Posts Tagged ‘Cybersecurity’
Brief session description:
Thursday, July 26, 2012 – The US House of Representatives has passed four cybersecurity bills, and the US Senate has indicated an intent to consider cybersecurity legislation in the current session. The US Department of State is working with its global partners to develop relationships, collaborative action and norms of behavior for cyberspace. The US Department of Commerce has spearheaded a government initiative on botnets and is working with industry on botnet mitigation measures. The Department of Homeland Security is increasing its cybersecurity staffing for strategic and operational concerns. And the White House is transitioning its team on cybersecurity policy with a second cybersecurity adviser to the president. Stuxnet and Flame attacks have captured international attention. Cybersecurity remains a key theme in discussions in the United Nations, the International Telecommunication Union, the Organization for Economic Cooperation and Development, the Asia-Pacific Economic Cooperation, ICANN and the annual Global Internet Governance Forum. This workshop addressed questions such as: What are businesses, countries, and the technical community doing in this heightened era of cybersecurity concern? What should they be doing? What are the considerations for individual users here in the U.S. and around the world? How can all these pockets of activity help protect – and not hamper the protection of – the very medium that provides for productivity, communications, efficiencies, innovation, and expression?
Details of the session:
The session was moderated by Audrey Plonk, global security and Internet policy specialist at Intel Corporation. Panelists were:
- Tom Dukes, senior advisor, Office of the Coordinator for Cyber Issues, US Department of State
- Jeff Greene, senior policy counsel, Cyber Security and Identity, Symantec
- Kendall Burman, senior national security fellow, Center for Democracy and Technology
- Patrick Jones, senior director of security, ICANN
Panelists from the government and private sectors gathered at IGF-USA’s cybersecurity workshop to discuss how these entities are collaborating to deal with domestic cybersecurity threats and international cybersecurity issues.
This issue is especially pertinent right now. There have been a number of high-level conferences and meetings in Washington and other locales over the summer of 2012 on this topic, and, as moderator Audrey Plonk, global security and Internet policy specialist for the Intel Corporation, puts it, “Cybersecurity is the new black.”
Jeff Greene, panelist and senior policy counsel of cybersecurity and identity at Symantec, agreed. “At this time three years ago, cybersecurity was something that was mentioned in passing,” he commented. “Now the interest is exponential.”
Symantec’s business is centered on protecting enterprises from cyberthreats. Greene, who until recently worked with the Department of Homeland Security, said that according to this year’s Symantec Internet Security Threat Report, 75 percent of the enterprises Symantec deals with were threatened with a cyber attack in 2011.
He added that while the incidence of spam decreased in 2011, there has been a shift to web-based attacks. Greene also said the government and private sector are working together to reduce such threats.
“It is remarkable how much of the threat dynamic in both sectors is the same,” Greene said. “We see criminal and other malicious activity largely the same as the government does, so this is all work through government, private and international cooperation.”
Panelist Kendall Burman had a different view on government access to private sector and citizen information in terms of cybersecurity. As a senior national security fellow for the Center for Democracy and Technology, she has spent time exploring security and surveillance from the perspective of a member of a group focused on consumer privacy.
“I think that the tricky area from a civil liberties perspective is when the government is in a position of receiving that information, making sure that that information is limited to cybersecurity threats, and what the government can then do once it receives it,” Burman said.
Panelist Tom Dukes, senior adviser for the Office of the Coordinator for Cyber Issues at the US Department of State, weighed in from a government standpoint on cybersecurity issues, including the important role of the US government in pushing other countries to increase their outreach and share their perspectives on cybersecurity issues.
“Obviously what the US says, the positions we take, are highly influential and they are certainly looked at by a great many other countries,” Dukes said.
“One thing that the US has been trying to do for the last couple years in terms of addressing cyberpolicy issues in general, cybersecurity included, is to try to take sort of a leadership role in helping shape the world debate on how we think about these issues.”
Dukes said that the US has also made progress in terms of leading a global discussion on reaching a consensus about cybersecurity norms. Greene said that while the U.S. would like to set its own cybersecurity policies, this could cause global problems.
“If everyone has a different set of rules, (global policymaking)’s going to be pretty difficult,” Greene said.
Panelist Patrick Jones, senior director of security for ICANN, shared his view that while US policymaking is important in terms of cybersecurity, politicians should be aware of the effects that any laws they make may have globally.
“It’s helpful for policymakers, when they’re coming up with legislation, that they think of the Internet as global and consider that the decisions they make may have technical impacts that they’re not considering that impact the way people are using the Internet today – give those a thorough understanding before decisions are made about a particular legislation,” Jones said.
