Fiorina: Cybersecurity ‘Has To Be A Central Part Of Any Homeland Security Strategy’

By Ben Brody, Bloomberg News (TNS)

WASHINGTON — Despite a Republican presidential field that (mostly) says the U.S. needs to get more aggressive on national security, the candidates have been muted on recent revelations that China has pilfered a massive cache of personal information on millions of U.S. government employees.

But cybersecurity should be a “huge” part of the general security conversation, and now is the right time to talk about it, according to Carly Fiorina, who is among those seeking the Republican nomination.

The former Hewlett-Packard CEO, who has had firsthand experience with cybersecurity issues, sent out a statement in reaction to the hack at the government’s Office of Personnel Management, which could have exposed data from up to 14 million current and former government employees, including 127-page applications for security clearances. Bloomberg invited her to expand.

“This has to be a central part of any homeland security strategy,” Fiorina said in the interview. “The Chinese have had a long-term effort to hack into our databases and systems, which suggests that we should have been on guard for a very long time.

“I’m outraged about this,” she added. “It is yet another example of the complete breakdown of government competence.”

Speaking on the condition of anonymity to discuss intelligence matters, U.S. officials investigating the intrusions at OPM and a number of government contractors have confirmed that the hacks have been traced to the Chinese intelligence service.

As a Republican presidential hopeful, Fiorina has political reasons to cast doubts on the competence of President Barack Obama’s Democratic administration. Her background as a technology executive also makes talking about cybersecurity an opportunity for her to distinguish herself in the crowded field.

Her experience, however, is indisputable. She served on civilian advisory boards for the CIA and National Security Agency. She was also instrumental in securing a literal truckload of servers for the NSA in the weeks after 9/11, according to the National Review.

So what would be her first concrete policy suggestion for preventing another hack? Centralize the government’s cybersecurity operation and put it in the Department of Defense or the Office of the Director of National Intelligence.

“You have to have a consolidated command that has the accountability, the responsibility, for protecting the security of all government systems and databases,” she said. “You can’t have this piecemealed throughout government.”

On this, she seems to agree with the president, who directed the government to centralize cybersecurity efforts after a 2009 report found that “the federal government is not organized to address this growing problem effectively now or in the future” and that “responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority. … ”

The effort is far from complete, though. Even the deployment of hack detection and prevention is still ongoing, and a patchwork of agencies, from the NSA and the Department of Homeland Security to the FBI, is taking responsibility for the security of government computers.

Fiorina also spoke about streamlining government bureaucracy.

“You have to have exceedingly competent people who are there because of their particular expertise, not simply there because they’ve been in government long enough to get there,” she said. “Not everybody has the skills to do this work.”

In addition to centralizing cybersecurity, Fiorina said the government should work with the private sector to detect and repel attacks, although Congress has hampered this by declining to pass legislation that would protect companies that report breaches to the government from legal action.

“Everything in our nation now is dependent in very real ways in network-centric technologies,” she said. “While that gives us great capability, it also gives us great vulnerability.”

(c)2015 Bloomberg News. Distributed by Tribune Content Agency, LLC.

Photo: Gage Skidmore via Flickr

Cybersecurity Measures Inch Forward, But Critics Doubt Their Effectiveness

By Ryan Lucas, CQ-Roll Call (TNS)

WASHINGTON — Lawmakers are pushing measures they say will help boost the nation’s security from cyberattacks, but experts warn the efforts will do little to shield the country from increasingly sophisticated online hacking.

The growing need to protect the government’s computers and private databases from cybertheft and espionage grabbed headlines this month after the Office of Personnel Management revealed that the records of more than 4 million current and former government employees had been compromised by hackers. That attack, the latest in a series to hit federal systems, private health care providers, retailers and even Sony Pictures, has put pressure on the Obama administration and Congress to bolster Internet security.

