January 6th, 2011
By: Ian Munroe
Officials from 18 countries held an impromptu, late-night meeting earlier this month at the United Nations office in Geneva, and made a decision that rattled Internet technocrats around the world.
Autocratic governments like China and Iran attended the meeting, as did several democratic ones. Despite protests by Portugal and the United States, they voted to staff a working group on the future of the Internet Governance Forum — an important theatre of discussion on matters of cyberspace — by governments alone.
The seemingly arcane move reverberated through a community of technical experts, academics and civil society groups who felt they had been unfairly excluded.
Fourteen technical organizations that help oversee how cyberspace runs wrote an open letter asking the UN Commission on Science and Technology for Development (UNCSTD) to reverse its decision. Meanwhile the Internet Society, an umbrella group that helps manage technical standards online, posted a petition to its website in protest.
“A significant fuss has been kicked up about it,” said Byron Holland, president and CEO of the Canadian Internet Registration Authority, which manages the .ca domain.
Even Google waded into the fray. Vint Cerf, a vice-president at the online behemoth and one of the pioneers of the Internet, added his name to the petition, alongside 2,600 others. He also attacked the UN decision in a Dec. 17 blog post on Google’s website.
“We don’t believe governments should be allowed to grant themselves a monopoly on Internet governance,” Cerf wrote. “The current bottoms-up, open approach works — protecting users from vested interests and enabling rapid innovation. Let’s fight to keep it that way.”
Eleven days later the UNCSTD buckled under the pressure, according to the Internet Society, and agreed to include up to 20 non-governmental groups.
The episode underscored what has become an uneasy relationship between organizations that have helped gently steer the Internet since its infancy, and UN bodies that came to focus on Internet governance during the 2000s as cyberspace continued to unfurl across the brick-and-mortar world.
“The root of the debate here is a philosophical difference between how you approach the future governance of the Internet,” Holland told CTV.ca by phone. “Everything that goes forward from that will have a very different tone or direction.”
Technocrats like Holland have also been hinting at a specific threat: that the UN could become a forum where authoritarian governments who are riled by the free flow of information work to put the breaks on its superhighway.
Cyber peace treaty
A second UN body — the International Telecommunications Union (ITU), which manages the world’s radio frequencies and orbiting satellites — has been debating who should govern the Internet for years.
Its secretary general, Hamadoun Toure, would like to spearhead the creation of a “cyber peace treaty” to prevent the Internet from becoming another domain in which countries wage war against one another, as they do by air or at sea.
“Cyber threats can reach critical infrastructure of any country, the nerve centre of any nation,” Toure said by phone from Geneva. “A sophisticated attack can bring even the most powerful nation to its knees.”
There have been several recent examples of such events. During a dispute with Russia in 2007, Estonia was hit by widespread cyber attacks that knocked out bank, newspaper and government websites. Similar denial-of-service attacks struck Georgian media and government websites a year later as Russian tanks rolled into South Ossetia.
Then last July, the discovery of the Stuxnet worm led to speculation that a foreign government was trying use malicious software to cripple Iran’s nuclear program.
But there are a number of hurdles to creating an international agreement that would discourage such attacks. One is who would forge it.
“If we were to have a roundtable on this, you would see not only governments around it. Are we mentally prepared for that, to have around the same table private sector, civil society, consumer groups and governments?” Toure said. “That is what it will take for meeting the challenges of a cyber peace treaty.”
Critics of Toure’s proposal worry that non-governmental groups would not be given an equal seat at the table, and point to the ITU’s plenipotentiary conference in October.
There, delegates discussed a Russian proposal to take over managing Internet domain names. Currently that task falls to the Internet Corporation for Assigned Names and Numbers, a private organization whose president and CEO was barred from attending the meeting.
Others say the ITU’s government-to-government approach is too slow and clunky to manage something as fast-moving as the Internet, or that it could pave the way for less open regimes to introduce new online controls.
“We have to be careful about what institutions take the lead,” said Ron Deibert, director of the Citizen Lab and the Canada Centre for Global Security Studies at the University of Toronto. “The Chinas, the Irans, the Saudi Arabias of the world want to impose a territorial vision of control over cyberspace — and if the ITU got its wishes, that’s essentially what would happen.”
In future, the debate over who should govern the Internet would do well to bear in mind its success stories like Google and Facebook, said Olaf Kolkman, director of NLnet Labs and chair of the Internet Architecture Board.
If the ease of accessing an unfettered online world helped those billion-dollar corporations evolve from tiny start-ups in garages or university dorm rooms, he suggested, then closing off the Web could lead to stagnation. It might also wall off opportunities for everyone who has yet to set foot in cyberspace.
