Tuesday, May 3, 2011

Final Blog Post

When I created my Cyber Security blog, I had no idea what direction I would take with it. Cyber Security is a very broad topic that can cover broad issues and also get down into small, extremely technical ones. Since the first purpose of the blog is to have it be read and understood, I decided to make my blog user-friendly by eliminating overly technical stories, language, and terminology. The second purpose of a blog is to create a point of discussion. So, I tried to focus on topics that had multiple viewpoints and defensible positions. These types of topics tended to fall into two categories: public or private security and scope of government involvement.

The issue of who is a better provider, the public or private sector, is not unique to cyber security. In fact, it is at the core of many of our country's most heatedly debate topics, such as health care and education. There are differing viewpoints on which sector is better suited to provide for our country. Proponents of the private sector argue that it is more efficient and less costly. While the public sector contends that public services are held accountable by the voting public, while corporations are accountable to no one but the stockholders -- and even then with mixed results.

In a few articles I discussed the planned expansion of federal power through the creation of an "internet killswitch" and "national cyber ID's". Most of the comments I received were weary of expanding the power of the government. I received comments questioning the federal governments capability to execute these tasks efficiently and comments fearing that we were heading closer to an Orwellian style dictatorship.

The second theme focused on the scope of government involvement in creating our security. I looked at NSA spying to gather critical intelligence and possible government involvement in cyber wars across the globe. While no one likes the idea of a massive government spying dragnet in our country, there are those who feel that since they have nothing to hide, they do not mind giving up some of their privacy if it means enhanced security. The idea is that if you are not making phone calls to anonymous cell phones in Afghanistan, the government has no reason to look into you. The fact that there are many people that hold this sentiment proves how lucky we are to live in the United States. I doubt there are many people who feel the same way in China, for example.

Lastly, I looked at the United States and Israel's possible involvement in the Stuxnet worm, the world's first precision-targeted cyber missile. This is also a tricky subject. Surely an attack on another nations infrastructure, whether cyber or physical, should be considered an act of war. On the other hand, no one wants to see Iran posses a nuclear weapon. This effectively set their development team back five years and did not inflict any civilian causalities or any collateral damage that would affect the civilian population. However, it must also be taken into account that Iran maintained that their nuclear plants were entirely peaceful and only for the purpose of generating power.

Cyber Security is a complex issue. It evolves so fast that it is nearly impossible to keep up with. People have varying opinions on which policies are best, but it is so unpredictable that it is hard to say, maybe even often in retrospect, who was right and who was wrong. The best we can do is stay educated about the threats and preventative measures and make our best assessment on what we think will provide the most security.

Tuesday, April 26, 2011

Iran Targeted in Second Cyber Attack

A second virus, called “Stars”, has targeted Iran’s nuclear enrichment facilities. Iran’s security officials said the virus only caused minor damage before it was discovered, isolated, and moved to a lab for study. The semi-official government news agency in Iran, Mehr made the following announcement about the virus:

“The particular characteristics of the Stars virus have been discovered. The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations.”

The report went on to blame Israel and the United States for the virus, as they did for the Stuxnet virus in early January. The Stuxnet virus, however, was not detected until it had infected nearly 80% of their system and had already caused major physical damage to the plant. The Stuxnet virus was able to take control of the plant, while simultaneously telling the plant’s monitoring staff that everything was fine. The virus caused 1,000 centrifuges to spin so fast that they broke before anyone even realized anything was wrong.

Nuclear enrichment facilities would be targeted by those concerned with Iran’s ability to create an atomic bomb. Enriched uranium provides fuel for nuclear power plants, which provide energy. Uranium enriched to a much higher degree, however, provides essential materials for nuclear weapons.

The Stuxnet virus is much too sophisticated to have been created by a simple hacker. Analysts have concluded that the virus could only have been created by a nation-state with intimate knowledge of Iran’s nuclear facilities. Although the United States and Israel have not admitted to the creation of the virus, the U.S. oversaw the creation of a simulation of Iran’s enrichment facility in a nuclear plant in southern Israel that used centrifuges identical to Iran’s.

So now I want your input. In an age of complicated diplomatic relations, when mandates and sanctions are not always effective tools for foreign policy, how should we view acts of cyber warfare against infrastructure? Should it be considered an act of war?

Source: http://www.reuters.com/article/2011/04/25/us-iran-computer-virus-idUSTRE73O1OL20110425

Wednesday, April 20, 2011

National Cyber ID

The federal agency called the National Agency for Trusted Identities in Cyberspace, or the NSTIC, an acronym you have probably never heard of, is making important decisions that may affect the way that you go on-line. The agency is seeking to promote safety and security of on-line transactions because identity theft incurred by a consumer on-line can take 130 hours and over $600 to resolve. The agency wants to create a unique log-on ID for each person in America that they can use securely for everything they do on-line, from banking to shopping to many other things. Obama made the following justifications for the plan:

"By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation"

He went on to stress that the program will be in no way mandatory, and consumers will still be able to choose to do certain transactions on their National ID and certain transactions anonymously.

