Chairman Rockefeller Remarks on Rockefeller-Snowe Cybersecurity Act

By admin | Mar 25, 2010

We need a new concept of security in the 21st century. We are in uncharted territory in the Information Age.

Our country is well-suited to meet this challenge – America is a country of pioneers and innovators.

Securing cyberspace is a new challenge. It is different from virtually every other security threat that we have faced in our history, and therefore we need a very different solution.

We have to pull together, like the pioneers did, and navigate this uncharted territory – and we have to do it together. We will have to do this with unprecedented proactive teamwork and collaboration between the government and the private sector.

The approach we are proposing is not a 20th century framework of “government regulation” – it is a new paradigm for the future.

For centuries, security has meant governments protecting their citizens within national borders.

This basic concept of government-provided security has remained in effect throughout American history, through all of our wars, hot and cold. Even now, 10 years into a new century with new and very different threats, we are still relying on the old approach to security: that the government alone is responsible to protect us from all threats.

The problem is that this model simply doesn’t work in cyberspace. Nearly 90 percent of critical infrastructure is owned and operated by the private sector.

The government can’t protect our citizens, or our critical infrastructure, on its own.

And private companies cannot protect themselves on their own.

Our future is literally being stolen from us with the theft of intellectual property and proprietary information from U.S. companies and innovators.

The status quo is not sustainable. We need a new model for the 21st century.

The Rockefeller-Snowe bill provides that new model – giving the government, private companies and private citizens the collaborative responsibility and authority to defend our country in a world where borders do not exist.

This collaboration and engagement between government and private sector on cybersecurity needs to be proactive and constant. It cannot be reactive and disjointed.

That goes for promoting innovation and best practices, professional development and education, emergency preparedness and response, public awareness, and virtually every other aspect of cybersecurity.

It is no longer government alone protecting the country; it’s all of us together.

Our approach is very different from traditional regulation because it gives the private sector unprecedented influence – and responsibility – in determining how our country defends itself.

It is better to act now than to wait to act after a cyber-emergency. We need the private sector to meet this challenge with bold and visionary leadership.

We know that concerns remain about some specific aspects of this bill, and Senator Snowe and I will continue to work with stakeholders and experts as we move forward.

We must emphasize that our core principle is not going to change: we need a new framework where private sector and government are on the same team, tactically and strategically.

They cannot just act in response to a government grant or contract, subpoena or regulation – but instead, they must act as an integral day-to-day and year-to-year part of 21st century business and national security plans and operations.

This bill will help to make that happen.

Rockefeller and Snowe Gain Momentum for Landmark Cybersecurity Act

By admin | Mar 25, 2010

Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe (R-ME), a senior member of the committee, issued the following statements today after the Commerce Committee favorably reported out the Rockefeller-Snowe Cybersecurity Act.

“Our future is literally being stolen from us. Cyber attacks and hackers are at work raiding property and proprietary information from U.S. companies and innovators,” said Chairman Rockefeller. “The status quo is not sustainable. We need a new model for the 21st century. We must secure America’s critical networks, innovation and competitiveness in the global market. The Rockefeller-Snowe Cybersecurity Act provides a framework for a fundamentally new approach to combating cyber attacks. Today, we took another big step in moving this enormously important legislation forward.”

“It is simply undeniable that cyber intrusions and attacks represent both a potential national security and economic catastrophe as our vital information infrastructure – nearly 90 percent of it – is owned and operated by the private sector,” said Senator Snowe. “Without adequate cooperation between the public and private sectors to protect our critical infrastructure information systems – our strategic national assets – we risk a cyber-calamity of epic proportions with devastating implications for our nation. Our initiative, which is the culmination of a year’s worth of consultation and input from across the spectrum, streamlines cybersecurity-related functions and clarifies the responsibilities of government and private sector stakeholders.”

6th Annual GFIRST National Conference, August 15-20, 2010, JW Marriott San Antonio, Hill Country, TX

By admin | Mar 24, 2010

The 6th Annual GFIRST National Conference will be held August 15-20, 2010 at JW Marriott San Antonio, Hill Country, Texas. With an increasingly complex, evolving threat landscape to protect, a secure infrastructure is more important than ever. Regardless of the sector you work in, it is critical to understand the threat landscape to build an effective incident management and coordination capability that can accommodate applicable legal and policy issues and initiatives. You can shape an effective response capability to manage tomorrow’s risks in cyberspace - starting here.