One of the final points of discussion during the workshop was the differences between cybersecurity and information security.
In the discussion it was noted that cybersecurity, in the US view on Internet governance, deals primarily with protection from Internet threats. Information security, in the Russian and Chinese view, also includes censoring the civic sector and content from many Western media and knowledge organizations.
Dukes said there are two considerations for openness and freedom of information that convince most leaders in the world to find common ground in the fairly liberal US position on cybersecurity issues.
First is the basic human rights aspect of the argument; many countries accept that people should, whenever possible within the bounds of public safety, have certain rights of free speech, communication and assembly. Most countries agree that this should apply online.
Dukes’ second point is the economic benefit of keeping the Internet as open and free-flowing as possible. “Many evolving world countries are really desperate to find ways that they can harness the power of the Internet to increase economic opportunity, to increase GDP, to increase development and growth,” he said. “Those arguments seem to be very pragmatic, but it’s hard for countries to disagree with that.”
— Mary Kate Brogan
IGF-USA 2012 Case Vignettes: Turning Principles into Practice – Or Not: Internet Governance/ICANN; Consumer Privacy; Cyber Security; Dialogues about Lessons Learned
Brief session description:
Thursday, July 26, 2012 – This workshop was aimed at examining the role principles are playing in framing debates, achieving consensus and influencing change – or not. Proposals for Internet principles are popping up everywhere, from national to regional and global discussions, on a wide range of issues. In 2011, IGF-USA examined a number of principles in a session titled “A Plethora of Principles.” This session follows on that one. Session planners noted that it’s not enough to simply develop a set of principles; the question is: how are principles actually implemented, and how are they inspiring change? Are they new voluntary codes of conduct, new regulations, new laws? Principles can become a baseline for gaining high-level agreements. They may go beyond the expectations possible through legislation or regulation, so some argue that principles should be written to be aspirational. Some argue for legislation, regulation or enforcement mechanisms to ‘hold industry accountable’ to promises made in principles designed as sets of commitments. This workshop examined three case vignettes: 1) how the principles of a white paper were incorporated into ICANN’s formation and what the status of these principles is today within ICANN’s mission and core activities; 2) how consumer privacy principles have fared in global and national settings in terms of these points ‘turning into practice’; and 3) how cybersecurity/botnet principles are faring.
Details of the session:
The moderator for this session was Shane Tews, vice president for global public policy and government relations at Verisign. Panelists included:
- Becky Burr, chief privacy officer, Neustar Inc.: Turning White Paper Principles into actuality in ICANN
- Maneesha Mithal, associate director of the division of privacy and identity protection, Federal Trade Commission: Consumer privacy principles
- Eric Burger, director of the Georgetown University Center for Secure Communications: Cybersecurity and botnets
- Carl Kalapesi, co-author of the World Economic Forum’s report Rethinking Personal Data: Strengthening Trust: the World Economic Forum perspective
Before an informal agreement, policy or formal regulation is adopted, passed or approved, it takes its initial steps as an idea. The trick lies in bringing it from a formative state to something actionable; otherwise it may languish as a suggested goal, followed and adhered to by no one.
During the IGF-USA panel titled “Turning Principles into Practice – or Not” participants shared successful case studies as examples of how to create actionable practices out of ethereal goals. Citing processes ranging from US efforts to counteract botnets to domain name system governance and to consumer privacy, three panelists and one respondent drew from their own experiences in discussing ways in which people might successfully bridge the gap between idea and action.
Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection, weighed in on the efficacy of principles versus regulation by offering a series of methods to act on a problem.
“It’s not really a binary thing – I think there’s a sliding scale here in how you implement principles and regulation,” she said. She cited corporate self-regulatory codes, the work of international standard-setting bodies, multistakeholder processes, safe harbors and legislation as possible means for action.
Mithal highlighted online privacy policies as an example of the need for a sliding scale. The status quo has been to adhere to the concepts of notice and choice on the part of consumers; this has resulted in corporations’ creation of lengthy, complicated privacy policies that go unread by the consumers they are meant to inform. Recently, pressure has been placed on companies to provide more transparent, effective means of informing customers about privacy policies.
“If it had been in a legislative context, it would have been difficult for us to amend laws,” Mithal said, though she admitted that such flexible agreements are “sometimes not enough when you talk about having rights that are enforceable.”
And Mithal did note that, given the current climate surrounding the discussion of online privacy, it’s still the time for a degree of broad-based privacy legislation in America.
