This draft policy (below) is based on the President’s Cyberspace Policy Review (bottom). I have embedded both for your convenience.
CyberWar
26
Jun 10
The National Cyberspace Strategy | The White House
19
Jun 10
Lawmakers question U.S. cybersecurity readiness | Computerworld
The U.S. government is not ready to fight a cyberwar, said Stewart Baker, a partner in the Steptoe & Johnson law firm and former assistant secretary for policy at DHS.
“There is no doubt that we are not prepared to address a major cyberattack today,” he said. “If we end up in a serious conflict with five or 10 very sophisticated countries, we will be attacked, and we will not know how to respond.”
Reported attacks on U.S. agencies increased by 400% from 2006 to 2009, said Representative Bennie Thompson, a Mississippi Democrat and committee chairman. “Whether the military or intelligence-gathering operations of foreign nations; domestic or international terrorist groups; lone-wolf, hate-driven individuals; common criminals, or thrill-seeking hackers, those attempting to infiltrate and exploit this country’s computer networks are both numerous and determined,” he said.
via Lawmakers question U.S. cybersecurity readiness – Computerworld.
20
May 10
Rogue ISP must liquidate, pay FTC $1.08M
A rogue Internet service provider that hosted and participated in the distribution of spam, malware, and porn has finally been shut down as a result of a request made by the FTC to a district court judge. The ISP, 3FN, has had its servers and assets seized and has been ordered to turn over $1.08 million of its proceeds to the FTC. The FTC first charged 3FN in June 2009 with a number of… really bad things. These included active recruiting of and working with criminals to distribute content such as spyware, trojan horses, phishing schemes, and pornography—including child porn.
The FTC says 3FN advertised its services to like-minded people in the “darkest corners” of the Internet, like chat rooms for spammers. 3FN was accused of deploying and operating botnets and bot herders to send spam and execute denial-of-service attacks. It hosted the command-and-control servers that were responsible for the communication of information between the bot herders it recruited and the zombie computers used to mount attacks.
16
Apr 10
Military asserts right to return cyber attacks | AP
By LOLITA C. BALDOR (AP)
WASHINGTON — The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker’s identity is unknown, the director of the National Security Agency told Congress.
Lt. Gen. Keith Alexander, who is the Obama administration’s nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.
“Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario,” Alexander said in a Senate document obtained by The Associated Press.
Alexander’s answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.
U.S. computer networks are under constant cyber attacks, by direct assaults by remote sites, by probes by hackers and criminal networks and by espionage from foreign countries. President Barack Obama last year declared that the cyber threat is one of the nation’s most serious economic and national security challenges.
The three-star Army general laid out his views on Cyber Command and the military’s role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command.
Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has “responded to threats, intrusions and even attacks against us in cyberspace,” and has conducted exercises and war games.
It’s unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.
In cyberspace, he said, it is difficult to deliver an effective response if the attacker’s identity is not known.
But commanders have clear rights to self-defense, he said. He added that while “this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles … would be lawful.”
Senators noted, in their questions, that police officers don’t have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
The nation’s ability to protect its networks and launch counterattacks, however, is shrouded in secrecy. Alexander gave the panel a separate classified attachment that provided more details on how and when the military would launch cyber attacks and under what legal and command authorities.
Among the classified responses was his answer to whether the U.S. should first ask another government to deal with a cyber attack that came from within its borders.
He repeatedly stressed that any U.S. response to a cyber attack must be authorized by the president and must conform to international law and guiding military principles. Those guidelines require that the reaction be deemed militarily necessary and in proportion to the attack.
Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.
Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a “strategic vulnerability.”
Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.
He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is “realistic.”
Alexander, 58, is a native of Syracuse, N.Y., and a graduate of the U.S. Military Academy.
On the Net:
Lt. Gen. Keith Alexander: http://www.nsa.gov/about/leadership/bio_alexander.shtml
29
Mar 10
Check the Hype — There’s No Such Thing As ‘Cyber’ | Threat Level | Wired.com
How can you tell the difference between a real report about online vulnerabilities and someone who is trying to scare you about the security of the internet because they have an agenda, such as landing lucrative, secret contracts from the government?
Here’s a simple test: Count the number of times they use the adjective “cyber.” Nobody uses the word “cyber” anymore, except people trying to scare you and trying to make the internet seem scary or foreign. (Think, for instance, of the term “cyberbullying,” which is somehow much more crazy and new and in need of legislation than “online bullying.”)
…
Amit Yoran, a respected security expert who runs a company that sells computer security services to the government, wrote a long post on a Forbes blog this week to defend the concept of “cyberwar,” in no small part because this blog ranted about how that term is used to hype militarization of the internet and feed a new and very dangerous arms race.
…
Yoran and Forbes also fail to mention that his company, NetWitness, markets computer security equipment to the government and has a vested interest in the outcome of this debate.
…
That kind of rhetoric doesn’t launch sensationalist — and often demonstrably false — scare stories in opinion-making outlets like 60 Minutes, The New York Times, The Wall Street Journal, The Washington Post and the National Journal.
No, when that kind of fear-mongering is needed to loosen the purse strings for computer security, only one word will do.
Cyber.
And it’s even better when repeated ad nauseam in front of Congress and at the country’s top security conferences by former and current government officials, even if those people couldn’t even enable MAC address filtering on their own wireless routers.
via Check the Hype — There’s No Such Thing As ‘Cyber’ | Threat Level | Wired.com.
19
Feb 10
Internet filtering: 2009 in review | Berkman Center
From the OpenNet Initiative blog:
The OpenNet Initiative is proud to release its 2009 Year in Review, a look into instances of filtering, surveillance, and information warfare around the world in 2009.
The events of 2009 demonstrated a global rise in third-generation Internet controls. Within the first two weeks of January 2009, both Pakistan and Thailand had ordered the filtering of several Web sites, and Germany announced plans to filter certain types of pornography, garnering outrage from free speech activists. By mid-year, the events surrounding the elections in Iran had taken center stage, prompting Iranian authorities to crack down on Internet use and sparking outrage throughout the world, which then rippled through social media.
The OpenNet Initiative estimates that at the end of 2009, 32% of all Internet users were accessing a filtered version of the Internet.
14
Feb 10
When Countries Collide Online: Internet Spies, Cyberwar, and Government-sponsored Skullduggery | Berkman Center
When Countries Collide Online: Internet Spies, Cyberwar, and Government-sponsored Skullduggery
Cliff Stoll and Jonathan Zittrain
Monday, February 8, 6:00pm
John Chipman Gray Room, Second Floor of Pound Hall, Harvard Law School
RSVP required for those attending in person via this form
This event will be webcast live at 6:00 pm ET and archived on our site shortly after.
Free and Open to the Public
27
Jan 10
Cyber Détente | Stanford Center for Internet and Society
Cyber Détente
by Jonathan Mayer, posted on January 20, 2010 – 11:48pm
Late last year the Obama administration reopened talks with Russia over the militarization of cyberspace and assented to cybersecurity discussion in the United Nations First Committee (Disarmament and National Security). My intention in this three-part series is to probe Russian and American foreign policy on cyberwarfare and advance the thesis that the Russians are negotiating for specific strategic or diplomatic gains, while the Americans are primarily procedurally invested owing to the “reset” in Russian relations and changing perceptions of cyberwarfare.
Cross-posted from Freedom to Tinker.
This first post rebuts the Russians’ purported rationale for talks: avoiding a security dilemma.
via Cyber Détente | Stanford Center for Internet and Society.