U.S. Is Losing Global Cyberwar, Commission Says.

[andre kesteloot]

*U.S. Is Losing Global Cyberwar, Commission Says.* 
<mailbox:///C%7C/Documents%20and%20Settings/Andre/Application%20Data/Thunderbird/Profiles/4j7ohae6.default/Mail/Local%20Folders/Inbox?number=276689568#toc_cyberwar> 
The U.S. faces a cybersecurity threat of such magnitude that the next 
President should move quickly to create a Center for Cybersecurity 
Operations and appoint a special White House advisor to oversee it. 
Those are among the recommendations in a 44-page report by the U.S. 
Commission on Cybersecurity. The bipartisan panel includes executives, 
high-ranking military officers and intelligence officials, leading 
specialists in computer security, and two members of Congress.

To compile the report, which is entitled "Securing Cyberspace in the 
44th Presidency," commission members say they reviewed tens of thousands 
of pages of undisclosed documentation, visited forensics labs and the 
National Security Agency, and were briefed in closed-door sessions by 
top officials from Pentagon, CIA, and British spy agency MI5. From their 
research, they concluded that the U.S. badly needs a comprehensive 
cybersecurity policy to replace an outdated checklist of security 
requirements for government agencies under the existing Federal 
Information Security Management Act.

The report calls for the creation of a Center for Cybersecurity 
Operations that would act as a new regulator of computer security in 
both the public and private sector. Active policing of government and 
corporate networks would include new rules and a "red team" to test 
computers for vulnerabilities now being exploited with increasing 
sophistication and frequency by identity and credit card thieves, bank 
fraudsters, crime rings, and electronic spies. "We're playing a giant 
game of chess now and we're losing badly," says commission member Tom 
Kellermann, a former World Bank security official who now is 
vice-president of security at Boston-based Core Strategy.

Kellermann should know: He had a hand in crafting the nation's 
cybersecurity strategy in 2003. But as he tells it, government efforts 
led by the Homeland Security Dept. have been stymied by bureaucratic 
confusion and an unwillingness by agencies and corporations to share 
information about cyber break-ins. The commission's report catalogues 
incidents afflicting financial institutions, large corporations, and 
government agencies, including some first detailed publicly over the 
last year in various BusinessWeek articles. In an ominous note for the 
private sector, the commission notes that "senior representatives from 
the intelligence community told us they had conclusive evidence covertly 
obtained from foreign sources that U.S. companies have lost billions in 
intellectual property." For more on the spread of malicious software, 
read Saturday's New York Times article, "Thieves Winning Online War, 
Maybe Even in Your Computer."

Kellermann describes a behind-the-scenes effort by several members of 
the commission, some of whom are advisors on President-elect Barack 
Obama's transition team, to convince him of the need for action "to stop 
the hemorrhaging of national secrets, proprietary information, and 
personal data. We need to begin to deal with this cancer." Informal 
briefings by members of the commission, starting last July, seem to have 
affected Obama's thinking, sources say. Those who worry about the 
problem are heartened by his July 16 vow to "declare our 
cyber-infrastructure a strategic asset" and to "bring together 
government, industry, and academia to determine the best ways to guard 
the infrastructure that supports our power." At the time, the candidate 
also pledged that, if elected, he would appoint a "national cyber 
advisor" who would report directly to the President.

As the world's corporations, governments, military forces, and computer 
users have gravitated to the Web, so have competitors, adversaries, 
criminals, and spies, including government-backed electronic operatives 
establishing footholds for potential attacks, according to groups such 
as the congressionally created U.S.-China Economic & Security Review 
Commission, which warned on Nov. 21 of the threat from China 

"The damage from cyber attack is real," states the cybersecurity group's 
report, referring to intrusions last year at the departments of Defense, 
State, Homeland Security, and Commerce, and at NASA and the National 
Defense University.

The report continues: "The Secretary of Defense's unclassified e-mail 
was hacked and DOD officials told us that the department's computers are 
probed hundreds of thousands of times each day; a senior official at 
State told us the department has lost 'terabytes' of information; 
Homeland Security suffered 'break-ins' in several of its divisions, 
including the Transportation Security Agency; Commerce was forced to 
take the Bureau of Industry and Security offline for several months; 
NASA had to impose e-mail restrictions before shuttle launches and 
allegedly has seen designs for new launchers compromised. Recently, the 
White House itself had to deal with unidentifiable intrusions in its 
networks."

The report mentions some of the most severe threats, such as those being 
faced by U.S. war fighters in Iraq and Afghanistan, only hypothetically. 
It notes, for instance, that "the U.S. has a 'blue-force tracking' that 
tells commanders where friendly forces are located," and then goes on to 
posit a scenario under which an opponent could turn some of the blue 
signals to red, a color used to flag adversaries' forces. The 
implication is that an intruder might, for instance, provoke a so-called 
friendly-fire incident in which U.S. fighters mistakenly target U.S. 
personnel.

At least six members of the commission approached by BusinessWeek 
declined to share specifics of the most recent intrusions into the 
computers of companies, the Pentagon, the U.S. Central Command, and 
important centers of military operations such as Bagram Air Base in 
Afghanistan. Defense and intelligence officials also declined to 
describe the operational impacts of that massive penetration of 
corporate and military networks, but they did confirm that it culminated 
Nov. 22 in the raising of U.S. Strategic Command's threat level - known 
as INFOCON - which entailed banning plug-in devices such as thumb drives 
throughout the U.S. military and in some allied forces. Emergency 
briefings were also given to Obama and President Bush.

As first reported Nov. 28 by Los Angeles Times in "Cyber-Attack on 
Defense Department Computers Raises Concerns,", the intrusion and 
compromise of the U.S. military networks began with a piece of malicious 
software - or malware - known as agent.btz, which has also afflicted 
corporate networks in recent months, U.S. military officials and private 
cybersecurity specialists confirmed. Such intrusions have grown 
increasingly sophisticated and difficult to trace to their origins. The 
latest generation of malware, developed by gangs and governments with 
large sums of money at their disposal, can easily cloak its activities 
and capabilities.

Complicating the cleanup is not only the nature of the malicious 
software, but the sheer scale of the task: The U.S. military has around 
7 million vulnerable electronic devices. U.S. military officials tell 
BusinessWeek that assuring themselves that they have cleansed their 
computers of the intruders that gained a foothold via agent.btz has 
grown increasingly uncertain and expensive. Forensics examinations and 
the reprogramming of each computer - which continues in the Pentagon, in 
Central Command headquarters in Tampa, and in military installations in 
Afghanistan - costs around $5,000 to $7,000 per machine, sources said.

Kellermann and other computer security consultants declined to discuss 
the threat to the U.S. military, though several said they were 
intimately familiar with it. But Kellermann said it was yet another 
example of how "the cyber security threat has really gotten out of 
control. But it's not only a national security threat. It's an economic 
security threat." [Epstein/BusinessWeek 
<http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm>/8December2008] 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.amrad.org/pipermail/tacos/attachments/20081216/7213938d/attachment.htm