The recent disclosure of top-secret information about the National Security Agency's controversial cyber intelligence program PRISM remains a hot topic for discussion. Here in the United States, 47 senators attended the June 13 briefing by NSA Director Gen. Keith Alexander and others, including representatives from Office of the Director of National Intelligence and the FBI. Not much new has come out after that briefing, but the polarizing discussion has spread around the globe.
U.S. allies in the U.K. met to discuss this NSA practice. British Foreign Secretary William Hague emphatically stated that all data obtained by the U.K. from the U.S. that involved British citizens was subjected to proper U.K. statutory controls and safeguards.
Another meeting took place in the European Union that resulted in strong backlash. During that meeting some called for immediate investigations into the matter. Many asked for clarification as to what specific EU data was collected by the NSA. One individual went as far as to state that those companies that provided the NSA EU data or access to data may have violated EU law and that should be pursued.
The individual went on to add that the EU must make sure the U.S. respects the privacy rights (and laws) of EU citizens. Still others question what kind of partner the United States is when it is spying on EU citizens' communications.
Edward Snowden revealed documents that detail the eavesdropping on then-Russian President Dmitry Medvedev's phone calls, and the monitoring of emails and BlackBerry traffic of Russian delegates. This is said to have taken place during the 2009 London G-20 Summit, as the visiting foreign dignitaries used the infrastructure of Internet cafés set up specifically for this purpose. It should be noted that the British intelligence service Government Communications Headquarters (GCHQ) was named in these monitoring and intercept allegations.
So when President Obama headed to Europe June 17-19 for the G-8 Summit -- where he met with current Russian President Vladimir Putin -- the backlash was almost inevitable. Public dissent was particularly strong in Germany, where politicians are demanding answers because some believe the NSA program may infringe on the rights of German citizens.
And the United States should probably brace for more. One can easily see how the public disclosure of this controversial program could become the excuse used for monitoring and other acts of cyber aggression that target the United States. It is only a matter of time.
Posted on Jun 20, 2013 at 12:48 PM
The electronic spying controversy has captured the news media and the attention of lawmakers in Washington, as well as much of the American public. The polarization on this topic is clearly evident just listening to the coverage on five of the major TV networks: NBC, ABC, CNN, CBS and FOX. Surprisingly, support for this program is not split along party lines.
What is not very surprising to many who are or have been involved in the intelligence community is the change in President Barack Obama’s opinion and attitude from earlier in his political career. I once heard a story that when a senior government official was first briefed on the current state of the threat, he stopped the briefing halfway through and dropped his head in his hands.
Just imagine what the cyber threat environment looks like from the top (NSA Director Gen. Keith Alexander or President Obama), compared to the mental picture of that environment the general public currently has.
There has to be some degree of trust by the American public. That being said, trust is earned—not freely given. Gaining, or as some would say regaining, that trust must be a priority for the administration and the intelligence community. And, as we’ve seen over the last week, that job just got a lot tougher.
What is likely to be the biggest leak of classified information in history will have far-reaching implications, of which most will not be evident or known to the public. It is a huge blow to the security of the nation.
However, the damage does not stop there. America’s allies are watching this very closely, and wondering if they, too, will be damaged by the fallout. They have to ask, how safe is the intelligence they collect and provide the U.S. in light of what has just taken place?
Posted on Jun 14, 2013 at 4:34 AM
Cyber breaches have become all too common, and there is a growing belief that they are inevitable. I’m sure we have all read about the material impact of these events, but there is another set of implications that has not been covered.
Few people would dispute the monetary impact that a cyber breach has on the organization experiencing the event. Numbers are thrown about that suggest the financial impact of a breach is between $2,000 and $2,500 per record. While much attention has been given to that aspect of the crime, far less attention has been paid to the hidden impact.
In examining a few incidents that I have worked on, I have seen that there is also an emotional impact on individuals. For example, think of the user who receives a phishing email, falls for it and clicks on the link. That individual becomes ground zero for the cyber attack, and his or her actions result in the computer being infected and malicious code spreading through emails sent to colleagues, business partners and friends.
FACT: In 2013, Radicati Group estimates there will be over 900 million corporate email accounts. That is a target rich environment to be sure. (Think of all the information in corporate emails.)
Once the attack is detected, the e-forensics work begins and eventually a computer is identified as ground zero. The individual assigned to that computer is immediately on edge and may even feel that their personal space has been violated. They wonder: did I do something wrong, or will I be fired over this? In some cases word gets out that the malware originated from their online actions. Practical jokes, name calling and ridicule are all too common.
Now consider the IT security department if the systems they protect are compromised and the organization experiences loss of customers, possibly fines and penalties, as well as the cost of repairs and credit monitoring. Those individuals feel a sense of defeat; a cyber adversary has beaten them. Many also wonder if they will be fired.
The implications of a breach go far beyond what we commonly see in the headlines. The true cost must be taken into consideration when assessing the proper level of security for these systems.
Posted on Jun 05, 2013 at 2:46 PM
One of the most frequent questions I receive as a result of my blog postings deals with how to properly assess cyber security within the context of the cyber threat environment. The biggest misconception out there deals with penetration testing.
“Pen-testing” is not the first step. It plays a critical part in the overall cyber security program, but cyber security assessments must be far more robust.
When this question is asked, I recommend the ISO 27000 series (http://www.27000.org/), and I also include ISO 28000 (security management systems for the supply chain) as the foundation upon which to assess an organization’s current defensive cyber posture. These standards are published by the International Organization for Standardization (ISO); the 27000 series is a joint ISO/IEC publication with the International Electrotechnical Commission, and both are updated regularly.
Naturally, we have added a few things to the 27000 and 28000 standards. It is amazing how many people have heard of the quality standard ISO 9000, but have not heard about the ISO security series of standards.
This set of ISO standards addresses information security management from multiple perspectives. Using these standards, cyber security evaluators can ask a series of questions and determine the current cyber security measures that an organization has put in place. The answer to each assessment question is recorded and given a rating from 1 (low/incomplete) to 5 (high/complete), and a graphical scorecard is created that illustrates the results.
As the assessment is repeated on an annual or semi-annual basis, the previous score for each area is shown and contrasted with the current score. This allows quick interpretation of changes, both positive and negative, in the organization’s security posture.
While a perfect cyber security assessment does not exist, using the internationally recognized ISO set of standards provides a solid foundation upon which organizations can build. Many organizations start with a scaled-down version of the standards because of just how poorly many score when measured against the complete standard.
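The scoring, scorecard and year-over-year comparison described above, as an added example that is not code from the original post or from any ISO publication. It validates that every answer is an integer rating from 1 to 5, averages the ratings per control area, contrasts the current score with the previous assessment, flags the areas that regressed, and renders a text scorecard; it also supports the scaled-down questionnaire mentioned above. The area names, questions and two years of answers are constructed placeholders loosely named after ISO/IEC 27001 Annex A domains, not the standard's actual text.

```python
"""Scorecard for a questionnaire-based security posture assessment (added example)."""
from typing import Dict, List, Optional, Tuple

RATING_MIN, RATING_MAX = 1, 5  # 1 = low/incomplete, 5 = high/complete

# Assessment questions grouped by control area (constructed, illustrative only).
QUESTIONS: Dict[str, List[str]] = {
    "Security policy": [
        "Information security policy approved by management",
        "Policy reviewed at planned intervals",
    ],
    "Access control": [
        "Documented access control policy",
        "Privileged access restricted and logged",
        "User access rights reviewed periodically",
    ],
    "Incident management": [
        "Incident response procedure documented",
        "Incidents reported and tracked",
        "Lessons learned fed back into controls",
    ],
}

Answers = Dict[str, Dict[str, int]]  # area -> question -> rating


def validate(answers: Answers, questions: Dict[str, List[str]] = QUESTIONS) -> None:
    """Reject unknown areas/questions, unanswered questions and ratings outside 1..5."""
    for area, ratings in answers.items():
        if area not in questions:
            raise ValueError(f"unknown area: {area}")
        for q, r in ratings.items():
            if q not in questions[area]:
                raise ValueError(f"unknown question in {area}: {q}")
            if not isinstance(r, int) or not RATING_MIN <= r <= RATING_MAX:
                raise ValueError(f"rating for {q!r} must be an integer "
                                 f"{RATING_MIN}-{RATING_MAX}, got {r!r}")
        missing = set(questions[area]) - set(ratings)
        if missing:
            raise ValueError(f"unanswered in {area}: {sorted(missing)}")


def score_areas(answers: Answers, questions: Dict[str, List[str]] = QUESTIONS) -> Dict[str, float]:
    """Average the 1-5 ratings for each area, rounded to one decimal."""
    validate(answers, questions)
    return {area: round(sum(r.values()) / len(r), 1) for area, r in answers.items()}


Comparison = Dict[str, Tuple[Optional[float], float, Optional[float]]]


def compare(previous: Optional[Dict[str, float]], current: Dict[str, float]) -> Comparison:
    """Pair each area's previous and current score with the delta (None when no prior score)."""
    result: Comparison = {}
    for area, now in current.items():
        before = previous.get(area) if previous else None
        delta = None if before is None else round(now - before, 1)
        result[area] = (before, now, delta)
    return result


def regressions(comparison: Comparison) -> List[str]:
    """Areas whose score dropped since the last assessment."""
    return [area for area, (_, _, delta) in comparison.items() if delta is not None and delta < 0]


def render_scorecard(comparison: Comparison) -> str:
    """Text scorecard: one row per area, with a bar sized by the current score."""
    lines = [f"{'Area':<20} {'Prev':>5} {'Curr':>5} {'Delta':>6}  Bar"]
    for area, (before, now, delta) in comparison.items():
        prev_s = "-" if before is None else f"{before:.1f}"
        delta_s = "-" if delta is None else f"{delta:+.1f}"
        filled = int(round(now))
        bar = "#" * filled + "." * (RATING_MAX - filled)
        lines.append(f"{area:<20} {prev_s:>5} {now:>5.1f} {delta_s:>6}  [{bar}]")
    return "\n".join(lines)


def scaled_down(areas: List[str], questions: Dict[str, List[str]] = QUESTIONS) -> Dict[str, List[str]]:
    """Subset of the questionnaire for an organization starting small."""
    unknown = set(areas) - set(questions)
    if unknown:
        raise ValueError(f"unknown areas: {sorted(unknown)}")
    return {area: questions[area] for area in areas}


# Constructed answers for two assessment cycles (invented data).
LAST_YEAR: Answers = {
    "Security policy": {"Information security policy approved by management": 3,
                        "Policy reviewed at planned intervals": 2},
    "Access control": {"Documented access control policy": 2,
                       "Privileged access restricted and logged": 3,
                       "User access rights reviewed periodically": 1},
    "Incident management": {"Incident response procedure documented": 4,
                            "Incidents reported and tracked": 4,
                            "Lessons learned fed back into controls": 3},
}
THIS_YEAR: Answers = {
    "Security policy": {"Information security policy approved by management": 4,
                        "Policy reviewed at planned intervals": 3},
    "Access control": {"Documented access control policy": 3,
                       "Privileged access restricted and logged": 4,
                       "User access rights reviewed periodically": 2},
    "Incident management": {"Incident response procedure documented": 4,
                            "Incidents reported and tracked": 3,
                            "Lessons learned fed back into controls": 2},
}

if __name__ == "__main__":
    comparison = compare(score_areas(LAST_YEAR), score_areas(THIS_YEAR))
    print(render_scorecard(comparison))
    print("Regressed:", regressions(comparison))
```

The per-area average is deliberately simple; the useful part for a recurring assessment is the comparison, which makes a drop in any area (here, incident management) stand out even when the overall picture improved. Validation rejects partial or out-of-range answers so a missing question cannot silently inflate an area's score.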
It is worth your time to look at ISO 27000, and to keep in mind that there is a big difference between compliance requirements and security standards like those issued by ISO.
Posted on May 28, 2013 at 12:55 PM