Tag Archives: Cybersecurity

US launches voluntary cybersecurity plan

The US administration on Wednesday launched a cybersecurity plan which aims to use voluntary collaboration from the private sector to protect critical infrastructure from computer hackers.

The initiative stems from an executive order issued last year by President Barack Obama after repeated failures in Congress of a cybersecurity law.

The so-called cybersecurity framework allows the government to lead an information-sharing network but stops short of making mandatory the reporting of cyber threats.

The goal is to protect so-called critical infrastructure, which can include power grids, water systems and financial networks against which a cyberattack could have crippling consequences.

Obama said the voluntary framework “is a great example of how the private sector and government can, and should, work together to meet this shared challenge.”

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.

“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.”

Voluntary tradition
A senior administration official said the framework is the result of one year of consultations with industry experts and others.

“We wanted this framework to be voluntary because it encourages the widest set of stakeholders to come forward and work with us,” the official said.

“Voluntary standards are a tradition in this country because they work.”

Obama and other officials have continued to press lawmakers for cybersecurity legislation, which could give the government broader ability to prevent and respond to computer attacks.

Lawmakers have been deadlocked on cybersecurity legislation, amid opposition from an unusual coalition of civil libertarians — who fear government snooping — and conservatives who said it would create a new bureaucracy.

US military officials have argued that legislation is needed to protect infrastructure critical to safeguarding national defense, including power grids, water systems and industries ranging from transportation to communication.

Senator Jay Rockefeller, who has spearheaded cybersecurity efforts in Congress, praised the new plan.

“The recent data breaches at Target and other retailers are a stark reminder that our networks continue to be vulnerable to cyber attacks,” Rockefeller said in a statement.

The senator added that the plan “represents the careful thinking of our country’s top security experts. It should become an essential touchstone, not just for critical infrastructure operators, but for all companies and government agencies that need to protect their systems and their data.”

But Greg Nojeim at the digital rights activist Center for Democracy & Technology said the plan is weak on privacy protection after the latest update removed specific privacy language.

“We would have preferred a framework that requires more measurable privacy protections,” Nojeim said.

Suzanne Spaulding, acting under secretary of Homeland Security, encouraged the private sector to adopt the voluntary standards.

“Both the private sector and government have a role to play in strengthening our nation’s critical infrastructure security and resilience, including cybersecurity, and it is imperative that we as a country take coordinated actions to achieve this goal,” she said in a blog post.

But the technology policy think tank Tech Freedom expressed doubt.

“The govt is producing only basic #cybersecurity standards, with little incentive for private sector to participate,” the group tweeted.

Filed under Defence Talk

Indra Creates An Advanced Cybersecurity Operations Center

Wednesday, July 17th, 2013

Indra has created i-CSOC (CyberSecurity Operations Center), a new center specialized in cybersecurity operations, from which it provides protection for systems and networks for companies, organizations and institutions that require it.

Indra’s centre was founded with the aim of becoming an international benchmark. It has approximately 100 experts working together in a 500 m² facility fitted out and equipped with the most advanced technology.

i-CSOC has a cybersecurity laboratory, which differentiates it from similar centers. From there it analyses new technologies, develops solutions and simulates attacks in secure environments. It also conducts forensic analyses of attacks and malware – after the fact – to design cybersecurity solutions.

Another feature that makes i-CSOC unique is its cyberdefence area. This area is physically separate from the rest of the center’s working space, shielded and protected from radiation and subject to strict access control, and it has a security certificate. This area provides services to defence ministries of NATO countries.

This cyberdefence capability gives i-CSOC privileged knowledge of both threats and the most effective countermeasures. Indra customers therefore have a guarantee that they are working with the most highly qualified experts.

Another innovative working area of i-CSOC is cyberintelligence, which analyses information on the web to detect reputation risks and electronic fraud.

All this knowledge enables Indra to provide a cybersecurity management service (24x7x365) to companies and government bodies at the highest level, and positions i-CSOC ahead of other centres of this type. The company monitors, operates and manages the cybersecurity vulnerabilities of its customers from this centre and provides a response capability for any incident.

Lastly, i-CSOC has a communications area that disseminates information about threats and the countermeasures to be taken. It also provides training to system administrators and trains them in a live environment in which attacks are recreated.

