Wednesday, April 28, 2010

CIA Director Says Cyber Attack Could Be Next Pearl Harbor

WASHINGTON D.C.—Central Intelligence Agency director Leon Panetta told 300 Sacramento Metro Chamber Cap-to-Cap delegates that the next “Pearl Harbor” is likely to be an attack on the United States’ power, financial, military and other Internet systems.

Panetta addressed the Sacramento delegation that includes 43 elected officials and hundreds of business and civic leaders who are in Washington D.C. for the annual program that advocates for the region’s most pressing policy issues. He spoke on Monday, April 19, during the Cap-to-Cap opening breakfast.

“Cyber terrorism” is a new area of concern for the CIA, Panetta said. The United States faces thousands of cyber attacks daily on its Internet networks. The attacks are originating in Russia, China, Iran and even from hackers.

“The next Pearl Harbor is likely to be a cyber attack going after our grid…and that can literally cripple this country,” Panetta said. “This is a whole new area of threat.”

But cyber terrorism is just one of four primary missions for Panetta, who took over directing the CIA last year after appointment by President Obama. The CIA is also focusing on counter-terrorism, reducing the proliferation of weapons of mass destruction and fighting narcotics trafficking.

Al Qaeda is becoming a viscous target, and as CIA and military operations tamp it down in Pakistan, Afghanistan and Iraq, the terrorist elements are moving to places like Somalia, Yemen and North Africa—as well as changing its tactics, he said.

“The president’s direction…is we must dismantle and destroy Al Qaeda and its known elements,” he said. “It’s a fundamental mission….The primary effort takes place in Pakistan and tribal areas. We are now focused on Afghanistan and have increased our presence there.”

Thursday, April 15, 2010

NSA director to testify at Senate hearing on cyber command unit

In an effort to protect the military's computer networks, the Obama administration is planning to put the leader of the nation's largest electronic spying agency in charge of a new military organization capable of launching attacks against enemy networks and power grids.

If confirmed by the Senate, Lt. Gen. Keith Alexander, director of the National Security Agency, would take charge of the Pentagon's newly formed cyber command and preside over a virtual army of computer technicians and network warfare specialists.

But even as the Obama administration presses the importance of cybersecurity and hails its nominee as an aggressive and innovative military intelligence officer, Alexander's confirmation has been delayed for nearly six months. Lawmakers have questioned whether the head of the NSA should lead a military unit and what, exactly, that new unit will be empowered to do.

Alexander is set to testify before the Senate Armed Services Committee on Thursday but has already provided written responses to questions from lawmakers.

Among other things, he stated that, faced with a cyber attack, the military must be able to respond in kind. It is "reasonable to assume that returning fire in cyberspace" is lawful, as long as any actions comply with the laws of war, he said in a 32-page document.

At issue is how military and intelligence authorities guide the operations of any new cyber command. U.S. policies governing cyber attacks and counterattacks lag behind the military's ability to conduct them.

Part of the challenge is that in cyberspace, a line of computer code could be an attempt to spy, disrupt a network or defend it, and that same code might unintentionally knock out critical systems in countries far from the target. The ambiguity -- and the fact that there is no international consensus on what constitutes use of force in cyberspace -- means the risks of provoking international conflict are real, experts say.

Have a look at the rest of this story over at the Washington Post

Thursday, April 1, 2010

Execs Need to Be Involved in Cyber Security Decisions

Business Week has a great story on how a new study calls for more C-level involvement in cybersecurity:

Organizations with top executives who aren't involved in cybersecurity decisions face a serious problem -- a major hit to their bottom lines, according to a report released Wednesday.

"Many organizations see cybersecurity as solely an IT problem," said Karen Hughes, director of homeland security standards programs at the American National Standards Institute (ANSI), one of the major sponsors of the new report. "We are directing a wake-up call to executives nationwide. The message is, this is a very serious issue, and it's costing you a lot of money."

The report, called "The Financial Management of Cyber Risk," recommends how C-level executives can implement cybersecurity risk management programs at their companies. Part of the goal is to get executives such as chief financial officers directly involved in cybersecurity efforts, said Larry Clinton, president of the Internet Security Alliance (ISA), the other major sponsor of the report.

The report cites a cyberpolicy review released by President Barack Obama's administration last May saying that U.S. businesses lost US$1 trillion worth of intellectual property to cyberattacks between 2008 and 2009. That number doesn't include losses due to theft of personal information and loss of customers, the report said.

The total cost of a typical breach of 10,000 personal records held by an organization would be about $2 million, the report said.

"We believe if we can educate American organizations about how much they're actually losing, we can move to the next step, which is solving the problem," Clinton said. Eighty to 90 percent of cybersecurity problems can be avoided by a combination of best practices, standards and security technology, but some organizations need to understand the financial problems associated with poor security practices before they will make changes, Clinton said. 

Read the full article over at Business Week