Eric Burger, a professor of computer science at Georgetown University, spoke on the topic of botnets, those dangerous cyber networks that secretly invade and wrest control of computers from consumers, leaving them subservient to the whims of hackers looking for a challenge, or criminals looking for the power to distribute sizable amounts of malware.
Given the sheer number of stakeholders – ISPs concerned about the drain on their profits and the liability problems that come with the illegal information shared by the botnets, individual users concerned over whether their computers have been compromised and government agencies searching for a solution – Burger said that the swift adoption of principles is the ideal response.
Among those principles are sharing responsibility for the response to botnets, admitting that it’s a global problem, reporting and sharing lessons learned from deployed countermeasures, educating users on the problem and the preservation of flexibility to ensure innovation. But Burger did admit the process of arriving at this set of principles wasn’t without its faults. “Very few of the users were involved in this,” he said, citing “heavy government and industry involvement, but very little on the user side,” creating a need to look back in a year or two to examine whether the principles had been met and whether they had been effective in responding to the swarm of botnets.
Becky Burr, chief privacy officer and deputy general counsel at Neustar, previously served as the director of the Office of International Affairs at the National Telecommunications and Information Administration (NTIA), where she had a hands-on role in the US recognition of ICANN. She issued a play-by-play of the lengthy series of efforts to turn ICANN from a series of proposed responses into a legitimate governing entity, which was largely aided by a single paragraph in a framework issued by President Bill Clinton’s administration in 1997.
Written as a response to the growing need for the establishment of groundwork on Internet commerce and domain names, the paper called for a global, competitive, market-based system for registering domain names, which would encourage Internet governance to move from the bottom-up. The next day, the NTIA issued the so-called “Green Paper” which echoed many of the principles of the administration’s framework and drew extensive feedback from around the world, including negative feedback over the suggestion that the US government add up to five gTLDs during the transitional period.
After reflection on the feedback to both the white and green papers, and a series of workshops among multiple stakeholders to flesh out the principles of stability, competition, private-sector leadership, bottom-up governance and realistic representation of the affected communities, ICANN held its first public meeting Nov. 14, 1998, underwent several reforms in 2002, and ever since, in Burr’s words, “is still the best idea, or at least no one’s figured out a better idea.”
“The bottom line is to iterate, make sure you articulate your principles and try to find some built-in self-correcting model,” Burr said.
While Burr’s play-by-play described how a relatively independent, formal institution was formed to offer DNS governance, Carl Kalapesi, a project manager at the World Economic Forum, offered a more informal approach, relying on the informal obligations tied to agreeing with principles to enforce adherence.
“Legislative approaches by their nature take a very, very long time,” Kalapesi said. He vigorously supported the importance of principles in offering “a common vision of where we want to get to,” which leaders can sign onto in order to get the ball rolling.
He offered the example of the “Principles of Cyber Resilience,” offered to CEOs at last year’s World Economic Forum with the goal of making them more accountable for the protection of their own networks and sites while still allowing them flexibility to combat problems in a way that best suited their own work-flow and supply chains.
Central to Kalapesi’s argument in favor of principle-based solutions is their flexibility.
“Half of the uses of data didn’t exist when the data was collected – we didn’t know what they were going to do with it,” he said, alluding to the concerns over the use of private data by the likes of Google and Facebook, which accelerate and evolve at a rate with which formal legislation could never keep up.
Burr later echoed this point in theorizing that 1998’s Child Online Protection Act might soon be obsolete, but Mithal remained firm that a “government backstop” should be in place to ensure that there’s something other than the vague notion of “market forces” to respond to companies who step back from their agreements.
— Morgan Little
The online world and the Internet are continuing to expand at exponential rates. As more and more users and more applications move into the online world with the expansion of broadband and mobile, concerns about online crimes and malicious threats to the Internet and to users also grow. This workshop was established to examine the range and scope of online crimes and malicious use of the Domain Name System. For instance, scam artists host websites with false information or a phisher registers a domain intended to resemble a famous brand. Consumers and businesses can be victims of abuse, and legitimate service providers are seeing crime and fraud in the network. The use of DNS security (DNSSEC) is part of a mitigation strategy.
Details of the session:
Every time an individual pulls up a webpage or website, the Domain Name System is used.
Moderators and industry leaders met at an IGF-USA 2010 workshop titled E-Crimes and Malicious Use in the DNS: Implications and Observations.
Panelists participating in the discussion noted that malicious use and criminal behavior in the DNS is not acceptable, but they did not come up with any clear conclusions regarding new ways to better control these problems.