The creation of i-CSOC allows Indra to concentrate and strengthen all the cybersecurity knowledge it has. The company can also provide the best service at the most competitive cost. Among the most immediate benefits: the need to maintain cybersecurity experts at the customer’s facilities is reduced, which represents a significant saving; and the center serves multiple customers, which helps i-CSOC detect common vulnerabilities and problems early on.

Indra is the number one multinational consultancy and technology company in Spain and a leader in Europe and Latin America. Innovation is the cornerstone of its business and sustainability. The company has allocated more than €550 million to R&D&i in the last three years, making it one of the leading companies in Europe in its sector in terms of investment. With sales of approximately €3,000 million, nearly 60% of its revenue comes from international markets. The company employs 42,000 professionals and has customers in 128 countries.

Army releases new leaders’ handbook on cybersecurity

Tuesday, June 4th, 2013

The Army published a new handbook this month to provide leaders of all levels with the information and tools needed to address today’s cybersecurity challenges, and to ensure organizations adopt the necessary practices to protect their information and the Army network.

“We must change our culture, enforce compliance, and ensure that people are accountable for proper security procedures,” Secretary of the Army John McHugh said in a Feb. 1 memo mandating Information Assurance/Cybersecurity awareness training.

Currently, all Army commands are developing Information Assurance/Cybersecurity awareness training to address areas of weakness identified by the Army Information Assurance Self-Assessment Tool. During the Army Cybersecurity Awareness Week, Oct. 15-18, commanders will train personnel based on command plans and highlight the importance of individual responsibilities.

“Beyond required security training, we need you to make certain that all of your Soldiers, civilians, and contractors understand the threat they pose to operational security by not complying with IA/Cybersecurity policies and practices,” McHugh said, addressing all Army leaders.

McHugh also directed all commands to incorporate Information Assurance into their command inspection programs.

More information and guidance are available on the Army Information Assurance One-Stop Shop portal, which is CAC-accessible.

White House mulls move as cybersecurity bill fails

Monday, November 19th, 2012

The White House said Thursday it was considering an executive order on cybersecurity after legislation on infrastructure protection failed again in the Senate.

“The president is determined to protect our nation against cyber threats,” said Caitlin Hayden, spokeswoman for the White House National Security Council after Wednesday’s failure in the Senate of a bill aimed at protecting US “critical infrastructure” from cyber attacks.

Hayden said the White House was exploring ways “to more effectively secure the nation’s critical infrastructure by working collaboratively with the private sector” and that this may result in an executive order.

She said such an order “is not a substitute for new legislation” and “doesn’t create new powers or authorities (but) it does set policy under existing law.”

In the lame-duck session, the bill backed by President Barack Obama failed to get the 60 votes needed to proceed under Senate rules. It was backed by a 51-47 vote.

The failure of the bill for the second time in three months prompted political sniping from supporters and detractors.

“Once again, Senate Republicans have chosen to filibuster much-needed cybersecurity legislation and, in so doing, have ignored the advice of the country’s most senior military and national security officials,” said Senator Jay Rockefeller, a key backer of the measure.

“Republican members have once again sided with the Chamber of Commerce, and not our military officials, on a national security issue.”

Republican Senator Charles Grassley, however, claimed the bill was “flawed” and failed to see adequate debate.

“No one disputes the need for Congress to address cybersecurity,” Grassley said.

“However, members do disagree with the notion this problem requires legislation that increases the size of the federal government bureaucracy and places new burdens and regulation on businesses.”

The measure was blocked amid opposition from an unusual coalition of civil libertarians — who feared it could allow too much government snooping — and conservatives who said it would create a new bureaucracy.

US military officials have argued that legislation is needed to protect infrastructure critical to safeguarding national defense, including power grids, water systems and industries ranging from transportation to communication.

Senator Susan Collins, a Republican who supported the bill, said the issue remains of critical importance.

“Every day that we wait, our country becomes more vulnerable to a serious cyber attack, indeed a catastrophic attack,” she said in a statement.

“Experts have also repeatedly warned that the computer systems that run our critical infrastructure — our electric grid, pipelines, water systems, financial networks, and transportation systems — are vulnerable to a major cyber attack.”

Some industry leaders expressed disappointment on the failure of the bill.

“Stalemate doesn’t make the issue go away,” said Software Alliance president Robert Holleyman.

“There is no getting around the fact that we need to bolster America’s cybersecurity capabilities. We urge both parties to put this issue at the top of the agenda in the next Congress.”

