Electric grid Archives

Senate Punts Cybersecurity to 2012

The Senate plans to hold a vote on comprehensive cybersecurity reforms during the first work period of 2012, according to senators on the committee with jurisdiction over federal computer protections.

In a letter sent late Wednesday, Majority Leader Harry Reid, D-Nev., informed Senate Republicans of his decision to bring legislation to the floor early next year, according to members of the Homeland Security and Governmental Affairs Committee. Reid's bill is expected to include measures proposed by the committee that would automate federal information security practices and charge the Homeland Security Department with regulating safeguards for civilian public and private networks.

Efforts to pass broad legislation this year fell victim to job creation and deficit reduction priorities. Most computer privacy and security laws were enacted before social media and smartphones increased the country's reliance on the Internet.

"Hackers, criminals, and antagonistic foreign powers are maliciously probing our cyber defenses every day on an unprecedented scale, and it is no secret they have found our defenses to be vulnerable," Committee Chairman Sen. Joe Lieberman, I-Conn., Ranking Member Sen. Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Sen. Tom Carper, D-Del., said in a joint statement. "Defense Secretary Leon Panetta has warned that the next Pearl Harbor 'could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.' For that reason, we are grateful Majority Leader Reid has scheduled debate on this important national and economic security legislation shortly after Congress reconvenes next year."

While breaches have been common for years, more companies and governments are now speaking publicly about them in an effort to put an end to the economically costly intrusions, experts say.

"There is no such thing as 100 percent security, on or offline, but we must take action to strengthen our defenses against those who are constantly working to do us harm," the lawmakers added.

$2 Million Tab for DoE Computer Break-Ins

The Energy Department paid more than $2 million to recover from several recent cyberattacks, according to agency auditors.

An annual review of Energy's unclassified cybersecurity found that network weaknesses increased 60 percent between fiscal 2010 and fiscal 2011, the department's inspector general reports. The security holes include weak access controls, software flaws and poor employee training, among other deficiencies.

"As noted by recent successful attacks at four department locations, exploitation of vulnerabilities can cause significant disruption to operations and/or increases the risk of modification or destruction of sensitive data or programs," writes Energy IG Gregory H. Friedman in an Oct. 20 evaluation. "The estimated cost to the department for the recent cyberattacks at three of the four sites was over $2 million."

Tests at 25 facilities, including headquarters, revealed 32 previously unidentified vulnerabilities plus an additional 24 left unresolved from the prior year, Friedman notes.

Citing security concerns, the report does not say where the four breaches occurred or name the specific weaknesses discovered elsewhere.

Friedman attributes the problems, in part, to management's failure to monitor the performance of security safeguards.

For example, the agency neglected to block unauthorized users from accessing or modifying data on Web programs. "At least 32 web applications, used to support functions such as procurement and safety, did not perform validation procedures," he writes. "Such procedures ensure that changes made to information and programs are only allowed in a specified and authorized manner and that the system's operation is not impaired by deliberate or inadvertent unauthorized manipulation, such as through software flaws and malicious code."

Panetta Invokes Pearl Harbor While Anonymous Calls for Revolution

Defense Secretary Leon Panetta's greatest enemy in cyberspace may be U.S. cyber "revolutionaries."

While visiting the U.S. Strategic Command in Nebraska on Friday, Panetta invoked the image of Pearl Harbor, as he has done before, to warn soldiers about the threat an attack against critical infrastructure networks would pose to Americans.

Cyberattacks ranked fourth among the challenges he listed that confront today's military -- after terrorism, two ongoing wars and rogue nations.

"We're now in a very different world, where we could face a cyberattack that could be the equivalent of Pearl Harbor," he said. "I mean, cyber these days -- someone using cyber can take down our power grid system, take down our financial systems in this country, take down our government systems, take down our banking systems. They could virtually paralyze this country."

Other security experts say cyberattacks "these days" are unlikely. Terrorists don't have the skills to launch them and the nations that have the capability are afraid the United States will retaliate with conventional weapons if they nuke a network, they say.

"For these reasons, the immediate threat in cyberspace involves espionage and crime. These are daily occurrences," James A. Lewis, a cybersecurity specialist at the Center for Strategic and International Studies told a House committee in May.

Still, Panetta seems very worried about the future threat. At his June Senate confirmation hearing, he quoted himself invoking Pearl Harbor: "I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems. This is a real possibility in today's world."

He added, "I have a huge responsibility, if confirmed, in this new position in dealing with the cyber area through NSA and others," referring to the National Security Agency, the Pentagon's network protection branch.

Meanwhile, as Panetta tries to rouse the cyber forces, Death and Taxes writer D. J. Pangburn is digging into the Achilles heel of U.S. cybersecurity -- the shortage of forces. The United States needs some 20,000 to 30,000 programming sleuths to operate effectively in the cyber domain, according to some estimates.

Pangburn last week published an open letter calling on attendees of DEF CON, an annual hacker conference, not to sell out by talking to NSA scouts there.