The moderator of the event was Jim Galvin, director of strategic relationships and technical standards for Afilias. Panelists included Garth Bruen, founder of KnujOn; Doug Isenberg, attorney at law with GigaLaw Firm; Shaundra Watson, counsel for international consumer protection at the Federal Trade Commission; John Berryhill, intellectual property lawyer; Bobbie Flaim, special agent with the FBI; Margie Milam, senior policy advisor for ICANN; and Matt Serlin, senior director of domain management at MarkMonitor.
The panelists agreed the abuse of the DNS is not a regional issue nor is it confined to a particular sector of the Internet. The crimes occur across multiple jurisdictions and affect a variety of individuals.
Some shared anecdotes about incidents in which collaboration with other entities led to the resolution of a major DNS violation.
-Anna Johnson, http://www.imaginingtheinternet.org
Cybersecurity is a multifaceted issue that requires attention to various strategic and operational efforts to make progress. Five overarching areas for focus are 1) development of a national strategy; 2) collaboration between government and industry; 3) cybercrime; 4) incident response; and 5) building a culture of cybersecurity/awareness. This session was scheduled to explore how the U.S. is addressing each of these, where there are opportunities for improvement and obstacles to progress, where the U.S. needs to work with international partners, and how cybersecurity contributes to Internet governance globally. Session moderators were Liesyl Franz, vice president for information security and global public policy at TechAmerica, and Audrey Plonk, global security and Internet policy specialist at Intel Corporation.
Details of the session:
Panelists and moderators discussed cybersecurity at one of the first morning workshops at the 2010 Internet Governance Forum-USA at Georgetown University Law Center. Co-moderator Liesyl Franz introduced the workshop and set the scene by presenting the session’s five overarching areas of focus, including national strategy, collaboration between government and industry to foster cybersecurity, combating cybercrime, incident response and building a culture of cybersecurity and awareness.
Developing a national strategy
The United States’ national strategy for cybersecurity has constantly evolved over the past 15 years. In the 1990s, the Critical Infrastructure Protection Board was created to address issues tied to cybersecurity. A few years later the United States created the Department of Homeland Security. These organizations worked to create the National Strategy to Secure Cyberspace, which was put into place in 2003.
“We’ve moved even beyond the 2003 strategy towards a more comprehensive strategy that is really trying to encompass all the departments and agencies in the United States federal government and deal with the international aspects,” said co-moderator Audrey Plonk, global security and Internet policy specialist at Intel Corporation. “Having a high level of strategy is very important.”
The Obama administration conducted a “clean-slate” review to assess U.S. policy, strategy and standards regarding security and operations in cyberspace in the summer of 2009. That report, aimed at addressing economic, national security, public safety and privacy interests can be found here: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Collaboration between government and industry
The panelists noted that a national strategy is dependent on the collaboration of many people, including industry bodies and government agencies.
Cheri McGuire, director for critical infrastructure and cybersecurity at Microsoft and chair of the Information Technology Sector Coordinating Council, said that the public/private partnership relies on several key principles.
“One principle is trust,” McGuire said. “There is a long history of lack of trust between industry and government. This adds a unique factor to when government invited industry to the table to work collaboratively on cybersecurity issues.”
She noted that many public and private partnerships from the past can be used as a lesson on how to conduct successful partnerships today. “There is no one right model, there is no one right way to do this,” McGuire said. “There are a lot of lessons learned – that many of us who are involved in the public and private debate have learned – that can be used to create the framework for these partnerships.”
The IT-SCC was established in 2006 to encourage cooperation between tech industry entities in addressing infrastructure protection, response and recovery. To read more, see http://www.it-scc.org/.
Combating cybercrime
“Cybercrime runs the gamut of most of the bad things that humans do to each other,” said Don Codling, unit chief at the Federal Bureau of Investigation. “Think of everything from slavery, to human trafficking, to embezzlement, to fraud. You can even hire a hit man online.”
Codling said the domestic approach of the FBI regarding cybercrime almost instantly turns into a global effort. Due to the nature of the Internet, how records are stored and how financial transactions are performed, almost all major crimes become global instantly.
“We are members of the global community,” Codling said. “The global law enforcement community has coalesced rapidly and said we have similar problems. We need to work together.”
To read more about the FBI’s cyber mission, see: http://www.fbi.gov/cyberinvest/cyberhome.htm. For background from the U.S. Justice Department on international aspects of computer crime, see this page: http://www.justice.gov/criminal/cybercrime/intl.html
Incident response seen as vital
Scott Algeier, executive director of the IT Information Sharing and Analysis Center, said it is important for there to be open communication in order for people to share their expertise. He noted that when industry partners share information people are able to analyze the different trends that many different companies are experiencing.