The Electronic Frontier Foundation, which promotes online freedoms, called the Senate bill “dangerously vague” and a threat to privacy.

“We’re looking forward to having a more informed debate about cybersecurity next session, and hope Congress will bear in mind the serious privacy interests of individual Internet users,” said EFF attorney Lee Tien.

“We don’t need to water down existing privacy law to address the challenges of cybersecurity.”

In a related matter, the White House confirmed reports this week that Obama signed a directive which can help the US military thwart cyber attacks.

“This step is part of the administration’s focus on cybersecurity as a top priority. The cyber threat has evolved since 2004, and we have new experiences to take into account,” a senior US official said.

“The directive itself is classified, so we cannot discuss all of the elements contained in it,” the official said, adding that it “establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal.”

US scholarships aim to close cybersecurity gap

Monday, October 1st, 2012

For students seeking to become cyber warriors, the US government has a sweet deal.

Full tuition, expenses and a stipend will be paid at any of dozens of universities for students to get specialized cybersecurity training, in exchange for an equal number of years working for a federal agency.

The CyberCorps program launched in 2000 highlights how desperate the US government is to get people with the special skills to keep computer networks secure.

Backers of the program say it is having a modest impact in meeting the country’s growing cybersecurity needs.

“We have a large number of people who are students of cybersecurity, report writers, analysts,” said Alan Paller, research director at the SANS Institute and head of a task force advising the Department of Homeland Security on cyber skills.

“And we have a very small group who are the hunters. They are the ones who find out how the bad things happen and how to stop it.”

Paller said there is intense competition for the small number of highly trained individuals.

“Every single company is searching for these hunters,” he said.

Since the program was launched a decade ago, more than 2,000 students have received scholarships from the program, which is now available through 46 US universities.

Victor Piotrowski, program director for the CyberCorps, said the effort is aimed at boosting a “very small pool of people who have cybersecurity training.”

The program, funded through the National Science Foundation, currently graduates around 150 students each year. But that is small compared with China, which trains “a thousand times more” people, according to Piotrowski.

It is difficult to find people with a science and technology background, but cybersecurity adds more requirements — those working for US government agencies must be US citizens, without any criminal records.

Piotrowski said each year some 40 to 60 federal agencies compete for about 150 graduates, virtually ensuring a job for each.

“I can’t think of any other profession which attracts so many agencies,” he said.

Highlighting the shortage, Piotrowski said some graduates — who are required to work in government for the same number of years for which they receive a scholarship — sometimes get job offers from the private sector which allow them to bypass that requirement by paying back the government.

But Piotrowski said it’s not necessarily bad if students move on to the private sector.

He said a large number of graduates go to top-secret jobs at places like the National Security Agency, but that all organizations need cybersecurity, from the Federal Reserve to utility companies.

“The argument is that defending cybersecurity is not only a government effort,” he said. “We are only as strong as the weakest link. So by that reasoning it is not a loss.”

The program offers aid similar to that of Reserve Officer Training Corps, which offers student aid for those going into the military.

Andreae Pohlman, a recent graduate of the program at George Washington University who is set to begin a government job, said the training included real-life attack and defense simulations which included some surprises.

In one competition, “We didn’t know there were already back doors in our machines. We thought we were winning the whole time.”

This offered a valuable lesson, she said: “It’s important to get experience and exposure about the type of exploitation tools out there.”

Mischel Kwon, another George Washington cybersecurity graduate who went on to head the US Computer Emergency Readiness Team before starting her own consulting firm, said awareness is a major issue.

“A lot of the problem is understanding we have a problem,” she said.

“The workforce needs to grow and I think CyberCorps is a great way of doing that. We need to educate executives and company boards and help heads of agencies understand this is a priority that needs to be funded.”

Patrick Kelly graduated from the GWU program and now teaches there in addition to his work at a federal agency.

Kelly said he tries to get students to learn about a range of possible threats like “phishing” e-mails, physical attacks and data thefts from portable thumb drives.

But he said the bad guys are constantly changing tactics.

“It’s getting more severe,” he said. “There is now an ability to automate attacks. The number of attacks and successful ones are going up exponentially, you’re always playing catch-up.”

Piotrowski said that the program has little trouble securing funding from Congress. In fact, he said lawmakers added $20 million to the $25 million requested a year ago.

“We don’t have a problem defending the program,” he said.

Paller said there is a growing concern that “the next war will be in cyberspace” and that the US is ill prepared.

