Dan Lohrmann: November 2008 Archives

The Internet Security Alliance (ISAlliance) is proposing a new model for protecting and defending critical technology systems and information. These policy recommendations for the Obama Administration and the 111th Congress are called "The Cyber Security Social Contract."

In a 44-page document, the ISAlliance covers a broad range of issues ranging from defense to banking to higher education. The six-page executive summary includes the following items:

- Overview of The Problem

- Government Must Embrace Some Inconvenient Truths

- The Cyber Security Social Contract

  - Why the Internet is Different

  - Why the National Strategy is Not Working

  - Why the Regulatory Models Won't Work

  - The Good News - We Do Know What Works

  - Core Components of the Cyber Security Social Contract

I want to highlight the central piece of the Internet Security Alliance approach - the social contract. ISAlliance's model is based upon the agreement between government and the utilities in the early 20th century to provide phone, power and light service to Americans. Here's an excerpt:

"The utilities guaranteed to make the infrastructure upgrades necessary to provide universal service. In return, government essentially guaranteed a return on the required private investment economically sufficient to make the investments good business decisions. The utilities maintained the investments over time because they were also provided exclusive franchises for the service area."

The report goes on to describe why voluntary approaches and regulatory models are not working. The report offers several excellent solutions and lays out proposed government roles, business roles and incentives for businesses that implement best practices.

My response - I like the Internet Security Alliance proposal. We do need to move in this direction. I certainly encourage you to read their full report.

Although these recommendations are far-reaching, my only criticism is that they may not go far enough. We also need a social contract regarding cyber ethics with all Americans. The conduct of each person online is actually our weakest link. I offer an outline for a new national strategy on cyber ethics in the appendix of my book, Virtual Integrity. Just as we do for emergency preparedness, we must engage individuals, families, non-profits, K-12 schools - as well as universities, businesses and the others mentioned in this plan.

Bottom line: We do need to take bold action. This social contract is a good idea.

What are your thoughts?

The Pentagon has banned the use of computer flash drives, CDs, and other removable media, at least temporarily, because of a threat on Department of Defense (DoD) networks.

According to Federal Computer Week (FCW), "The virus is a variation of a three-year-old worm called SillyFDC which spreads by copying itself from one piece of removable media to another. When plugged into another computer the virus will automatically download code from another location."
The Associated Press and other news organizations reported that, "...Messages were sent to department employees informing them of new restrictions. As part of the ban, the Pentagon was collecting any of the small flash drives that were purchased or provided by the department workers...."

Fox News offered this video update, which described the serious nature of the attack.

This situation raises the wider question of portable media. While these devices have long been barred from classified networks, some government organizations around the globe ban all USB use by staff. Examining the pros and cons associated with turning off USB drives can lead to an interesting dialogue.

Basically, the decision comes down to ease of use and customer satisfaction versus the serious security threat posed by a loss of sensitive data. In addition, this DoD case highlights the virus threat that portable media can carry from one machine to another.

So what does your organization do? Are USB ports enabled on PCs and laptops?


Global Spam Levels Drop

Global spam levels dropped dramatically after McColo, a northern California hosting company, was cut off on November 11.

Some experts estimated that McColo hosted the machines responsible for 75% of the global junk email traffic sent. The relief is expected to be temporary for those trying to stop the unwanted email, since other servers will likely be found to send out the spam.

The story was covered by numerous sources including the Washington Post, which initially broke the story. Here's an excerpt:

"Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography."

Others who covered the story included BBC News and ComputerWorld.

The BBC reported, "Anti-spam firm Ironport has seen junk mail levels drop by 70% since McColo was taken offline on 11 November.... A recent study by computer scientists from the University of California, Berkeley and UC, San Diego (UCSD) found that spammers manage to turn a profit despite only getting one response to every 12.5m emails they send."

It will be very interesting to see whether the amount of spam sent returns to previous levels - and how fast it happens. In Michigan, we have seen a steady increase in the amount of email we block over the past few years. We were blocking over 90% of incoming email due to spam or viruses, but I'll let you know if that number drops significantly in coming months.

What did you see happening last week? Did spam numbers drop in your enterprise?


The historic political events of the past week have brought the importance of Internet security back to a front-and-center story. As Newsweek and Government Technology Magazine reported, both the Obama and McCain campaigns were hacked by a foreign party. Here's an excerpt from the Newsweek article Hackers and Spending Sprees:

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus--a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised.

According to Newsweek, the Feds assured the Obama campaign that the cyber attack did not come from his political opponents. Meanwhile, a top McCain official confirmed that their computers had also been hacked.