GFIRST6: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace.

What is GFIRST?
GFIRST is a group of technical and tactical practitioners from incident response and security response teams responsible for securing government information technology systems and providing private sector support. GFIRST members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices across government agencies. GFIRST promotes cooperation among the full range of Federal, State and local agencies, including defense, civilian, intelligence, and law enforcement.

GFIRST6 Session Tracks:
Policy / Government
Provides attendees with an understanding of national-level cybersecurity policy and initiatives, as well as DHS-specific initiatives. In addition, provides the opportunity for US-CERT federal, state, and local partners to discuss their activities and efforts to manage cyber risk.

Threat Landscape
Allows participants the opportunity to discuss shifts in the evolving threat landscape, from widespread and unfocused Internet worms to targeted attacks aimed at specific organizations and individuals.

Incident Management
Allows participants to talk about best practices and efforts within the Incident Management lifecycle, including preparation, detection / analysis, and response / recovery.

Coordination
Offers attendees the opportunity to re-think traditional relationships among cyber authorities, while redefining necessary alliances to secure cyberspace.

Legal / Law
Aims to educate attendees on legal issues related to the use of communication, transactional, and distributive aspects of networked information devices and technologies.

There are many reasons to attend the GFIRST Conference:

  • Networking with top information security professionals and government officials.
  • Hearing expert speakers discuss the latest in cyber security news and trends as seen by government agencies, law enforcement, private sector and academia.
  • Participating in information-sharing groups on topics such as collaboration methods and incident response practices.
  • Continuing professional growth with industry peers and keeping abreast of the newest issues, trends, preemptive measures and case studies.

The GFIRST Conference is open to all interested in learning more about cyber security and incident response. GFIRST is a great place for public and private sector leaders serving in non-technical roles to become familiar with the fundamentals of cyber security and incident response. GFIRST is also an excellent resource for practitioners in incident response and information security from the public and private sectors.

U.S. Cybersecurity Bill Targets Industry Wide Cooperation

By admin | Mar 18, 2010

The Rockefeller-Snowe Cybersecurity Act provides a framework for engagement and collaboration between the private sector and government on cybersecurity, while protecting civil liberties, proprietary rights, and confidential and classified information. The bill will:

  • Significantly raise the priority of cybersecurity throughout the federal government and streamline cybersecurity-related government functions, authorities and laws.
  • Protect civil liberties, intellectual property and business proprietary information.
  • Promote cybersecurity public awareness, education, and research and development.
  • Foster market-driven cybersecurity innovation and creativity to develop long-term technology solutions and train the next generation of cybersecurity professionals.

The legislation is the culmination of a year’s worth of consultation and input from cybersecurity experts in the private sector, government and civil liberties community. The bill is scheduled to be marked up on March 24, 2010.

The latest draft of comprehensive, bipartisan cybersecurity legislation to address U.S. vulnerabilities to cyber crime, global cyber espionage, and cyber attacks was released yesterday.

“The Rockefeller-Snowe initiative seeks to bring new high-level governmental attention to developing a fully integrated, thoroughly coordinated public-private partnership,” said Senator Snowe. “It is imperative that the public and private sectors marshal our collective forces in a collaborative and complementary manner to confront this urgent threat.”

“The networks that American families and businesses rely on for basic day-to-day activities are being hacked and attacked every day. At this very moment, sophisticated cyber enemies are trying to steal our identities, our money, our business innovations, and our national security secrets,” said Chairman Rockefeller. “This 21st century threat calls for a robust 21st century response from our government, our private sector and our citizens. Private companies and the government must work together to protect our nation, our networks and our way of life from the growing cyber threat.”

Rockefeller-Snowe Cybersecurity Act - Bill Summary Cybersecurity Act of 2009 Bill Summary
Rockefeller-Snowe Cybersecurity Act - Bill Language Cybersecurity Act of 2009 Bill Language

U.S. Government Pours Money Into Cyber Security Technologies and R&D

By admin | Mar 12, 2010

The U.S. Government is pouring money into cyber security technologies and R&D, creating a new set of business opportunities for cyber security technology vendors. These are the conclusions of a recently updated market study, U.S. Federal Cybersecurity Market Forecast 2010-2015.

