It’s been studied for months to issue an Executive Order for Cybersecurity on information sharing of cybersecurity threats between companies. It’s been talked about for years. It’s a pressing issue that with high-level attacks going on targeting critical infrastructures, that information sharing between companies is important. President Barack Obama agrees that this should take effect.
One core problem in information sharing is that data on new threats to security and other cybercrime attacks need to be shared when it happens rather than in the middle of an attack. Usually, some companies will provide some info to other companies, but put it on low priority where the other company (on the receiving end) receive it too late to do anything about it.
As we reported back in late December, 46 US House of Representatives Republicans joined in a letter (PDF) to urge President Barack Obama not to issue the executive order on cybersecurity. The letter of urgency, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalist (Louisiana) was aimed at helping to reduce the amount of government involvement in cyberwar, in hopes not to stir rages with hackers and other pests.
However, if companies don’t band together to help defeat the cybersecurity problems scattering aggressively on the Internet, then every normal internet user will be doing some information and credit card sharing, which could cause money to be robbed out of the pockets of millions of people everyday. But, with this Executive Order, at least companies can share information about cybersecurity threats and prevent people from being robbed, and clean up the situations of data and identity theft.
As we reported late last month, critical infrastructure vulnerabilities are getting out of hand.
“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.
“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.
With this information paired with the Department of Defense wanting more cybersecurity workers, the state of National Security will improve along with cybersecurity.
According to Wired Magazine Online, The order, which runs eight pages (.pdf), directs the Attorney General’s office, the office of Homeland Security Secretary Janet Napolitano and the Director of National Intelligence to issue instructions to their agencies that would “ensure the timely production of unclassified reports of cyberthreats to the U.S. homeland that identify a specific targeted entity” to Congress and also develop a program for providing “classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure,” according to the document.
With the government wanting to expand operations to handle critical infrastructure vulnerabilities implementing more workers, to expediting security clearances, they have this to say in the Order:
“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
Some worry about this order, and hope this is the right thing to do.
“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats,” Republican Representative Michael McCaul, of Texas, said in a statement.
“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” ACLU legislative counsel Michelle Richardson said in a statement. “Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.”
We’ll see the state of the internet security landscape as time goes on, as this is just the beginning. In efforts to see this thing through, congress will be keeping a close eye on this issue, and perhaps start adding other measures to support it.
The sharing of information on threats and attacks between government agencies and companies in the private sector has been tried numerous times and in many different ways over the last decade, with varying degrees of success. The need for information flowing in both directions likely is more pressing than ever right now, with high-level attacks targeting critical infrastructure systems and utilities every day, but much of that data in the government realm remains classified and few enterprises are eager to reveal details, either. As the attacks continue, officials say there may be a need for a new mechanism to get the information flowing.
One of the main problems when it comes to information sharing programs is that the data on new threats and attacks needs to be shared as the attacks are happening, and that’s difficult to accomplish. In the middle of an attack, security teams and incident-response groups are concerned with stopping the attack, discovering what systems have been compromised and determining whether any data was stolen. Packaging up the information on what happened, even if it’s readily accessible, and making it available for others is typically a low priority.
Read more on ThreatPost
- Hopes for federal cybersecurity standards fading (pcadvisor.co.uk)
- White House orders spy agencies to share cyberthreat intel with companies (nbcnews.com)
- DOD Seeks Ways to Streamline Information Sharing (defense.gov)
The US Department of Homeland Security is warning about vulnerabilities in a common SCADA (supervisory control and data acquisition) package that is used to remotely monitor and manage solar energy-generating power plants.
The DHS’s ICS-CERT issued an advisory on Wednesday that exploit code was circulating on the internet for security holes affecting the Italian vendor Sinapsi’s eSolar Light Photovoltaic System Monitor.
The eSolar Light Photovoltaic System Monitor is a SCADA product that allows solar power stations to simultaneously monitor different components of photovoltaic arrays, such as photovoltaic inverters, energy meters, gauges and so on.
ICS-CERT said in its advisory that the vulnerabilities, if successfully exploited, could allow attackers to remotely connect to the management server, “executing remote code, possibly affecting the availability and integrity of the device.”
General information pulled from the blog on Naked Security:
- Hackers pwn the sun – Exploit code released for software used to manage solar energy plants (nakedsecurity.sophos.com)
The cybersecurity bill discussed in congress earlier this Spring is now revised with newer details. The revision to the originally democratic bill is more based on disallowing the government to absolutely standardize new cybersecurity bills. The idea is for those with critical infrastructured networks get fully secure (as required). The new SECURE IT bill restricts the government from retaining and using information about cyberthreats.
According to Computer World: SECURE IT, backed by Sens. John McCain (R-Ariz.), Kay Bailey Hutchison (R-Texas), Chuck Grassley (R-Iowa), Saxby Chambliss (R-Ga.), Lisa Murkowski (R-Alaska), Dan Coats (R-Ind.), Ron Johnson (R-Wis.), and Richard Burr (R-N.C.), will allow companies to legally share real-time cyberthreat information from their networks with other industry stakeholders, law enforcement agents and government officials.
The restriction of the use of such information about cyberthreats is to help combat the ability of hackers from discovering the information and getting quicker revision time for their threats.
The mere investment in to tools to combat cybersecurity threats is crucial to American infrastructure, and infrastructure all around the world even!
The biggest deal is watching how cyberthreat information is shared. Programs like CISPA are not going to function very well. Which means cyberthreat information should be held between private parties for a temporary time, and once a mitigation is made, destroy the data.
Corporate and government systems are not immune to cyberattacks by hackers.