But to end the story there would be an injustice to the importance of recent events. The London Times offered a fascinating analysis of President-elect Obama's use of the Internet during the campaign.

Under the Tech section with the title, Is the YouTube-isation of politics a good thing? (note the English use an "s" rather than our "z"), the article describes the importance of the Internet as reported from a Web 2.0 Summit in San Francisco. On the panel, Arianna Huffington, who founded the Huffington Post, reportedly said, "Were it not for the Internet, Obama would not be president."

The panelists went on to describe how YouTube and the wider Internet have changed everything in political expectations. The panelists also brought up the digital divide and those in society who don't have Internet access and don't participate online.

A related post-election question is: How will the Internet be used differently in a President Obama administration?

Again the London Times offered some early insights with their article Barack Obama: master of the web shares his night of triumph with the world. The article gives a behind-the-scenes look at his election night triumph. It also describes how quickly his new transition website was launched at change.gov, which encourages supporters to: "Share your story and your ideas, and be part of bringing positive, lasting change to this country."

The website continues a tactic Mr Obama employed to such brilliant effect during his campaign: making people feel they have a stake in his strategy while simultaneously galvanising an army of supporters and new donors, who were kept in almost daily contact with the campaign through e-mails and text messages.

Will President Obama be remembered as the first "Internet President"? Time will tell. He certainly appears to be the first President who will use Web 2.0 technologies to reach out directly to millions of Americans and bypass the media with his instant messages.

No matter which side you are on, politics will never be the same. Cyberspace will now play a central role for elections at all levels of government. Elected officials will follow the President-elect's model.

My view: cyber security is no longer a side show. We are now on center stage - even in politics.

What's your view?


The government of Australia, long known as a leader in digital government, has announced an ambitious project that is getting plenty of global attention. Arguing that the porn problem has reached epidemic levels in society and is hurting families, a "Family First" government program is being initiated which sets mandatory new filtering guidelines for ISPs.

Arstechnica.com said it this way, "Liberal democracies aren't generally pleased with massive state-run mandatory Internet filtering schemes, but Australia's government is plowing ahead with just such a project...."

"Family First would consider a mandatory ISP-based filtering system that protects children by blocking illegal content like child pornography, but allows adults to opt out of filtering to access material classified R18+ or less," said the party.

While many groups have lined up against the program and call this censorship, the government argues that parental responsibility simply isn't workable and that children are finding damaging material online.

A related article, published back in August 2007 by Arstechnica.com, announced the $189 million (Australian) anti-porn tech initiative. According to that article,

"Approximately $89 million will be used to establish Australia's National Filter Scheme, which will impose burdensome filtering requirements on ISPs and provide Australian citizens with free* access to PC-based Internet filtering software. The filtering systems will leverage the Australian Communications and Media Authority's official Blacklist, which is based on the country's National Classification Scheme. According to a statement issued on Friday by communications minister Helen Coonan, the Australian Communications and Media Authority is also evaluating plans to extend the Blacklist to include 'terrorism and cyber-crime sites upon prescription by the Attorney-General.'"

Arguments against the program are made on the basis of degraded Internet performance and limits on the free speech of adults. And yet, it is hard to argue with the Australian government's assertion that this "illegal content" problem is now out of control in cyberspace. The challenge becomes defining what content is illegal with current technology without blocking content which is legal for adults.

ABC News in Australia offered commentary by Michael Meloni on the high price of internet filtering and the need to focus on children. Here's a quote:

"To provide a safer environment for children online we need to focus on areas posing a real threat to young Australians like cyber-bullying, identity theft and online predators. Filtering does nothing to reduce these risks. Just like we educate children about staying safe outside, we need to educate them about staying safe online. Walk them through it just like we'd walk them to the park. If that means educating parents unfamiliar with the Internet as well, then let's do it."

While it would be inappropriate for me to take sides on this effort as CISO in Michigan, I understand the sense of urgency. No doubt, the free speech advocates have great points against limiting the freedoms of adults in society, but it is also government's responsibility to protect its citizens against crime. The challenge becomes how far governments can and should go to restrict adults, fight predators or help children.

There are entire books on the history of this topic in America, including the Children's Online Protection Act of 1998 (which includes action required by the states), the Children's Internet Protection Act (CIPA) of 2000, and related actions taken by the courts.

So why do I put this information about Australia in an American magazine? These same issues are still very real in the USA. New questions come up every day about the government's role at the federal or state level. I expect this topic to get much more attention here in 2009 and beyond than it did in 2008. The debate here has been somewhat delayed, due to the election campaign and the economy.

What are your thoughts?