The Federal government’s new cybersecurity program, dubbed “Perfect Citizen” is raising Big Brother concerns.  According to a Wall Street Journal article published in early July, the US National Security Agency (NSA) is planning to spend $100 million on this program, whose purpose is to detect cyber-attacks on private companies and government agencies that run critical infrastructure.

“Perfect Citizen” will monitor nuclear power plants, train stations, subway systems, and the electric power grid to help safeguard against a cyber-attack.  According to the Journal report, people familiar with the program explain that surveillance would be accomplished via a set of sensors.  The sensors would be deployed in computer networks for critical infrastructure and triggered in cases of unusual activity, thus suggesting an impending cyber-attack.  Additionally, information gathered from “Perfect Citizen” could serve as a data bank to help companies and agencies who call upon the NSA for help with investigations of cyber-attacks.

Some industry and government officials view the program as an “intrusion by the NSA into domestic affairs,” the Journal reports.  An article on FoxNews.com further raises the question that if the “Perfect Citizen” sensors are used to monitor cyber-attacks, “it’s easy to envision how this same network could be used for monitoring everyday citizens.”  Others, however, consider it an important step in defending against the increasing security threat.  In the Journal article, one official characterized the intrusion into privacy as “no greater than what the public already endures from traffic cameras.”

The “Perfect Citizen” program appears to have evolved from a smaller project, code-named “April Strawberry” that was used to address the problem years ago.  The current program is being expanded with funding from the Comprehensive National Cybersecurity Initiative.  However, the program is still in its early stages, and much still needs to be worked out.

The NSA classified the Journal report as “inaccurate” in a later article.  “There is no monitoring activity involved and no sensors are employed in this endeavor,” NSA spokesperson Judith Emmel told TechNewsWorld.

The White House moved to protect what they call an “Identity Ecosystem” through a new cybersecurity initiative. On June 25th, a post on the White House blog called The National Strategy for Trusted Identities in Cyberspace proposed a system developed jointly by the government and private enterprise to simplify the management of online identities. The goal would be to have users’ online reputations vetted by a participating vendor, “vouching” for them across the Internet. For example, if a user is verified through Google or Facebook, she could simply use her login to simplify an Amazon or eBay purchase.

The idea is hardly new. OpenID has been working towards a similar goal for some time, partnering with some of the biggest names on the Internet. Google, Yahoo, Verisign, and WordPress all have incorporated the OpenID interface into their systems, giving users the option to use it along side or in place of their local logins. The Open ID website even has a page welcoming the government, linking to the the draft memo for the government’s program. The primary goals of both systems are being easy to use, cost-efficient, voluntary, and secure. The potential applications for the system include digital transactions, social media conformity, and allowing “anonymous” blogging.

The plan is not without its critics. The Department of Homeland Security set up a website allowing for user-rated commenting on the proposal; the top 5 all present compelling arguments against the system. The DHS comments focus more on the natural risk of centralizing users’ personal information and better informing the public on how to protect their information. However, there has been somewhat less discussion on how a system a system designed to verify one’s identity would preserve anonymity. But, as a few tech blogs have pointed out, it doesn’t. It merely shortens the subpoena’s trip from complainant to records custodian while facially preserving anonymity to the casual reader. But given the public’s indifference towards sharing their identity by using their Facebook accounts to log-in to various sites across the Internet, is it likely to be a concern?

The Protecting Cyberspace as a National Asset Act of 2010 has passed its first hurdle.  As SC Magazine reports, The Senate Homeland Security and Governmental Affairs Committee unanimously passed an amended version of the controversial cybersecurity bill by voice vote last week.  The bill, introduced by Sens. Joe Lieberman (I-CT), Susan Collins (R-ME) and Tom Carper (D-DE), grants emergency power over critical infrastructure to the President, as well as creates cybersecurity offices in both the White House and U.S. Department of Homeland Security.  The bill’s next stop is the full Senate floor.

Critics of the bill continue to voice their opposition, believing the legislation gives the president an Internet “kill switch.” The American Civil Liberties Union, Center for Democracy and Technology, as well as numerous other privacy groups, recently sent a letter to Lieberman and other lawmakers detailing their concern.  The groups state in the letter that “while the bill makes it clear that it does not authorize electronic surveillance beyond that authorized in current law, we are concerned that the emergency actions that could be compelled could include shutting down or limiting Internet communications that might be carried over covered critical infrastructure systems.”  The groups state that the bill fails to define critical infrastructure and thus there are concerns that “it includes elements of the Internet that Americans rely on every day to engage in free speech and to access information.”