“If we can preserve the spirit of openness moving forward,” Kolkman wrote in an email, “we will see much of the innovation coming from developing countries, and the billions of people who have yet to come online but who will change the shape of the Internet when they do.”
June 20, 2010
by Hugh Collins
Newly proposed legislation would give the federal government authority to seize and even switch off the Internet during a national crisis.
The bill, put forward Thursday by Sen. Joe Lieberman, I-Conn., would allow the Department of Homeland Security to issue emergency orders to companies providing services such as search engines, software and broadband Internet, according to CBS. Companies that didn’t comply would face a fine.
“The Internet can also be a dangerous place, with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets,” Lieberman said. “Our economic security, national security and public safety are now all at risk from new kinds of enemies: cyberwarriors, cyberspies, cyberterrorists and cybercriminals.”
Governments worldwide are increasingly aware of the threat posed by cyberattacks. In 2007, the Baltic state of Estonia was paralyzed by a cyberattack that froze the websites of businesses and government agencies for days. Estonia now hosts NATO’s Cooperative Cyber Defence Centre of Excellence.
Lieberman’s bill also calls for the creation of a National Center for Cybersecurity and Communications within the Department of Homeland Security, CBS reported. The center would monitor the “security status” of websites and broadband providers to provide “situational awareness of the security status” of Internet within the United States.
The National Center for Cybersecurity and Communications would also be able to require certain Internet companies to share information with the federal government.
There’s something in the proposed legislation for the private sector, too: Companies would have immunity from civil lawsuits for compensation related to actions they took on orders from the federal government.
However, the bill has been fiercely criticized online by Internet freedom advocates.
“This legislation should be met with resistance until it fails,” journalist blogger Jamie DeLoma wrote. “Implementing the proposed plan would do nothing more than cause chaos and limit the information available.”
The ideas in the proposal are not entirely new. In August, technology website CNET obtained a pair of draft Senate proposals that would have allowed the president to declare a “cybersecurity emergency” and “order the disconnection” of certain networks and websites.
June 3, 2010
Federal News Radio
We’re learning more about the cybersecurity package forming in the Senate. Wired.com reports Sen. Joe Lieberman, (I-Conn.) wants to give the federal government the power to take over civilian networks’ security, if there’s an “imminent cyber threat.” It’s part of a draft bill, co-sponsored by Senators Lieberman and Susan Collins, that provides DHS with the authority to ensure that critical infrastructure stays up and running in the face of a looming hack attack.
May 28, 2010
Federal News Radio
Cybersecurity Update – Tune in weekdays at 30 minutes past the hour for the latest cybersecurity news on The Federal Drive with Tom Temin and Amy Morris (6-10 a.m.) and The DorobekInsider with Chris Dorobek (3-7 p.m.). Listen live at FederalNewsRadio.com or on the radio at 1500 and 820 AM in the Washington, D.C. metro area.
February 22, 2010
Los Angeles Times
By Bob Drogin
The crisis began when college basketball fans downloaded a free March Madness application to their smart phones. The app hid spyware that stole passwords, intercepted e-mails and created havoc.
Soon 60 million cellphones were dead. The Internet crashed, finance and commerce collapsed, and most of the nation’s electric grid went dark. White House aides discussed putting the Army in American cities.
That, spiced up with bombs and hurricanes, formed the doomsday scenario when 10 former White House advisors and other top officials joined forces Tuesday in a rare public cyber war game designed to highlight the potential vulnerability of the nation’s digital infrastructure to crippling attack.
The results were hardly reassuring.
“We’re in uncharted territory here,” was the most common refrain during a three-hour simulated crisis meeting of the National Security Council, the crux of the Cyber Shockwave exercise.
Joe Lockhart, former press secretary to President Clinton, urged his fellow panelists to be bold. “Trust me,” he said, “you will be judged on this when this is over, and for years to come.”
The panelists apparently took him to heart and, as the scenario unfolded, tossed out ways to maintain order — including nationalizing industries, rationing fuel and snatching suspects overseas.
The public rarely gets a peek at government war games. If Tuesday’s no-cliche-left-behind version at times resembled a sci-fi thriller, no one doubts that the peril to telecommunications and other crucial computer-run systems is real and growing.
Dennis C. Blair, the director of national intelligence, this month warned the Senate Intelligence Committee, “Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication.”
Google, for example, recently disclosed what it called a “highly sophisticated and targeted attack” originating in China in mid-December on its search engine infrastructure and e-mail, as well as on at least 20 other companies. China’s government denied any role in the shadow attacks.
Attacks on government networks are also ubiquitous. According to a 2008 report by the nonprofit Center for Strategic and International Studies, NASA and the departments of Defense, Homeland Security and Commerce “all suffered major intrusions by unknown foreign entities” the previous year.