This weekend, government officials were scheduled to recruit future cyber warriors at a "Meet the Feds" kids' workshop and elsewhere on the grounds of Las Vegas' Rio Hotel.

Pangburn argues that "in the future, hackers will be integral to dissent -- in a sense, you already are in light of WikiLeaks, Anonymous and LulzSec," hacktivist groups that post U.S. secrets online. He adds, "We hope that most of you stay out of the NSA's monolithic spy palace to keep the [Word We Can't Print Here] in our government honest. . . you have the capabilities to check power or even threaten its very existence."

On Saturday, Anonymous apparently followed Pangburn's marching orders. The group claims to have plastered the Web with 70 U.S. law enforcement agencies' private emails and other confidential materials:

"A recent [Homeland Security Department] bulletin has called us 'script kiddies' that lack 'any capability to inflict damage to critical infrastructure,' yet we continue to get in and out of any system we please," states an accompanying message purportedly from the hacktivists. "GIVE UP. You are losing the cyberwar, and the attacks against the governments, militaries and corporations of the world will continue to escalate. Hackers, join us to make 2011 the year of leaks and revolutions."

Pentagon Concerned About Terrorists' Cyberwar Capabilities

The Pentagon and foreign partners will follow the Cold War construct of "shared warning" to pursue enemies in cyberspace, Deputy Defense Secretary William J. Lynn III said on Thursday at the International Workshop on Global Security in Paris.

Neither America nor its international partners have faced a true cyber attack from a nation state -- the kind that generates severe economic or physical damage -- but the "more immediate concern" is the threat of a terrorist group developing destructive cyber tools or buying them on the black market, he said.

"Just as our air and space defenses are linked with those of our allies to provide warning of airborne and missile attacks, so too can we cooperatively monitor our computer networks for cyber intrusions," Lynn said. Defense is finalizing a strategy that will direct each service on how to train, equip and command its forces for cyber missions, he said.

A consensus on cyber response is emerging at the North Atlantic Treaty Organization, Lynn added.

"NATO is unanimous in acknowledging the need to elevate its treatment of network security," he said. "A commitment to take NATO's Cyber Incident Response Center to full operating capability by 2012 is a significant step in the right direction. And at last week's ministerial, NATO ministers approved final cyber policy guidance."

Lynn stressed that public-private partnerships must also be part of military cyber missions, since 90 percent of U.S. Defense communications travel over the same commercial networks that serve civilians.

Critical infrastructure networks -- the systems supporting the transportation, energy and financial sectors -- must be protected by defense and non-defense agencies, he said. "Protecting the networks that undergird critical infrastructure must be part of our national security and homeland defense missions," Lynn said.

As a start, the Pentagon is sharing classified intelligence on cyber threats with military contractors and their internet service providers to help defense companies bolster their computer systems, he added.

Iran Censorship Efforts Gain Urgency Amid Stuxnet Fears

Iran's efforts to disconnect its Internet from the rest of cyberspace have gained urgency amid fears of another Stuxnet worm and other perceived moves by the U.S. government to exert influence through the Web, a report suggests.

Iran watchers said the discovery of Stuxnet put more momentum into an initiative to build up a "national Internet" that would block access to non-Iranian sites, the Wall Street Journal reports.

Stuxnet, a computer worm designed to disrupt Iran's nuclear program, is widely believed to have been created by Israel and the United States. Stuxnet's mysterious origins point to, among other places, the CIA, Energy Department research laboratories and Homeland Security, a New York Times investigation suggested.

The State Department's support of tools to circumvent online censorship -- including State Secretary Hillary Clinton's promise to make Internet freedom a foreign policy priority -- have heightened concerns about U.S. attempts to influence Iran through the Internet.

State has appropriated $50 million to help promote Internet freedom since 2008, with $22 million officially spent so far, National Journal reported.

Whether or not Iran can actually achieve its ambitious censorship aims, warnings of a renewed push should be a reminder that agencies need to tread carefully when playing in today's politicized technological landscapes.

White House Cyber Proposal Excludes Classified Systems

The White House as early as this week is expected to send Congress draft legislation for a far-reaching cybersecurity bill that stops short of addressing the sticky subject of classified systems, sources tell Nextgov. The consensus among experts consulted in the drafting of the legislation is that the proposal will demarcate civilian agencies' roles in protecting computer networks -- but not so-called national security networks that carry classified information.

There has been discord among lawmakers and agencies over whether the Defense Department, with its vast resources and expertise, should be responsible for defending the nation's networks or whether the Homeland Security Department, as the protector of critical infrastructure, should be charged with responding to cyberattacks.

One side says civilian departments, like DHS, are not equipped to fend off cyberterrorists intent on infiltrating military secrets. The breach that allegedly led to the airing of diplomatic and defense information on whistleblower website WikiLeaks underscored the challenge of sealing off sensitive weapons and foreign affairs data. But civil liberties proponents and some in industry say the Pentagon should not be monitoring private networks.

