To the New President: Secure Cyberspace

Share

As the transition period leading to the new presidency is almost coming to an end, everyone will probably have multiple requests to the president, and of those is to increase cyber defence. In this optic, a new report created by the “CSIS Commission on Cybersecurity for the 44th Presidency[1]” has release its recommendations on how to secure cyberspace. They consist of:

  • Create a Comprehensive National Security Strategy for Cyberspace
  • Organizing for Cybersecurity
  • Rebuilding Partnership with the Private Sector
  • Regulate for Cybersecurity
  • Identity Management for Cybersecurity
  • Modernize Authorities
  • Build for the Future

This report comes 5 years after the “National Strategy to Secure Cyberspace” document released in 2003 by the National Advisory board which goal was to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact[2]“. The CSIS’ document doesn’t mention the previous efforts by the National Advisory Board but declares the previous efforts of the Bush administration as “good but not sufficient[3]“.

As usual, it remains difficult to see how much of this report is based on real facts or just a way to secure funds from the new president by linking potential damage to the cyberspace infrastructure to the economy . It states that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009[4]“. It uses the cyber attack that occurred on various American networks in 2007 as an example[5].

While they may be some part of fear mongering in this report, we should not completely put aside threats mentioned in this report. As cyber warfare is mostly a war happening without much fanfare and therefore happens in the shadows, it is hard to really determine what’s going on. Since there is no open war between modern countries, we won’t see any cyber warfare for the time being. For the moment, cyberspace will be used for spying mostly and this is what this document mostly addresses.

The unclassified e-mail of the secretary of defense was hacked … A senior official at the Department of State told us the department had lost “terabytes” of information,” declares the report, also: “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost  billions in intellectual properties.

Unfortunately, “senior representatives“, “conclusive evidence” and “foreign sources” are so vague that it’s impossible to validate the scope of the problem…or even believe it. Another document though[6], mentioned in the present reading give some examples of the uses of terrorists for cyberspace. It mentions among others the “Muslim Hackers Club” website and the information posted to it, and the use of stolen credit cards and bank account information to finance the Bali attack in 2002[7].

The authors are putting a lot of emphasis on treating cybersecurity as a priority on the same levels as WMD and any other subject that requires national attention therefore requiring that the federal government take charge of the national cybersecurity instead of IT departments. It proposes that:

1)      Standards for computer security be enforce for to the industry such as manufacturing plants and power plants.

2)      Cyberspace security be overlook by a cybersecurity chief and that security agencies such as the National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force (JIACTF) be merged into one.

A central office in charge of enforcing computer security standards will have to be formed later or sooner. Fortunately this will be sooner. Information Technology departments should not only have a national reference on the standards to achieve, but also have the opportunity to know how to implements those standards by having government-accredited security companies implementing those standards to networks of various industries. I also believe this new agency should periodically test the security of those networks, as I presume, should already be done. The reports propose that instead of a new agency, the Whitehouse be in charge of the national cybersecurity with an assistant to the president.

The difficulty in this resides in the fact that only one weak link is sufficient to be able to attack the entire system. Therefore, it is necessary to screen the entire critical infrastructure in order to be efficiently secured. And since this implies that systems are often connected internationally for large industries, it means an international consensus.

One thing is for sure, is that all the existing computer-security related need to be consolidated in order to focus on a common goal, and that is the protection of cyberspace. As the report states, it also need to be working hand-to-hand with the private sector in order to have a quick reaction to emergencies. Unfortunately this is only another report amongst other. Maybe a more tech-savvy president such as Barack Obama will catch on quicker to this threat. Until then, the battle still rages on in the shadows of the Internet…

See also

“Obama urged to create White House cybersecurity chief “, Dan Goodin, The Register, December 8, 2008, http://www.theregister.co.uk/2008/12/08/cyber_security_report/ (accessed on December 10, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/ (accessed on December 10, 2008)

[2] “The National Strategy to Secure Cyberspace”, National Advisory Board, February 2003, p. VII

[3] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, p.15

[4] Ibid. p.11

[5] “Pentagon shuts down systems after cyberattack’, Robert McMillan, InfoWorld, June 21, 2007, http://www.infoworld.com/article/07/06/21/Pentagon-shuts-down-systems-after-cyberattack_1.html(accessed on December 10, 2008)

[6] “Threats Posed by the Internet”, CSIS Commission on Cybersecurity for the 44th Presidency, October 2, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5146/type,1/ (accessed on December 10, 2008)

[7] “Bali death toll set at 202”, BBC News, February 19, 2002, http://news.bbc.co.uk/2/hi/asia-pacific/2778923.stm (accessed on December 10, 2008)

Cybercrime Rose by 9% in Britain

Share

The BBC reports that cybercrime rose by 9% in Britain[1]. This is according to Online Identity firm Garlik which release its 2008 Cybercrime Report. The report contains interesting statistics. Among others, identity theft drop from 92 000 offenses in 2006 to 84 700, a 8% drop[2]. Financial fraud rose by 24% and is expected to increase for 2008-2009, mainly due to the financial crisis going on. The report cites the leaked letter from the Home Office indicating a possible rise in crime[3]. This is really no surprise.

Always according to the report, the top three stolen documents for identity theft were non-UK passports, utility bills and UK passports[4]. As for financial cybercrimes, losses from UK victims amounted to £535million (1 billion $CAN, 869 millions $US), up 25% from 2006. The reports further states this interesting bit of information:

“… personal details and identity information are traded online with the 15 Research conducted by Garlik’s team of researchers investigating the presence of illegal trading networks on the Internet, number of trading networks more than doubling (from 27 to 57) over the past nine months. In a typical day, around 520 individual information traders are identified with 19,217 traders being identified this year. Of these, around 700 are ‘long term’ traders …[5]

Cybercrime in the UK rose by more than 9% in 2007
Cybercrime in the UK rose by more than 9% in 2007

That’s 57 trading network and around 20 000 traders, which, at least for me, is a big number. But the report doesn’t specify how those traders were identified though. The 700 “long-term” traders are seemed to be identified only with their online alias. Therefore if the “20 000 traders” is counted using aliases, this number might be higher than the actual number of traders.

The reports do not goes into great details on how the criminals get the information, but it does mention Trojans, phishing and SQL injections as a way to retrieve the information. As for the damage caused by these for UK companies, 830 000 companies report a computer-related incident last year. Viruses accounted for 21% of those incidents and are on the decline.

Fortunately, the report also mention lack of data protection from the government but fail to give any number, since it’s outside the scope of the document. But shouldn’t it be considered so? Shouldn’t this be considered as criminal negligence? After all, lost data impact lives and can lead to disaster for the victims of this negligence…

Garlik also describe interesting statistics about online harassment. The complete report can be found here: http://www.garlik.com/static_pdfs/cybercrime_report_2008.pdf


[1] “Cybercrime wave sweeping Britain”, BBC News, October 30, 2008,  http://news.bbc.co.uk/2/hi/technology/7697704.stm (accessed October 30, 2008)

[2] “UK Cybercrime Report 2008”, Stefan Fafinski, Neshan Minassian, Garlik, September 2008, p. 5

[3] “Leaked letter predicts crime rise”, BBC News, September 1, 2008,  http://news.bbc.co.uk/2/hi/uk_news/politics/7591072.stm (accessed on October 30, 2008)

[4] “UK Cybercrime Report 2008”, Stefan Fafinski, Neshan Minassian, Garlik, September 2008, p. 12

[5] Idem, p. 16