February 12, 2010
By Kurt Nimmo
The Bipartisan Policy Center (BPC) plans to simulate a cyber attack on America’s infrastructure on February 16, 2010. Dubbed Cyber ShockWave, the simulation “will provide an unprecedented look at how the government would develop a real-time response to a large-scale cyber crisis affecting much of the nation,” according to a BPC press release issued today.
The “cyber attack is going to be war-gamed, in public, for all the country to see. It will be quite realistic, featuring senior intelligence and national security officials, including former directors of intelligence agencies and combatant commands and homeland security advisers,” writes Marc Ambinder for The Atlantic.
The sponsors of the event include companies with financial stakes in the future of cyber defense — General Dynamics is one — but also companies whose transactions are the lifeblood to the American economy, and who want to foster a greater sense of urgency among the public and policymakers.
In other words, a handful of well-placed corporations stand to make a fortune on the prospect of a cyber attack. In addition, a message will be sent to the Senate warning that it should pass “cybersecurity” legislation (a 2009 Senate bill would have given Obama the authority to shut down the internet).
General Dynamics is a leading death merchant at the very heart of the military industrial complex Eisenhower warned us about a few decades ago during the contrived so-called Cold War. “When it comes to military spending, the tradition of the ‘iron triangle’ — Congress, the Pentagon, and defense industries — joining to push costly weaponry is nothing new,” Brad Knickerbocker wrote for The Christian Science Monitor.
BPC directors hail from Lockheed Martin, L-3 Communications (a spook merchant), JPMorgan Securities, and the Rockefeller connected Aspen Institute.
The BPC effort to scare the American people and Congress into accepting the unlikely threat of cyber enemies taking down the country is part of an ignoble tradition consisting primarily of frightening taxpayers out of their hard-earned dollars. Instead of Osama bin Laden and the CIA-created al-Qaeda, this time around the culprits are Russia and China.
“Participants include John Negroponte, the first DNI, who will be the fictional Secretary of State. (Intel insiders will enjoy this role change.) Ex-DHS Secretary Michael Chertoff will be the National Security Adviser. Fran Townsend, the former White House Homeland Security Adviser, will be the secretary of DHS. Former CIA deputy director John McLaughlin will be the Director of National Intelligence. Other big-name participants include Jamie Gorelick, Stewart Baker, Joe Lockhart and Bennet Johnson,” writes Ambinder.
The BPC advisory board consists of seasoned establishment insiders, including Howard Baker, Tom Daschle, Bob Dole, and George Mitchell.
In short, a mix of neocons and neolibs at the very epicenter of the establishment.
Last July, the BPC, “[b]uilding on the [sic] highly acclaimed work of the 9/11 Commission,” announced the launch of the National Security Preparedness Group “to further examine the changing threats to the United States.” Under the leadership of “9/11 Commission Chair, Thomas H. Kean, and Vice Chair, Lee H. Hamilton, the NSPG will focus its efforts on national intelligence, terrorism, and security issues, continuing the work of the National Commission on Terrorist Attacks Upon the United States (9/11 Commission) and its successor, the 9/11 Public Discourse Project,” according to a BPC press release published by PR Newswire.
The above BPC promotion video insinuates that the cyber threat will likely come from China and Russia.
China’s alleged cyber attack last month was blown out of proportion by Google, the government, and the corporate media. The mischaracterized attack against Google went down a few weeks before the search engine corporation announced plans to merge with the NSA, aka “No Such Agency.”.
“The attack on Google involved attempts to access the Gmail accounts of Chinese human rights activists, but only two accounts were accessed and the contents of e-mails were not exposed — only account information like the date the account was created, Google said,” Elinor Mills wrote for CNet News on January 13. “Separately, Google discovered that accounts of dozens of Gmail users in the U.S., China, and Europe who are human rights advocates ‘appear to have been routinely accessed by third parties,’ not through a security breach at Google, but most likely as a result of phishing scams or malware placed on the users’ computers, the company said.” Google later admitted its products and customer data were not affected by the attack.
February 4th, 2010
The United States is at risk of a crippling cyber attack that could “wreak havoc” on the country because the “technological balance” makes it much easier to launch a cyber strike than defend against it, Director of National Intelligence Dennis Blair said Wednesday.
Blair, speaking to the House Intelligence Committee, said U.S. tools are not yet up to the task to fully protect against such an attack.
“What we don’t quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication,” Blair said. “And the dynamic of cyberspace, when you look at the technological balance, right now it favors those who want to use the Internet for malicious purposes over those who want to use it for legal and lawful purposes.”
Blair said the United States must “deal with that reality,” and warned of the catastrophic consequences of a major attack.