“By sharing information, we give each other a larger capability,” Algeier said. “We are able to say ‘this is a neat trend we are seeing,’ and analyze all of the information that we are receiving.”
Computer emergency readiness teams work to assess attacks and vulnerabilities. The US-CERT site is http://www.us-cert.gov/.
Building a culture of cybersecurity and awareness
Franz said the five overarching elements covered in the session are all dependent on each other.
“I don’t want to focus on five elements and that they each do their own thing,” Franz said. “But instead emphasize that it is important to collaborate between these elements.”
“Cybersecurity means preserving this open, free Internet that we have learned to value so much,” said Greg Nojeim, senior counsel and director at the Project on Freedom, Security and Technology of the Center for Democracy and Technology (http://www.cdt.org/about). “We are only just beginning to realize what it would be like if it was all taken away. Security allows you to use the Internet freely.”
Nojeim said correctly balancing the needs for security and privacy online is important. He added that an increase in transparency could make people really understand the need for security.
“A lot of the cybersecurity efforts necessarily have to take place behind the scenes, but I think that openness is one key to a successful program,” Nojeim said. “It builds trust, it helps companies know what happens to the information that they share.”
All panelists agreed that there will never be a time where there is no cybercrime.
“I don’t think there is a perfect system – what we have to find is what is reasonable security and the proper balance between privacy and freedom of speech and safety and cybersecurity,” said Adam Palmer, Norton lead cybersecurity advisor for Symantec Corporation, a security systems company.
-Rebecca Smith, http://www.imaginingtheinternet.org
The blame goes to all parties involved. Every time a phishing scam succeeds, an account is broken into or money is stolen right from a bank account, it is ultimately the fault of the perpetrator of the crime, but those who created the security software, the regulators who are supposed to be on watch and the individual user who gives out their private information are all complicit in cybercrime. That was the viewpoint of participants in a cybercrime panel at IGF-USA Oct. 2, 2009, in Washington, D.C.
President Barack Obama has, both during the campaign and in the initial stages of his presidency, said that he is looking to make cybersecurity a major focus of his administration, and part of this effort has led to this month serving as cybersecurity awareness month, but where should that awareness be cultivated?
“Whatever the U.S. policy is, it’s inextricably intertwined with the global policy,” said Christopher Painter, acting senior director for cybersecurity at the National Security Council.
But how can that policy be enforced? Threats to the integrity of the world’s online networks can emerge from anywhere at any time, and are nearly impossible to both prevent and punish.
“There is no static cyber threat, there is no one place to focus,” said Jennifer Warren, vice president of technology policy and regulation and government and regulatory affairs at Lockheed Martin Global Telecommunications.
Don Blumenthal, the senior principal with Global Cyber Risk, stood firm by the need for landmark cases to serve as a disincentive for criminals who look at the history of online law enforcement and see that there are few punitive dangers waiting before them.
But if everyone on the panel can agree that there’s a need for more punitive measures, that everyone – individual, corporate, governmental and international – needs to work together in preventing cybercrime, and that there is a critical need for more education in teaching the public about the steps they can take to try to staunch the flood of online security threats, why hasn’t anything been done yet?
“Security professionals are good at making sure that nothing happens.” – Ken Silva, chief technology officer at VeriSign
At every step of the way, people on every rung of the online ladder point the finger at a group either beneath or above them. Teachers, saying they have too much on their plate, encourage students to engage with the Internet without teaching them any safety precautions, thinking that the technology will take care of it. The techies create their software, knowing full well, as Silva sternly said, that the static password system that serves as the predominant backbone of most citizens’ security measures has been out of date since its inception years ago. And the government, which the techies look toward with hopes of enforcement, has its hands tied due to lack of funds, lack of manpower and the shifty international waters that impede progress in quickly catching and apprehending criminals.
Several ideas were floated during the panel’s discussion, including a newfound emphasis on K-12 education on cybersecurity, a nationwide campaign to build up a public consciousness of the need for more active individual involvement in maintaining cybersecurity, similar to the Smokey Bear campaign, and putting together a universal set of standards as to what cybercrimes are so that some progress could be made in instituting international laws to assist in tracking and apprehending international security threats (which comprise a majority of security breaches in the U.S.).
But all of the panelists involved in this discussion knew full well that to implement even one of these measures would require a degree of consensus and effort that, so far, has been remarkably difficult to come by.
-Morgan Little, http://www.imaginingtheinternet.org