On Capitol Hill, senators have traded barbs about a bill that would encourage private companies and the government to share information about cyberthreats and data breaches, and create liability protection for firms that do so. The House passed similar legislation earlier this year.

The theory behind these measures is simple: If companies are able to share cyberthreat indicators, other firms and the government can move quickly to secure their systems from the same threat.

The sponsor of the Senate bill, Intelligence Chairman Richard M. Burr, has touted the legislation as a way to thwart cyberattacks while also ensuring privacy rights.

“We can no longer simply watch Americans’ personal information continue to be compromised,” the North Carolina Republican has said. “This bill is long needed and will help us combat threats to our country and our economy.”

Critics of the information-sharing legislation, including Internet-security experts and privacy-rights advocates, contest both of those premises.

On the security side, many argue that information sharing will do little to plug gaps in the nation’s cyberdefenses.

“This really only addresses only a fraction of a fraction of the problem,” said Martin Libicki, senior management scientist at the Rand Corp. “What I think is more troubling is that this (information sharing) is being treated as a panacea.”

Libicki challenged the basic premise of information sharing: that if one company can detect and capture the threat signature of an attack, then it can share it with others. One of the problems with that idea, Libicki said, is it presumes hackers won’t change the threat signatures — the unique components of malicious computer code — to evade detection.

“That’s a big presumption,” he said.

It also assumes companies will want to share information about cyberthreats. But with reputations and stock prices at stake, that’s not always the case — even if a company enjoys the sort of liability and anti-trust protections offered by the legislation.

In April, more than 60 Internet-security researchers and professionals sent a letter to the leaders of the House and Senate Intelligence committees to express their opposition to all three information-sharing bills. They said the legislation permits overly broad sharing and would not contribute to greater cybersecurity.

Some in the Internet-security field, however, don’t paint information sharing in entirely dark tones.

Denise Zheng, a senior fellow at the Center for Strategic and International Studies, said having access to the contextual information of an attack — the intent, the motive, the general tactics — is useful.

“It’s a step in the right direction. It will encourage or incentivize information sharing. But information sharing is just one piece of the equation,” Zheng said. “After you get access to the information about the threat, you have to take action, and the bill doesn’t do anything to compel action.”

In the wake of the Edward Snowden leaks about the National Security Agency’s programs, a cloud of privacy and civil liberties concerns invariably hangs over any cybersecurity legislation.

Lawmakers tried to address some of the privacy concerns by mandating personal information be scratched out of any data before it is sent to a government agency. One of the House bills even calls for two rounds of personal information scrubbing.

Despite those measures, concerns remain over where the information shared with the government will end up and to what purpose it will be put.

The Senate bill would permit the government to channel the cyberthreat information it receives from companies toward run-of-the-mill law enforcement investigations unrelated to cybersecurity, said Greg Nojeim, chief counsel at the Center for Democracy and Technology, which advocates for Internet privacy rights and legal controls on government surveillance.

“So for example, the Department of Justice could pool the information it receives under this program and mine it repeatedly for use in criminal investigations,” Nojeim said.

Among Congress’ sharpest critics of the bill is Sen. Ron Wyden. The Oregon Democrat was the sole member of the Senate Intelligence Committee to vote against the measure at the committee level.

“If you have a cyber bill without real privacy protections, it’s not really a cybersecurity bill, it’s a surveillance bill,” Wyden told reporters this week.

On the Senate side, the information sharing bill made its way to the floor this month, where Majority Leader Mitch McConnell allowed it to be offered as an amendment to the annual defense policy bill, HR 1735.

That infuriated many Democrats, who want the bill presented as stand-alone legislation so that it can be subject to debate and amendments. Senate Armed Services Chairman John McCain (R-AZ) eventually withdrew the amendment after it failed to achieve the 60 votes needed to overcome a Democratic filibuster.

(c)2015 CQ-Roll Call, Inc., All Rights Reserved. Distributed by Tribune Content Agency, LLC.

Photo: Bob Micah via Flickr