Smells Like Incompetence
Via journalist Malena Carollo, reporting for the Christian Science Monitor, comes an astonishing news item on what is perhaps the single most egregious failure in federal information security this century (so far...): the breach at the Office of Personnel Management (OPM), and the agency's testimony about it before Congress.
"Moving forward, Archuleta assured the committee that OPM would continue to improve their cybersecurity efforts and work on the recommendations given by the Inspector General 'to the best of our ability.' 'That's what frightens me, Mrs. Archuleta,' said Rep. Mick Mulvaney (R) of South Carolina, 'that this is the best of your ability.'"
- via Malena Carollo reporting at the Christian Science Monitor
DARPA and BBN, 'A History of the ARPANET: The First Decade' →
Bolt Beranek and Newman (BBN) Report #4799, entitled 'A History of the ARPANET: The First Decade', was first published in 1981 and details early ARPANET engineering. It is reproduced in the March 2015 issue of 'The Internet Protocol Journal' (Volume 18, Number 1). Download IPJ back issues and find subscription information at the Internet Protocol Journal.
FCC Denies Delay Requests, Net Neutrality Rules On The March →
Via Grant Gross, writing at PC World, comes news that the United States Federal Communications Commission has denied requests from a group of cable and telephony providers (the usual suspects) to slow the implementation of the Commission's Net Neutrality rules. This, my friends, is one commish we can all get behind (except, of course, the cable and telephony providers and their lobbyists).
NIST CSD, ITL, CPP Slated to Host 8th Cloud Computing Forum →
NIST's Computer Security Division (CSD), its Information Technology Laboratory (ITL) and the NIST Cloud Computing Program have announced that they will host the 8th Cloud Computing Forum and Workshop. Registration information can be viewed here. The announcement includes a Call for Abstracts, with the deadlines noted below:
- Abstract Submission Deadline: May 15, 2015
- Abstracts Review Deadline: June 1, 2015
- Presentation Submission Deadline: July 1, 2015
Interested? Download the 8th Cloud Computing Forum and Workshop Abstract Submission form; additional information resides here.
Alexander's Warning: Catastrophic Attacks on Energy Sector in the Offing
Via David Bisson, writing at Tripwire's State of Security blog, comes a particularly dire warning from Keith Alexander, General, U.S. Army (Retired), holder of a Bronze Star and the 16th Director of the United States National Security Agency, focusing on the security bulwarks of the embattled Energy Sector.
FCC Issues Net Neutrality Order Document →
The Federal Communications Commission has issued its codified order on Net Neutrality: FCC 15-24, in GN Docket Number 14-28, In the Matter of Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order. At over four hundred pages, this document will likely become one of the most contentious Orders to emerge from the Commission this year (or, given its sheer weight, the weapon of choice for conspiracy theorists).
FAA Systems Found Vulnerable to Attack, GAO Reports
News, via The Washington Post's Ashley Halsey III, of significant information security issues at the Federal Aviation Administration (FAA). The Government Accountability Office (GAO) has published a new report entitled "FAA Needs to Address Weaknesses in Air Traffic Control Systems", detailing significant shortcomings in the agency's capability to fend off electronic attacks.
The facts in the GAO report speak volumes: the FAA has failed to fully implement its planned agency-wide information security program. That failure is a tell-tale sign of questionable competency within the Agency's information security management, whose primary duty is protecting the National Airspace System (NAS), which should be a core competency of the FAA.
Time for a change at the FAA? Probably. However, foot-dragging is deeply systemic at the Agency; witness the multi-year effort to implement the FAA's Next Generation Air Transportation System (NextGen). Any change will most likely be accomplished over decades rather than single-digit years... After all, thirteen years after FISMA the Agency has still not implemented and deployed the mandated requirements, which is, in a word, astonishing.
Now, focusing on the issues, we turn to the challenges GAO identified at the FAA. The statement below is a direct excerpt from the published report. Read it, my fellow citizens, and weep.
"While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.
FAA also did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. However, FAA's implementation of its security program was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.
The weaknesses in FAA's security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information. FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.
Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk."
- via the United States Government Accountability Office report "FAA Needs to Address Weaknesses in Air Traffic Control Systems"
Creation, Beltway Style
Meanwhile, news of the creation of a new United States agency is brightening some security professionals' view of inter- and intra-government information sharing. Created in the likeness of the National Counterterrorism Center (itself created after 9/11 in the wake of information sharing failures within, and obviously between, the federal civilian government and the military), the Cyber Threat Intelligence Integration Center (CTIIC) will ostensibly function as the de facto repository for existing 'cyber' operations and intelligence facilities government-wide, and will facilitate information sharing and decision-making capabilities (more below).
"The CTIIC will focus on four priorities:
- Improving cyber defense, including widespread adoption of the NIST Cybersecurity Framework;
- Improving the ability to disrupt, respond to and recover from attacks;
- Enhancing international cooperation; and
- Making cyberspace intrinsically more secure, including eliminating passwords as the default security tool and enhancing consumer protection."
- via the Federal Times
Automotive Security, The Shaming
Via Wired's Andy Greenberg comes news of a United States Senate report detailing the answers 16 car makers gave to questions United States Senator Markey posed to them in 2014 about automotive vulnerabilities. Simply astounding.
ENISA, Threat Landscape 2014 Analysis
ENISA, the European Union Agency for Network and Information Security, has published its yearly Threat Landscape Report 2014 (PDF, 3,335 KB). Today's Must Read.
Government of Canada, Data From Canada Mandated To Remain In Canada →
Dr. Michael Geist (Law Professor at the University of Ottawa and the current holder of the Canada Research Chair in Internet and E-commerce Law) holds forth on current cloud cogitation up north (at least within the data confines of the Government of Canada / Gouvernement du Canada).