At the hearing of the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, “More Security, Less Waste: What Makes Sense for our Federal Cyber Defense”, Senator John McCain said:

“The federal government relies heavily on complicated information systems for day-to-day operations. The risks posed to these systems have never been higher. Cybercrime and cyber espionage are on the rise. Indeed, nation-states seek to exploit our government networks, to steal sensitive intelligence or intellectual property for military and industrial advantage.”

“Recognizing these threats, the federal government is spending billions of dollars on information technology security each year. OMB estimates 6.2 billion was spent in fiscal year 2008 alone, nearly 10% of the entire cost of the federal IT investment portfolio.”

With a cumulative market valued at $55 billion (2010-2015), the U.S. Federal Cybersecurity market will grow steadily, at about 6.2% CAGR over the next six years, according to the forecasts of a new quantitative landmark report, “U.S. Federal Cybersecurity Market Forecast 2010-2015”. The report provides:

  • Federal cyber security market by technologies and R&D;
  • Federal cyber security market by software, hardware, software services, personnel training;
  • Cybersecurity market segments by investment type (National Security Systems, Mission Area Support, Infrastructure/Office Automation/Telecommunications, Enterprise Architecture and Planning);
  • Six-year detailed forecast for the period 2010-2015;
  • Agency-by-agency detailed forecasts for both defense and civilian sectors.

Cyber Defense Competition, March 11-13, 2010, Columbia, Maryland

By admin | Mar 11, 2010

The 5th Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) will take place in the SAIC Conference Center in Columbia, Md., March 11-13. Students will compete against cyber attackers attempting to disrupt and compromise computer networks. Science Applications International Corporation (SAIC) sponsors the competition.

Cyber crime is a persistent and growing threat. According to the U.S. Department of Defense, there will be a significant shortfall in the types of scientists, engineers and mathematicians needed to maintain a strong defense. The CCDC helps address this challenge.

“Defense of our cyber infrastructure is imperative, and competitions such as the CCDC provide students with an exciting and challenging introduction to careers in science, technology, and engineering,” said Larry Cox, SAIC senior vice president and business unit general manager. “Since SAIC is a science and engineering company, we are committed to promoting technical disciplines to future generations.”

During the competition, students will compete against a “Red Team” responsible for conducting offensive operations against the defending student teams. Members of the Red Team are traditionally professional penetration testers or students of offensive network warfare. The competition focuses on the operational aspects of managing and protecting an existing network infrastructure. Student teams are scored based on their ability to detect and respond to outside threats; maintain availability of existing services such as email servers; respond to business requests; and balance security needs against business needs.

UK’s Cyberdefence Infrastructure Lags Behind U.S. Cousins

By admin | Mar 11, 2010

In June 2009 the UK announced its Cyber Security Strategy for the first time. The Cyber Security Strategy sets out the U.K. Government’s plans to establish two new organisations, both of which will be established in September 2009 and will be operational by the end of March 2010:

  • An Office of Cyber Security (OCS) to provide strategic leadership for and coherence across Government. The OCS will establish and oversee a cross-government programme to address priority areas in pursuit of the UK’s strategic cyber security objectives.
  • A Cyber Security Operations Centre (CSOC) that will bring together existing functions: to actively monitor the health of cyber space and co-ordinate incident response; to enable better understanding of attacks against UK networks and users; and to provide better advice and information about the risks to business and the public.

According to a parliamentary answer from Baroness Crawley, the Cyber Security Operations Centre (CSOC), based near GCHQ in Cheltenham, is delayed by lack of staff:

“The Office of Cyber Security (OCS) is allocated £130,000 funding for FY 09-10, while the Cyber Security Operations Centre (CSOC) has not been allocated a budget for this fiscal year. OCS and CSOC staff costs are being borne by parent departments, with IT set-up costs being borne by a combination of the Cabinet Office (OCS) and GCHQ (CSOC), as host organisation, as well as contributing agencies. The OCS is predicted to have 18 personnel allocated by early 2010. CSOC expects to have a staff of 19 by 10 March (the centre’s initial operating capability—or IOC—date).”

