NextGov
Tech Insider
What's happening in the federal IT community

Security

Security vs. Privacy? It Need Not Be So
By Bruce McConnell  |  Wednesday, May 14, 2008 |  10:15 PM

Fifteen years ago, cartoonist Peter Steiner drew two dogs sitting in front of a computer, one saying to the other, "On the Internet, nobody knows you're a dog." This iconic adage, cute in its day, is now a warning.

Criminal, terrorist and nation-state cyberattacks against banks, technology companies, online merchants, individuals and government agencies cost the U.S. economy $400 billion annually, focused most often on stealing business and military secrets, and personal data.

In cyberspace, not knowing for sure what person or device is on the other end of the line has serious downsides. It erodes overall trust, limits users' ability to secure their own systems, hinders effective governmental response, and causes organizations to collect more personal data than they really need.

Continue reading "Security vs. Privacy? It Need Not Be So" »


What's TSA's Definition of a Security Threat?
By Allan Holmes  |  Tuesday, May 13, 2008 |  1:01 PM

The New York Times reported today that the Transportation Security Administration sent a letter to at least four graduate students at MIT informing them that the agency turned down their request for an identification card to work at the nation’s ports. The letters noted the students were “security threats.”

The students had applied for a so-called Transportation Worker Identification Credential, or TWIC, card, a program the federal government created after 9/11 to tighten security at the nation’s ports. The deployment of TWIC has been delayed for months for numerous reasons.

The Times article cites two cases, one involving a German student, the other a British student. In the rejection letters, John Busch, who is identified as a security administration official, wrote, “I have determined that you pose a security threat.”

Continue reading "What's TSA's Definition of a Security Threat?" »


Microsoft Bypasses Windows Security -- for the Law
By Allan Holmes  |  Tuesday, April 29, 2008 |  5:23 PM

Computer forensics is becoming more important to law enforcement agents as criminals use computers to commit crime. Microsoft has made it easier for officers to get that information off a computer by providing, for free, a USB thumb drive that can bypass all Windows security programs. "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime," according to an article published by the Seattle Times. "It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." Microsoft first distributed the thumb drives last year and now more than 2,000 officers in 15 countries are using them.

As expected, privacy experts and techies aren’t too keen on this development.

Hat tip: Slashdot



Slipping It Under the Radar
By Allan Holmes  |  Thursday, April 24, 2008 |  5:34 PM

The following item was posted by Jill R. Aitoro.

The Office of Management and Budget has long touted the value of transparency in government. So explain this:

OMB released a report today on progress in implementation of Homeland Security Presidential Directive 12, or HSPD 12, which requires agencies to issue biometrically enabled credentials to all employees and contractors to replace standard flash badges. In that report, the total number of employees and contractors that will receive the badges was more than double what OMB reported only six months ago. OMB now reports that 4.3 million employees and 1.2 million contractors require new cards, compared to 1.9 million federal employees and 591,358 contractors, as reported in October 2007.

That change likely explains another anomaly. Ninety-seven percent of federal employees and 79 percent of contractors could not have completed the required background checks, as reported in October, because the latest report states that only 59 percent and 42 percent respectively have done so.

What’s the explanation for such a drastic difference? OMB opted not to provide one in a briefing on the latest numbers; in fact, the change in the numbers wasn’t even mentioned. When asked later, a spokeswoman attributed the undercount to faulty data. “We have better and more complete data now than we had previously,” she said.



Security vs. Privacy is Nonsensical
By Andy Boots  |  Wednesday, April 23, 2008 |  10:40 AM

Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.

So how does FedWorld see this topic? With no subtlety at all, of course.

Continue reading "Security vs. Privacy is Nonsensical" »


At War, In Secret
By Bruce McConnell  |  Thursday, March 20, 2008 |  5:00 PM

According to senior officials inside and outside the national security establishment, the Nation is at war in cyberspace.

This war, like many things in cyberspace, confounds traditional boundaries. It is occurring in part on U.S. soil, where many of the attacked public and private sector computers are located. While some attacks are coming from foreign powers, others are from terrorist groups, and still others come from organized crime. Often the identity and intent of the attackers is unclear.

As Samuel Adams said in 1768, “Even when there is a necessity of military power, within the land . . . a wise and prudent people will always have a watchful & jealous eye over it.” Indeed, it is longstanding policy in this country that the military not be used to enforce the law on U.S. soil, except in major emergencies. This division between national security and civilian law enforcement activities is maintained in electronic surveillance as well. It colors the current FISA extension debate.

Few observers believe these divisions work in cyberspace. Yet there is no clear vision of how to proceed while guarding the underlying principles. For that reason, this matter deserves a considered public conversation. While a national cyber security initiative is necessary and timely, the secrecy surrounding the Administration’s program does not serve the Nation's long term interest.

Former Defense Secretary Robert McNamara said, speaking of Vietnam, "We failed to draw Congress and the American people into a full and frank discussion and debate of the pros and cons of a large-scale military involvement . . . before we initiated the action." We still have the opportunity to avoid that mistake in cyberspace.