However, according to a fact sheet about the bill issued by Lieberman and Collins, the President already has broad authority in the communication realm.  They say this is articulated in The Communications Act of 1934, which provides “nearly unchecked authority to the President” to close any wire communication facility or station.  Specifically, the President does not have to give advance notification to Congress to exercise his power, which can last up to six months after the “state or threat of war” has expired

The current legislation, on the other hand, will limit this authority and make it “far less likely” for a
president to use this power.  “[The cybersecurity bill] would bring presidential authority to respond to a major cyber attack into the 21st century by providing a precise, targeted and focused way for the president to defend our most sensitive infrastructure,” Lieberman and Collins state in the fact sheet.  Under the new bill, the president’s authority is limited to 30-day increments and may be extended beyond 120 days only with Congressional approval.  Additionally, the president must use the “least disruptive means feasible” in his response and his authority does not authorize the government to “take over” critical infrastructure.

According to the United States Government Accountability Office (GAO), the increasing threat of a cyber attack warrants continued efforts by the federal government to safeguard the federal information systems.

In his testimony before the Committee on Homeland Security, Gregory C. Wilshusen, Director, Information Security Issues, explained that attackers pose a significant threat, considering the opportunities available to launch an attack, the ease by which it can be accomplished, and the destruction it could cause to a nation so dependent on computerized information systems.  The fact that federal systems have experienced an increasing number of security incidents further emphasizes the need to coordinate an effective response.

According to Wilshusen, GAO has designated information security as a “high-risk” area since 1997.  However, deficiencies still exist that place federal assets at risk.  Nevertheless, opportunities are available for enhancing federal cybersecurity.  GAO has made recommendations over the years, which Wilshusen outlines in his testimony. 

Some of these recommendations include implementing comprehensive, agency-wide information security programs, correcting specific information security deficiencies related to user identification, authorization, physical security, etc, and improving the nation’s cybersecurity strategy.

Although the federal government has taken positive steps, Wilshusen states that more needs to be done.  At the present moment, Wilshusen describes federal information and systems as “vulnerable.”

While Congress debates Sen. Joseph Lieberman’s (I-CT) Protecting Cyberspace as a National Asset Act of 2010, the U.S. Military works on defending itself and the U.S. from cyber-attacks. The recently created U.S. Cyber Command has two main responsibilities: to defend all military information networks and to conduct cyber-operations against any adversary that may launch a cyber-attack against the U.S. or against U.S. interests. However, as NPR reports, in order to effectively meet its responsibilities U.S. Cyber Command needs clear rules for engaging in cyber-warfare. For example, according to the head of U.S. Cyber Command General Keith Alexander:

“‘It’s not unlike warfare where you have armed conflict in one state, and somebody attacks [into that state] from a neutral state…There are laws of land warfare that deal with that. We now have to look at that in the light of cyberspace.’”

Additionally, the U.S.’ willingness to strike preemptively, if necessary, makes the need for rules of cyber-warfare even more urgent. As former CIA General Counsel Jeffery Smith, as quoted in the same NPR report, explains:

“‘He [Gen. Alexander] needs clear guidance from the president, secretary of state, director of national intelligence, attorney general and so on, as to how cyber assets may be employed in an offensive setting, in the event the United States finds itself in a conflict…What may he, as the commander of Cyber Command, do?’”

Without rules for cyber-warfare that comply with the Constitution and federal law, the ability of the U.S. ability to protect its information networks may be seriously frustrated.

US Deputy Secretary of Defense William J. Lynn III made a visit to Canada earlier this week to discuss ways in which the two countries could work together to protect computer networks and critical infrastructure from a cyber attack.  In his remarks before the Canadian Conference of Defense Associations Institute in Ottawa, Lynn highlighted the growing threat cyber attacks pose and stressed the importance of an alliance between the two nations.

According to an article on the Department of Defense website, Lynn stressed that the speed of a cyber attack necessitates a quick response.  Further, it is imperative to identify where an attack originates, although this is a difficult task in cyberspace.  According to Lynn, therefore, international cooperation is key.  He said, “To have the highest levels of protection, you want the widest set of allies so you understand and anticipate the broadest set of threats.”

Additionally, Lynn emphasized the strong connection between the United States and Canada.  A separate article on the website discussed how the two nations are “linked together in every way.”  Whether it be the economy, military, or infrastructure, a cyber attack on one would “be felt within milliseconds” by the other and have significant consequences.

Lynn’s visit comes on the heels of the recent cybersecurity legislation proposed by Senator Joe Lieberman (ID-CT) last week.

Senator Joe Lieberman (ID-CT), along with Senators Susan Collins (R-ME) and Thomas Carper (D-DE)  introduced the Protecting Cyberspace as a National Asset Act of 2010 on June 10th.  The cybersecurity bill proposes to grant broad authority to the President and allow the government to take emergency action during a cyber attack.

The bill would create a National Center for Cybersecurity and Communications (NCCC) within the Department of Homeland Security.  The NCCC would be responsible for protecting critical infrastructure and taking emergency measures in case of an attack.  The director of the NCCC would have authority over civilian networks and would be appointed by the President.  The emergency measures, although expected to last a maximum of 30 days, could be extended indefinitely, either by the President or the NCCC’s director, if they believe the threat still exists.