About a year ago, the administration began the interagency process of achieving unanimity on cybersecurity reforms.

Senate Majority Leader Harry Reid, D-Nev., and the chairmen of the multiple Senate committees with jurisdiction over computer security want to pass a comprehensive bill that would address everything from the security of government networks to online identity theft.

Last week, at a hearing on a draft measure to protect the nation's power supply from breaches, senators and federal officials agreed that Energy should have the authority to order utilities to take action when there is an emergency threat to the electricity grid. The draft legislation is one of many standalone proposals serving as a placeholder until the Senate and White House have reached accord. It calls for Defense to craft a plan for safeguarding power supplies at military facilities against imminent cyber threats in Alaska, Hawaii and Guam.

White House officials said there has been no announcement on timing for the release of a legislative framework.

DoD Bill Probes Civilian Net's Threat to Military Installations

The House Republican charged with coordinating cyber legislation across the chamber's committees has proposed a measure that would examine the threat to military installations posed by the Defense Department's inability to monitor utility networks.

At present, lawmakers, executive branch agencies and civil rights advocates are at loggerheads about whether the Pentagon should have the power to protect private networks. Congress is waiting for the White House to offer some direction before acting on comprehensive cybersecurity legislation but the Obama administration has yet to release a year-long interagency review.

Rep. Mac Thornberry, R-Texas, in his capacity as chairman of the House Armed Services Subcommittee on Emerging Threats and Capabilities, is backing language scheduled for a vote on Wednesday that would order a study "on the threat to the readiness of military installations from possible cyber attacks on civilian critical infrastructure."

The committee "is concerned that the department remains indirectly vulnerable to cyber attack on critical pieces of civilian infrastructure not under the department's protection," states the panel's portion of the fiscal 2012 National Defense Authorization bill, H.R. 1540. Due to the location and structure of military installations, they often rely on their surrounding communities' power grids, public utilities and telecommunications services -- many of which "are poorly protected or completely unprotected from potential cyber attacks."

The legislation also would establish a cyber fellowship similar to an exchange student program for international troops. Thornberry said the initiative supports the NATO Cooperative Cyber Defense Center of Excellence, an institution based in Estonia that is working to foster global cybersecurity collaboration.

The U.S. program would allow a foreign military member to temporarily join a Defense Department organization for education and training in information security.

We'll have more on U.S.-Estonia cyber relations in a separate story later today.

House FY 2011 Bill Would Slash Cyber by $60 Million

The House Appropriations Committee intends to cut cybersecurity funding by $60 million for the last remaining seven months of the fiscal year.

The committee on Friday introduced H.R. 1, the largest discretionary funding reduction in congressional history, which would take money away from the Homeland Security program that coordinates nationwide efforts to safeguard critical infrastructure and communications.

Under the Republican-led committee's plan, the infrastructure protection and information security program would get $806 million rather than the $866 million that DHS requested.

Part of the rollback would rescind $6 million in unobligated balances from so-called next generation networks for providing national security and emergency preparedness communications, in the event someone or something cuts off connectivity.

Meanwhile, House Homeland Security Ranking Democrat Bennie Thompson, D-Miss., estimates that another Republican-backed measure, H.R. 408, aimed at scaling back federal spending in fiscal 2012 to fiscal 2006 levels, would slash the cyber and infrastructure protection program by $275 million.

On Friday, Thompson released a report that said the reduction would mean "ground would be lost on efforts to identify, address and mitigate cybersecurity and physical vulnerabilities to federal and private sector networks."

DOE Discloses Power Grid Threats

The following post was written by Nextgov reporter Aliya Sternstein.

In the interest of serving the greater public good, the Energy Department recently disclosed an analysis of the cybersecurity vulnerabilities of private and government electric power grids. Typically cyber weaknesses at private utilities -- and even in specific government energy programs -- are kept close to the vest.

But as the May report states, "although information found in individual stakeholder [system] vulnerability assessment reports is protected from disclosure, the security of the nation's energy infrastructure as a whole can be improved by sharing information on common security problems with those responsible for developing and operating" systems that control the nation's energy infrastructure.

Idaho National Laboratory, the department branch that performed the tests, identified the most prevalent issues plaguing system owners without naming the individual assets. Typical insecure coding practices accounted for many of the security flaws, according to the report:

Assessments reported large [industrial control system] attack surfaces created by excessive open ports allowed through firewalls and unsecure and excessive services listening on them. Well-known unsecure coding practices account for most of the ICS software vulnerabilities, which result in system access vulnerability or denial of service (DoS).

However, poor patch management provides more likely attack targets because the vulnerabilities are public and attack tools are available for them. Once ICS network access is obtained, status data and control commands can be manipulated as they are communicated by unsecured ICS protocols.

Steven Aftergood, who directs the project on government secrecy for the Federation of American Scientists, noted on his Secrecy News blog that the findings aren't earth-shattering but "by describing the issues in some detail, the new report may help to demystify the cyber security problem and to provide a common vocabulary for publicly addressing it."