renewables whose availability can fluctuate on short time scales. This requires transmission of data to and from control centers; but for grid-control use, data must be both trustworthy and delivered without delays. The simultaneous requirements of strong authentication and low latency are difficult to meet with standard cryptographic techniques. New technologies that further strengthen existing cybersecurity protections are needed.
Quantum cryptography provides a means of detecting and defeating an adversary who might try to intercept or attack the communications. Single photons are used to produce secure random numbers between users, and these random numbers are then used to authenticate and encrypt the grid control data and commands. Because the random numbers are produced securely, they act as cryptographic key material for data authentication and encryption algorithms.
At the heart of the quantum-secured communications system is a unique, miniaturized QC transmitter invention, known as a QKarD, that is five orders of magnitude smaller than any competing QC device. Jane Nordholt, the Los Alamos principal investigator, put it this way: "This project shows that quantum cryptography is compatible with electric-grid control communications, providing strong security assurances rooted in the laws of physics, without introducing excessive delays in data delivery."
A late-2012 demonstration at UIUC showed that quantum cryptography provides the necessary strong security assurances with latencies (typically 250 microseconds, including 120 microseconds to traverse the 25 kilometers of optical fiber connecting the two nodes) that are at least two orders of magnitude smaller than requirements. Further, the team’s quantum-secured communications system demonstrated that this capability could be deployed with only a single optical fiber to carry the quantum, single-photon communications signals; data packets; and commands. "Moreover, our system is scalable to multiple monitors and several control centers," said Richard Hughes, the co-principal investigator from Los Alamos.
The TCIPG cyber-physical test bed provides a realistic environment to explore cutting-edge research and prove emerging smart grid technology in a fully customizable environment. In this demonstration, high-fidelity power simulation was leveraged using the real-time digital simulator to enable hardware in the loop power simulation to drive real phasor measurement units (PMUs), devices, deployed on today's electric grid that monitor its operation.
"The simulator provides a mechanism for proving technology in real-world scenarios," said Tim Yardley, assistant director of test bed services. "We're not just using perfect or simulated data, so the results demonstrate true feasibility."
The power simulation was running a well-known power-bus model that was perturbed by introducing faults, which drove the analog inputs on the connected hardware PMU. The PMU then communicated via the standard protocol to the quantum cryptography equipment, which handled the key generation, communication and encryption/decryption of the connection traversing 25 kilometers of fiber. A phasor data concentrator then collected and visualized the data.
"This demonstration represents not only a realistic power model, but also leveraged hardware, software and standard communication protocols that are already widely deployed in the energy sector," said William H. Sanders, the Donald Biggar Willett Professor of Engineering at UIUC and principal investigator for TCIPG. "The success of the demonstration emphasizes the power of the TCIPG cyber-physical test bed and the strength of the quantum cryptography technology developed by Los Alamos."
The Los Alamos team submitted 23 U. S. and foreign patent applications for the inventions that make quantum-secured communications possible. The Los Alamos Technology Transfer Division has already received two licensing inquiries from companies in the electric grid control sector, and the office plans an industry workshop for early 2013 when the team’s patents will be made available for licensing.
The Los Alamos team is seeking funding to develop a next-generation QKarD using integrated electro-photonics methods, which would be even smaller, more highly integrated, and open the door to a manufacturing process that would result in much lower unit costs.
Tuesday, February 19, 2013
CYBERSECURITY AND U.S. CYBER COMMAND
 |
| CYBER COMMANDER GEN. ALEXANDER |
Cybercom Commander Calls Cybersecurity Order First Step
By Army Sgt. 1st Class Tyrone C. Marshall Jr.
American Forces Press Service
WASHINGTON, Feb. 13, 2013 - The cybersecurity policy President Barack Obama announced during his annual State of the Union address is a step toward protecting the nation's critical infrastructure, the commander of U.S. Cyber Command said here today.
Army Gen. Keith B. Alexander, also director of the National Security Agency, joined senior U.S. officials from the White House and the Commerce and Homeland Security departments to discuss strengthening the cybersecurity of the country's critical infrastructure.
"We need a way of sharing information between government and industry -- both for information sharing and hardening our networks," he said. "I think what we're doing in the executive order tackles, perhaps, the most difficult issue facing our country: How do we harden these networks when, across all of industry and government, those networks are in various states of array? We've got to have a way of reaching out with industry and with government to solve that kind of problem."
The general said the new cybersecurity policy is important to strengthening the country's defenses against cyberattacks. "The systems and assets that our nation depends on for our economy, for our government, even for our national defense, are overwhelmingly owned and operated by industry," he explained. "We have pushed hard for information sharing."
Private-sector companies have the information they need to defend their own networks in a timely manner, he said. "However, information sharing alone will not solve this problem," he added. "Our infrastructure is fragile." The executive order Obama signed to put the new cybersecurity policy into effect sets up a process for government and industry to start to address the problem, the general said.
But although the president's new executive order helps to bring about some solutions, Alexander said, it isn't comprehensive.
"This executive order is only a down payment on what we need to address the threat," he said. "This executive order can only move us so far, and it's not a substitute for legislation. We need legislation, and we need it quickly, to defend our nation. Agreeing on the right legislation actions for much-needed cybersecurity standards is challenging."
The executive order is a step forward, though, because it creates a voluntary process for industry and government to establish that framework, Alexander said.
"In particular, with so much of the critical infrastructure owned and operated by the private sector, the government is often unaware of the malicious activity targeting our critical infrastructure," he said. "These blind spots prevent us from being positioned to help the critical infrastructure defend itself, and it prevents us from knowing when we need to defend the nation."
The general noted government can share threat information with the private sector under this executive order and existing laws, but a "real-time" defensive posture for the military's critical networks will require legislation removing barriers to private-to-public sharing of attacks and intrusions into private-sector networks.
"Legislation is also necessary to create incentives for better voluntary cooperation in cyber standards, developments and implementation," he said, "and to update and modernize government authorities to address these new cyber threats."
Alexander warned that potential cyber threats to the United States are very real, pointing to recent examples.
"You only have to look at the distributed denial-of-service attacks that we've seen on Wall Street, the destructive attacks we've seen against Saudi Aramco and RasGas, to see what's coming at our nation," Alexander said. Now is the time for action, he said, and the new executive order takes a step in implementing that action.
In his role as director of the NSA, Alexander said, he is fully committed to the development of the cybersecurity framework.
"We do play a vital role in all of this, and in protecting DOD networks and supporting our combatant commands and defending the nation from cyber-attacks," he said. "But we can't do it all. No one agency here can do it all. It takes a team in the government."
And the government cannot do it by itself, either, he added. "We have to have government and industry working together as a team," he said.
Subscribe to:
Posts (Atom)