IPv6, Yesterday's News?
By Mary Ellen Condon  |  Sunday, March 16, 2008 |  10:45 PM

Is IPv6 yesterday's news? Or is it? Are organizations integrating the functionality promised by IPv6 into the infrastructure of the organization? What is the level of commitment to incorporating the functionality of IPv6 to provide the enhanced security and information protection that is necessary as information sharing and information dissemination become the norm?

Is the there, there to obtain the long term focus to transition an organization from IPv4 to IPV6?
Has your organization started the journey?



FDA and Rethinking Medical Device Approvals
By Robert Charette  |  Wednesday, March 12, 2008 |  9:04 PM

There was an interesting story in today's Boston Globe. It appears that there are significant security gaps in "implanted devices that help regulate heartbeats and use wireless technology."

Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center in FDA who led a research project into medical device security risks, says in the story:

"With some technical expertise, we were able to retrieve information from the device [built by Medtronic] in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."

While Maisel says not to worry, that the technical expertise required to hack these devices is very high, how long do you think it will be before hackers actually are able to replicate what Maisel and his team of researchers were able to do?

Of course, medical device manufacturers like Medtronic don't really have to worry too much. Given the recent Supreme Court ruling on Class III medical devices, all they have to do is to add the risk to their warning label, get the FDA to approve it, and they are immune if their devices get hacked.



Feds Forget the "I" and "A" in Security's C-I-A
By Andy Boots  |  Tuesday, March 11, 2008 |  9:23 AM

Most of us who have taught information security at one time or another have relied on the C-I-A mnemonic to help our students think of the multiple dimensions of information security. Confidentiality, Integrity and Availability are well understood to be the ways one should view the task of information protection.

But well over 90 percent of FedWorld dialogue about security of the U.S. government enterprise is about confidentiality – preventing unauthorized access to sensitive information – though the other two aspects are arguably more important.

Continue reading "Feds Forget the "I" and "A" in Security's C-I-A" »


Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.

Continue reading "Citizens' Privacy at 'High Risk'" »


Legitimizing Data Theft
By Robert Charette  |  Wednesday, February 27, 2008 |  4:49 PM

There are reports that the IRS as well as tax authorities in other countries including Canada, Germany, Australia, Italy, Sweden, Spain, the United Kingdom, and New Zealand have purchased stolen information detailing confidential bank accounts in Liechtenstein. Liechtenstein has very strict banking privacy laws, and it is seen by all the above countries as a safe haven for tax evaders. The country, which is a tiny principality next to Switzerland, is one of three countries (Andorra and Monaco being the other two) listed by the Organization for Economic Cooperation and Development as being "uncooperative tax havens."

How did the countries get this information? In one news report, it was said that, "Heinrich Kieber, a 42-year-old computer expert, offered the information for sale to several countries, including Germany, which paid about $6.3-million for it. (Mr. Kieber is said to be hiding in Australia under a new identity.)"

Continue reading "Legitimizing Data Theft" »


Caring About Your Personal Information - Not
By Robert Charette  |  Tuesday, February 26, 2008 |  7:16 PM

As noted on Government Executive's Web site, the Government Accountability Office has found that only two federal agencies -- the Treasury and Transportation departments -- have been able to demonstrate that they have implemented the guidance the Office of Management and Budget issued in 2006 and 2007 reiterating governmental agency responsibilities under the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Management Act of 2002. OMB's guidance drew particular attention to agency security and privacy requirements associated with personally identifiable information. Some 18 agencies met the guidance to some degree, while two -- the Small Business Administration and the National Science Foundation -- didn't meet any of the guidance.

I am so glad to see federal agencies care so much about your or my personal information.

OMB reissued the guidance two years ago in the wake of the many data breaches then occurring throughout government, but especially those that happened at the Veterans Affairs Department.



Standardizing & Improving Security -- An Oxymoron for Our Times
By Andy Boots  |  Tuesday, February 26, 2008 |  8:57 AM

In the ironically-labeled memorandum M-07-11 (feeling lucky?), officials at the Office of Management and Budget say that adopting standardized configurations for Windows desktops in federal agencies will somehow create a situation in which “[i]nformation is more secure, overall network performance is improved, and overall operating costs are lower.” Each of these claims is questionable, but the essential truth is that standardizing desktop configurations will have tiny security impacts, will entail enormous unfunded costs and will potentially make federal networks less secure.

This is not to say that configuration management practices in the federal government are beyond reproach, but we need to admit a few realities:

Continue reading "Standardizing & Improving Security -- An Oxymoron for Our Times" »


Airport Security as Theatre
By Andy Boots  |  Tuesday, February 26, 2008 |  6:38 AM

Yesterday's Greenpeace Heathrow protesters reminded us that governments are working hard at the magician's trick of redirection: "Everyone pay careful attention to the long lines, uniformed attendants and electronic technology at the passenger-screening station. Pay no attention to the unlocked/unmonitored doors and gates that provide direct access to the aircraft." Also see Bruce Schneier on this topic. Bruce also spotted this, which should really give you pause.