“We are pretty darn good at figuring out how to do attacks,” he said. “But we are much more vulnerable to these attacks than everyone else.”

Unique Program to Educate Next Generation of US Cybersecurity Leaders

Monday, June 11th, 2012

University of Maryland and Northrop Grumman create nation’s first cybersecurity honors program for undergraduates

The University of Maryland and the Northrop Grumman Corporation (NYSE:NOC) will launch a landmark honors program designed to educate a new generation of advanced cybersecurity professionals. The unique program, Advanced Cybersecurity Experience for Students (ACES), will immerse undergraduate students in all aspects of the field to meet growing manpower needs in the nation and the State of Maryland.

ACES will engage a highly talented, diverse group of students—majors in computer science, engineering, business, public policy and the social sciences—in an intensive living-learning environment that focuses on the multifaceted aspects of cybersecurity and develops team-building skills. Students will take on an advanced, cross-disciplinary curriculum developed through industry consultation, and will interact directly with industry and government cybersecurity mentors. Students enrolled in the program will have the option of interning with Northrop Grumman and preparing for security clearance. ACES will produce skilled, experienced cybersecurity leaders highly sought by corporate and government organizations.

The Northrop Grumman Corporation will provide a grant of $1.1 million to launch the program, which will begin in the fall of 2013, and support it for an additional two years. The University of Maryland will match that amount.

The ACES Program will serve as an inaugural Regional Workforce Project of The Business-Higher Education Forum (BHEF), of which University System of Maryland Chancellor William E. (“Brit”) Kirwan is Chair, and Northrop Grumman Chairman, Chief Executive Officer and President Wes Bush is Vice Chair.

Stated Patrick O’Shea, University of Maryland Vice President for Research, “Together with industry leader Northrop Grumman, we have developed the ACES Honors Program to produce a new generation of experts prepared to take on real-world cybersecurity challenges. We expect that ACES, like our other honors programs, will become a national model for preparing young people to excel in emerging, multidisciplinary fields.”

Finding employees fully prepared to take on complex cybersecurity issues is a major challenge for corporations and government agencies. Northrop Grumman’s Wes Bush said, “We are fully committed to developing solutions to help eliminate the nation’s shortage of critical STEM-educated talent and by partnering with the University of Maryland, we will address workforce challenges in the increasingly important field of cybersecurity. The university has an outstanding track record for developing innovative educational programs to answer real-world needs, excellent research capabilities through its Maryland Cybersecurity Center, and close relationships with the many federal agencies and corporations in the Washington, D.C., area likewise concerned about cybersecurity.”

“The need for STEM professionals throughout the United States is critical and partnerships with industry leaders represent one of the most effective approaches we can take to enhance STEM education while meeting STEM workforce needs,” stated Kirwan. “The University System of Maryland and Northrop Grumman have been working together to address our mutual challenges. As Chair of BHEF, I believe this new Industry-Higher Education partnership model can replicate the success we have seen in Maryland across the U.S. These regional projects represent innovative, collaborative approaches enabling us to get to solutions in order to tackle our nation’s toughest workforce challenges.”

Brian Fitzgerald, CEO of BHEF remarked, “ACES is a perfect example of how industry and higher education can partner to make meaningful change to our nation’s workforce challenges. As one of the ten current BHEF STEM Regional Workforce Projects, this deeper collaboration exemplifies how BHEF members are no longer ‘admiring the problem,’ but providing real solutions. By creating the platform that engages undergraduate students during the critical first two years of college, keeps them in the education pipeline of these high-demand fields, and ultimately prepares them and keeps them for a long-term career, the University System of Maryland and Northrop Grumman are a national example that others can follow.”

ACES will consist of an intensive curriculum, which will include general cybersecurity offerings, as well as a variety of other topics, including cybersecurity forensics, reverse engineering, secure coding, criminology, and law and public policy. In year-long capstone courses, teams of seniors will apply their knowledge and skills in solving complex cybersecurity problems. Summer internships will augment coursework with real-world projects and develop a pipeline of talented students. Throughout, Northrop Grumman will provide guest lecturers, participate in an industry advisory board, pose real-world problems for students to solve, and provide advisors and mentors for capstone projects.

The ACES program is slated to accept its first students at the College Park campus in fall 2013. Over time, through distance education programs, online course offerings, transfer of students, and competitions, universities across the University System of Maryland will participate in the program.