According to the Hill, the Lieberman bill will likely be the subject of much debate.  The scope of the emergency measures will likely raise constitutional issues and the decision to place such a large amount of power in the Department of Homeland Security may also meet opposition.

It will be interesting to keep watch over the developments.  It seems that cybersecurity is currently a hot topic on Capitol Hill.  In 2009, Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME) proposed the Cybersecurity Act of 2009.

To see a brief clip of Senator Lieberman’s announcement click here.

 Albert Gonzalez, a self taught computer hacker from Miami was sentenced to 20 years in prison. Gonzalez was behind one of the largest credit and debit card thefts in United States history. Working under the names “soupnazi,” “segvec,” and “j4guar,” Gonzalez’s  theft cost companies, banks and insurers almost $200 million.   

Gonzalez served as a federal informant after being arrested for hacking in 2003. But then, last year, Gonzalez pleaded guilty to breaking into the computer of major retailers (some of which were BJ’s, Barnes & Noble, OfficeMax, Dave and Busters, TJX).

 Gonzalez was indicted  for conspiracy to commit wire fraud,  after authorities said that he and two other men would drive past retailers with laptop computers and tap into the unsecure wireless signals.  Then, the three men would install a “sniffer program” which got the information of credit and debit cards as they were entered into the computers of the retailer. Then, the trio would sell those numbers overseas on the black market and by taking a lot of money out of ATMs. The AUSAs assigned to his case, Stephen Heymann, said he thought Gonzalez stole tens of millions of cards.  It is thought that Gonzalez made over $2.8 million with which he purchased a Tiffany’s ring, Rolex watches, a car, and a condo in Miami.

 Judge Patti Saris sentenced him to the middle of the 15-25 year range that was agreed upon in a plea agreement between the prosecutors and Gonzalez.  Originally the prosecutors wanted the maximum, 25 year sentence while Gonzalez’s attorney asked for 15. Judge Saris sentenced Gonzalez to two 20 year terms to run concurrently, one for the case in Massachusetts including OfficeMax, TJX, etc and the other for the New York Case involving Dave and Buster’s.  She also sentenced him to three years of supervised release after completing his prisont term where he shall have no access to a computer.  Under the plea deal, Gonzalez has to forfeit over $2.7 million o the $2.8 million that he stole as well as give up the condo, car, ring and Rolex watches. The judge set a separate hearing during the summer to determine the amount of restitution Gonzalez will have to pay to the retailers, although the judge did recognize that he probably would be unable to pay what she expects to order.

 After being sentenced, Gonzalez blamed his behavior on an addiction to internet pursuits and sobbed while apologizing to his family.  Defense counsel cited a report from a psychiatrist claiming that Gonzalez has an Internet addiction and that the computer “is his drug.” Furthermore, after becoming an informant, the authorities say that over the next five years he hacked into many systems while “helping” the government.

 Gonzalez is also scheduled to be sentenced by another judge in Boston regarding a case in New Jersey where Gonzalez hacked into a 7-Eleven, Heartland and a Hannaford Bros supermarket.

A former TSA contractor, Douglas Duchak, is being charged with injecting codes of a malicious nature into the government network used for screening people at the airport. The code was allegedly designed to disrupt and damage the data on the servers. The network that was attacked is the same network that stores the information from the government about the terrorist watchlist, criminal histories of travelers, and so on. A week before the malicious code was transferred, Duchak was told that his job would be terminated. Although Duchak pled not guilty and was released on bonds, he was charged with two counts of attempting to cause damage to protected computers. The maximum sentence for this crime is 10 years and $250,000 for each count. Duchak’s defense is that the system that he worked on was in a beta stage and was being used for testing statistical analysis and was not in any way connected with security.

As we become increasingly more dependent on the Internet, the threat of cyber attacks has become a pressing concern. Dennis C Blair, the director of National Intelligence, has said to the Senate Intelligence Committee that “malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication.”

In a recent simulated cyber attack, a “March Madness” application was made available for smart phones, which was downloaded by many college basketball fans.  While the users thought that they were simply following their favorite teams, their passwords were being stolen and their emails intercepted. The March Madness application hid a spyware program that could hack into these smart phones.  The madness that ensued transcended the basketball games on the court. This spyware affected over 60 million cellphones and various electric grids across the nation. The simulated cyber attack was named “Cyber Shockwave.”

After the exercise, former White House advisors and other officials joined together in order to discuss the vulnerabilities of our nation’s digital infrastructure. In order to discuss such vulnerabilities, these leaders participated in a three hour simulated crisis meeting. The event was run by the Bipartisan Policy Center in Washington DC. None of the panelists knew what the scenario was in advance and they were supposed to act as they would if the scenario was real. However, the results of this meeting hardly assuaged anyone’s woes of the dangers of cyber attacks.  Although each advisor suggested various solutions to the fake attack, there was no overarching idea of how to prevent such an attack.