“Attacks against networks that control the critical infrastructure in this country … could wreak havoc,” Blair said. “Cyber defenders right now, it’s simply the facts of the matter, have to spend more and work harder than the attackers do, and our efforts frankly are not strong enough to recognize, deal with that reality.”
He said one critical “factor” is that more and more foreign companies are supplying software and hardware for government and private sector networks.
“This increases the potential for subversion of the information in … those systems,” Blair said.
Blair also told Congress Wednesday that the Internet is providing the fuel for the growing problem of “homegrown radicalization.”
“That … has been one of the most dangerous uses of the Internet,” Blair said, explaining that foreign groups are using the Internet to organize attacks, give instructions and arrange financing.
Intelligence officials are on the Hill to discuss the annual threat assessment, which is garnering particular interest in the wake of the failed bombing of a Northwest Airlines flight bound for Detroit on Christmas Day.
Senior intelligence officials told Congress Tuesday that Al Qaeda could try to carry out an attack in the United States in the next three to six months.
CIA Director Leon Panetta said Al Qaeda is sending operatives to the United States to carry out new attacks from inside the country and inspiring homegrown extremists.
Obama has promised to make cyber security a priority in his administration, but the president’s new budget asks for a decrease in funds for the Homeland Security Department’s cybersecurity division.
The government’s first quadrennial homeland security review states high consequence and large-scale cyberattacks could massively disable or hurt international financial, commercial and physical infrastructure.
The report, obtained by The Associated Press, said these types of cyber attacks could cripple the movement of people and goods around the world and bring vital social and economic programs to a halt.
December 14, 2009
By Joseph Menn
For more than a decade the common currency among cybercriminals has been pilfered credit card numbers, but some underground hackers have learned how to drain money directly from corporate bank accounts.
There has been a big rise in such frauds, raising the stakes in the war between financial institutions and criminals and costing some bank clients half a million dollars – or more.
Facebook backtracks on privacy – Dec-11
Facebook must be weary of changing the rules – Dec-11
Tech blog – Dec-01
The cyberhackers “are clearly ahead of the defence in terms of antivirus solutions, firewall solutions, etc,” Jeffrey Troy, chief of the FBI’s cybercrime section, told the Financial Times. Online bank thefts in 2009 had seen “a very dramatic increase from past years”.
Law enforcement warnings, recent reports from private security experts and lawsuits are focusing attention on the issue. Some professionals, citing the ongoing boom in virus infections through such social networks as Facebook and Twitter, fear the trends could combine in 2010.
Mr Troy estimated that criminals took about $40m from bank accounts this year, primarily targeting the small and mid-sized businesses that are themselves customers of small and mid-sized banks.
Such banks and their clients were less likely than their biggest competitors to have the highest-grade security procedures.
Targets have fallen victim to “spear phishing” and other tricks. In spear phishing, a misleading e-mail, instant message or social networking communication is aimed at one company or even a single person within that company, frequently a top executive. The message can be tailored convincingly with details of interest to that individual.
As with many generic phishing attacks that go to millions of users, the point is often to get the recipient to click on a link that installs software for surreptitiously logging keystrokes, so that passwords and account numbers can be recorded and transmitted over the internet to the hacker.
Aiming at small groups means that security programs that look for copies of previously reported attacks are less likely to recognise the software.
One of the most prevalent programs for stealing banking passwords, Zeus, can be bought and modified by anyone for about $700, Cisco Systems said in annual security study released this week.
Through both phishing and silent installs via compromised websites, Zeus has landed on some 3.6m machines. Another virus, URLZone, can rewrite online banking statements so that pilfered money does not appear to be missing.
Some businesses have lost hundreds of thousands of dollars to thieves employing such tools. While banks typically indemnify consumers for online fraud losses that are spotted quickly, they can take a harder line against corporate clients. Such disputes are coming into the open with the first lawsuits over banking breaches.
This month a Baton Rouge equipment seller called JM Test Systems sued US bank Capital One. The suit says JM Test noticed an unauthorised $45,640 wire transfer to a Moscow bank a day after it went through.
Although the company complained immediately and Capital One pledged to investigate, it allegedly failed to freeze the account and a second fraudulent withdrawal of $51,556 went through six days later. The bank has refunded less than $8,000 of the losses, according to the suit, which accuses Capital One of having unreasonably lax procedures. The bank declined to comment, citing the litigation.
Banks were modifying their systems, said Mr Troy, but they had problems with authenticating account holders.
The same problem exists on the internet – and has been exacerbated with the trend toward shortened web links that deliberately compress – and disguise – the address of websites as they are passed along in e-mails or other messages.
Many social media users placed such trust in material posted by friends and colleagues “that they don’t stop to consider the dangers of clicking on an unidentifiable link”, Cisco found.