Facing Thorny Road to Secure Cyber Space

By admin | Mar 10, 2010

In a report, Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative, the US Government Accountability Office concludes that the US government is still far from reaching the goals of a secure cyber space.

GAO was asked to determine:

  • what actions have been taken to develop interagency mechanisms to plan and coordinate CNCI activities;
  • what challenges CNCI faces in achieving its objectives related to securing federal information systems.

The Comprehensive National Cybersecurity Initiative (CNCI) was established by President Bush in 2008 in response to the ongoing threats to federal systems and operations posed by cyber attacks. This initiative consists of a set of projects aimed at reducing vulnerabilities, protecting against intrusions, and anticipating future threats.

GAO reviewed CNCI plans, policies, and other documentation and interviewed officials at the Office of Management and Budget (OMB), Department of Homeland Security, and the Office of the Director of National Intelligence (ODNI), among other agencies. GAO also reviewed studies examining aspects of federal cybersecurity and interviewed recognized cybersecurity experts.

The White House and federal agencies have taken steps to plan and coordinate CNCI activities by establishing several interagency working groups. These include:

  • the National Cyber Study Group, which carried out initial brainstorming and information-gathering for the establishment of the initiative;
  • the Communications Security and Cyber Policy Coordinating Committee, which presented final plans to the President and coordinated initial implementation activities;
  • and the Joint Interagency Cyber Task Force, which serves as the focal point for monitoring and coordinating projects and enabling the participation of both intelligence-community and nonintelligence-community agencies.

These groups have used a combination of status meetings and other reporting mechanisms to track implementation of projects.

CNCI faces several challenges in meeting its objectives:

  1. Defining roles and responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies.
  2. Establishing measures of effectiveness. The initiative has not yet developed measures of its effectiveness in meeting its goals. While federal agencies have begun to develop effectiveness measures for information security, these have not been applied to the initiative.
  3. Establishing an appropriate level of transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public.
  4. Reaching agreement on the scope of educational efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative, or remain focused on the federal cyber workforce.

Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems.

The federal government also faces strategic challenges beyond the scope of CNCI in securing federal information systems:

  • Coordinating actions with international entities. The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing.
  • Strategically addressing identity management and authentication. Authenticating the identities of persons or systems seeking to access federal systems remains a significant governmentwide challenge. However, the federal government is still lacking a fully developed plan for implementation of identity management and authentication efforts.

Meanwhile, the cyber security market is booming, according to a Market Research Media report.

Cyber Security and Information Intelligence Research Workshop, April 21-23, 2010, Oak Ridge, Tennessee

By admin | Mar 8, 2010

The Annual Cyber Security and Information Intelligence Research Workshop [CSIIRW] will be held April 21-23, 2010 at Oak Ridge National Laboratory in Oak Ridge, TN. The aim of this workshop is to introduce and discuss novel theoretical and empirical research focused on the many different aspects of software security / dependability; the heart of the cyber infrastructure is software.

Topics:

  • Scalable trustworthy systems
  • Enterprise-level metrics
  • Coping with insider and life-cycle threats
  • Coping with malware and polymorphism
  • Phishing/whaling, spam and cyber crime
  • High assurance system survivability
  • Cyber security for the Smart Grid
  • Digital provenance and data integrity
  • Privacy-aware security and usable security
  • Social networking models for managing trust and security

Role-Based Training for IT Security, March 23-25, 2010, Bethesda, Md.

By admin | Mar 5, 2010

The National Institute of Standards and Technology (NIST) and the Federal Information Systems Security Educators’ Association (FISSEA) are co-hosting FISSEA’s 23rd annual conference Role-Based Training for IT Security March 23-25, 2010, at the Natcher Conference Center at the National Institutes of Health in Bethesda, Md.

“Unraveling the Enigma of Role-Based Training” is designed for information systems security professionals from government, industry or academia who are trainers, developers, educators, managers, supervisors or researchers involved with information systems security awareness, training, education and certification. In the context of information security, role-based training provides individuals with the knowledge and skills needed for the security functions they perform.

Two tracks will be offered: “Role-based Training” and “Security Awareness Training and Education.” Attendees will learn more about role-based training and its implementation, new techniques for developing and conducting Awareness and Training programs, updated cyber-security initiatives, opportunities to network with the federal cybersecurity training community, and professional development.