FISMA: Wrong Approach to Information Security
By Andy Boots  |  Friday, February 22, 2008 |  11:08 AM

When the Congress attempts to regulate behavior or dictate outcomes within or beyond the republic, it has few effective tools for direct control. Making an activity illegal does not stop the activity; it just changes the risk-reward calculus for anyone contemplating such an act. Rewarding certain economic choices with favorable tax treatment nudges the economy in certain directions (not always those wished for by the tax tinkerers).

The Federal Information Security Management Act (FISMA) is a wonderful example of Congress and the executive branch using blunt tools to bludgeon reality into a new path. The problem is clear: FedWorld doesn’t do a world class job of protecting sensitive information on either side of the Potomac. But the congressional response was to institute annual reporting, to empower (but not fund) inspectors general to provide independent assessments of the basis of such reports and to empower (but not fund) the National Institute of Standards and Technology (NIST) to develop standards for non-classified information.

Continue reading "FISMA: Wrong Approach to Information Security" »


How Important is Personal Information?
By Andy Boots  |  Friday, February 22, 2008 |  11:06 AM

On a scale of importance, where would you rank the following: taxpayer personal information, plans for weapons systems, pre-decisional legal or enforcement deliberations, names of informants in this or other countries, results of drug trials, pre-award procurement information, blueprints of government facilities, schedules of surprise enforcement actions (immigration, food safety, etc.), unpublished minutes of the Federal Reserve Board Open Market Committee, and official travel schedules of government officials in countries with active terrorist cells?

Because I am a government annuitant and a participant in various federal health benefit programs, you can bet I am concerned that the Office of Personnel Management and its contractors maintain the highest standards in protecting personal, banking, and health information about me and my family. But it is clear to me that other government information is worthy of even higher standards of protection.

Apparently, in FedWorld, personal information must be far more important than any other type of data, because protection of personal information appears to be the sole focus of attempts to "fix" the Federal Information Security Management Act (FISMA).

Then I remember that none of the other information types vote, so every elected official is elbowing others on the way to the microphone to proclaim his dedication to privacy principles … and the Office of Management and Budget is standing in line at the microphone to announce a new reporting requirement.

Billy Graham used to have a fellow who traveled everywhere with him whose sole responsibility was to detect when the Rev. Graham was getting carried away with himself or his mission and yell "bullsh**." I believe the U.S. government needs just such a person to keep the legislative and executive branches focused on protecting our most precious assets (including information). I would volunteer but the ceaseless shouting would be more than my aged body could stand.



Introduction to Andy Boots' Blog
By Andy Boots  |  Friday, February 22, 2008 |  11:03 AM

Since retiring from the federal government in 2007, I have watched with a mixture of alarm and amusement as the Office of Management and Budget, Congress, the National Institute of Standards and Technology, the inspectors general, the Government Accountability Office and agencies have continued to miss the point of information and mission assurance while enriching consultants and printer manufacturers by producing mountains of increasingly meaningless paperwork.

I intend to bring to readers’ attention various issues I believe deserve more critical thinking than is typically available in the federal enterprise (which I will henceforth call FedWorld).

I also believe:

• Information protection is better than security plans
• Privacy protection is better than privacy plans or impact statements
• Intrusion prevention beats the pants off intrusion detection
• Personnel security has almost nothing to do with HSPD-12
• Cybersecurity is only marginally related to information security
• … and so on.

Please remember my point of view before you comment on something I’ve written by chiding me that the Federal Information Security Management Act (FISMA) has it otherwise, that OMB guidance points in another direction, or that an IG will write me up. I no longer live in FedWorld so those customs and folk beliefs seem quaint.



The Cyber Initiative
By Bruce McConnell  |  Thursday, February 14, 2008 |  4:42 PM

Recently I had the privilege of talking about computer security at a hearing before two subcommittees of the House Committee on Oversight and Government Reform.

My principal focus was the Bush administration’s new "Cyber Initiative."

On Jan. 8, President Bush issued a new National Security/Homeland Security Directive. This order establishes a comprehensive, national cybersecurity initiative. Little is known publicly about the details of this national security order, because it is still classified. But it shows that information security is receiving serious attention at the highest levels of the executive branch. I believe this is good news.

The order creates an expanded role for the National Security Agency in protecting civilian agency systems. This raises some significant policy questions, such as, "How best can the government maintain and build trust with the private sector to promote computer security?"

For more on this topic, you can read my earlier post.



Today's House FISMA Hearing (HR 4791)
By Ari Schwartz  |  Thursday, February 14, 2008 |  3:52 PM

Kudos to fellow blogger Bruce McConnell on his testimony, which raises legitimate procedural questions about National Security Presidential Directive 54/ Homeland Security Presidential Directive 23 on cybersecurity. He also calls for a more detailed review of the Privacy Act.