However, I believe it is always important to be skeptical of such programs, as the scope is hardly ever limited to the original intentions. Your Social Security number, for example, was originally created only for the purpose of paying and receiving Social Security. The scope of that number has been greatly exceeded and is now used to track all sorts of information about you. Although the National ID program is voluntary now, in the worst future case, it could eventually be a requirement of any access of the internet at all and give the government the ability for total on-line tracking of your activity. So I want your thoughts: should the federal government get into the game of on-line commerce and banking security or should this be left to private companies?

Source:http://www.digitaltrends.com/computing/obama-aims-to-fight-identity-theft-with-new-online-id-plan/

Tuesday, March 29, 2011

NSA Spying: How Much Privacy Are We Willing to Sacrifice?

The National Security Agency has been engaging in massive dragnet spying on American internet traffic since 2001. It has been doing so, with the cooperation of major telecommunications carriers, such as AT&T, where a whistle-blower there provided evidence that the NSA has installed a splitter that was handing over wholesale voice and data traffic to the NSA for the purpose of data mining. The Electronic Frontier Foundation comments:

"The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails, web browsing, and other Internet traffic to and from AT&T customers, and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, 'this isn’t a wiretap, it’s a country-tap.'"

The EFF brought a lawsuit against AT&T for this wiretap in 2006, however, the case was dismissed in 2009 after the FISA Amendments Act, signed into law by President Bush in 2008, retroactively made all of this previously illegal wiretapping legal and provided retroactive immunity.

So, the wiretap remains. The NSA was never held accountable for committing illegal spying on Americans through legal and political maneuvering. Furthermore, previously illegal wiretapping is now legally sanctioned.

My questions are these: What is your opinion on the necessity of this type of domestic spying? Should we trust a government agency with this amount of unchecked power?

For more information on the AT&T splitter, check out this Frontline report.

Wednesday, February 23, 2011

Security vs Privacy/Freeddom: The Internet Freedom Act


Security is often increased at the cost of personal privacy and freedom. Anticipating opposition to reduced privacy and freedom, lawmakers and agencies often employ Orwellian doublespeak to garner support, examples include: The Patriot Act (takes away privacy), Department of Defense (starts wars), and No Child Left Behind (diminishes funding for public education).

So when Senators Lieberman(I) and Collins(R) introduce a bill called "Cybersecurity and Internet Freedom Act", there is reason for further investigation. Most of the bill is uncontroversial, such as recruiting federal cybersecurity agents and funding research for secure internet protocols. However, the bill also gives the President the ability to "issue a declaration of a national cyberemergency". During this time, the executive branch could restrict access to, from, and between portions of the internet, as well as demand that companies deemed "critical to the nation's infrastructure...immediately comply with any emergency measure or action". The bill places no explicit restrictions or oversight on the executive branch, only implicitly allows judicial review.

The aim of the bill is to protect our critical infrastructure (water, power, financial, etc) in the event of a cyber attack on the country. But is this the right approach? Jim Harper, information policy expert, offers this analysis: "Get critical infrastructure onto the Internet and get the government into the cyber security business. That’s a recipe for disaster. The right answer is to warn the operators of key infrastructure to keep critical functions off the Internet and let markets and tort law hold them responsible should they fail to maintain themselves operational."

I believe people are right to question the ability of the executive branch to carry out this duty fairly and efficiently. Earlier this month, the DHS erroneously seized 84,000 domains and replaced their content with a banner informing them and their visitors that the site had possibly violated child pornography laws. In December, federal employees (including soldiers) were warned that viewing or linking to wikileaks cables was explicitly breaking the law.

At the same time, hackers that have been traced back to China have attacked computer systems of both the Canadian Government and U.S. Oil Firms. The threat of an attack is definitely not fabricated.

So, I ask you, what freedom/privacy should we be willing to give up for infrastructure security? Are we protecting our infrastructure in the right way?

Sources:
http://news.cnet.com/8301-31921_3-20033717-281.html?tag=mantle_skin;content
http://blogs.wsj.com/digits/2011/02/18/new-cyber-security-bill-kills-the-kill-switch/?KEYWORDS=Cybersecurity+and+Internet+Freedom+Act
http://blog.ericreasons.com/2009/04/from-senator-who-wishes-internet-was.html

Tuesday, February 8, 2011

Introduction


Richard Clarke, in his recent novel Cyber War, defines Cyber Warfare as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption". The U.S. Deputy Secretary of Defense, William Lynn, has stated that "the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space." So, how much is known about this new domain in warfare? Despite being less visible than other forms of warfare, it has the potential of being equally damaging to a nation's confidence, economy, and infrastructure. This blog will follow the major events and developments of this new domain in warfare. Along the way, I will comment on how well prepared the United States is for this upcoming war, how this will change our daily lives and policies, and what we are sacrificing to achieve greater security. Thank you for reading, and I always appreciate your comments and contributions!