Defense.gov News Article: Intelligence Leaders Urge Congress to Act on Cyber Laws

Intelligence Leaders Urge Congress to Act on Cyber Laws

By Lisa Daniel
American Forces Press Service
WASHINGTON, Feb. 2, 2012 – The threat to U.S.-based computer networks is one of the country’s most pressing security problems, and Congress needs to act on it soon, the director of national intelligence told a congressional panel today.
James R. Clapper Jr. said he and all of the U.S. intelligence leadership agree the United States is in a type of cyber Cold War, losing some $300 billion annually to cyber-based corporate espionage, and sustaining daily intrusions against public systems controlling everything from major defense weapons systems and public air traffic to electricity and banking.
Clapper was joined by CIA Director David H. Petraeus, Defense Intelligence Agency Director Army Lt. Gen. Ronald L. Burgess Jr. and FBI Director Robert S. Mueller for a House Select Intelligence Committee hearing on worldwide threats. He urged lawmakers to pass a bill that forces intelligence sharing between the government and the private sector, such as the Defense Industrial Base pilot program that then-Deputy Defense Secretary William J. Lynn III launched last year.
“It’s clear from all that we’ve said – and I hope predictions about mass attacks don’t become a self-fulfilling prophecy – but we all recognize we need to do something,” he said.
Clapper also urged Congress to reauthorize the Foreign Intelligence Surveillance Act, which he called crucial to intelligence gathering. It expires this year.
The director said he foresees a cyber environment in which technologies continue to be fielded before effective security can be put in place. Among the greatest challenges in cyber security, he added, are knowing the perpetrator of a cyber attack in real time and capabilities gaps in the cyber supply chain – the entire set of key actors involved in the cyber infrastructure.
Mueller noted that the National Cyber Task Force includes 20 U.S. agencies, “so when a major intrusion happens, we’re all at the table.” The “breaking down of stovepipes” and sharing information in cyber security “is as important now as it was before 9/11,” he added.
The FBI director told the panel that 47 states have different reporting requirements for cyber attacks, and the private sector doesn’t have to report them at all. “If they’re not reported, we can’t prevent the next one from happening,” he said.
Mueller said the cyber threat is growing and is important to address. “I do believe cyber threats will equal or surpass the threat from terrorism in the near future,” he said.
Clapper agreed. “We all recognize this as a profound threat to this country, to its future, to its economy, to its very being,” he said. “We all recognize it, and we are committed to doing our best in defending the country.”


We’re Officially in the Age of CyberWarfare

We’re Officially in the Age of MalWar.

In the first week of June, NY Times reporter David E. Sanger published an article titled “How a Secret Cyberwar Program Worked.” This article was actually a sneak preview of David’s new book, which has now been released, titled “Confront and Conceal.” This claim was far from unbelievable, as many CyberSecurity professionals (myself included) had already guessed that the United States and/or Israel had to be behind the “Stuxnet” and the newfound “Flame” viruses.

What was unbelievable was that this was published at all, especially by a United States citizen. This borders on the line of treason and if it was 20 years ago, anyone reporting this to the world would have been called a traitor and brought up on federal charges. For the past few years, we have been living in a new age, the age of “CyberWarfare”.

Through Mr. Sanger, The New York Times revealed, in a report citing anonymous “sources” involved in the program, that two White House administrations and Israel collaborated to create the Stuxnet worm and deployed it to attack an Iranian nuclear facility. According to the Times, the operation dubbed “Olympic Games” began during the George W. Bush administration, when frustration over Iran’s developing nuclear program was at a fever pitch in 2006. The CIA had tried more traditional means of sabotaging Iran’s nuclear facility, attempting to get faulty and even booby-trapped parts set to explode into the facility, but with little success.

In the last few years of the Bush presidency, a bit of code called a beacon was developed and smuggled into the Iranian facility. Its job was to gather information on the SCADA computer systems, essentially creating an electronic map that would then be sent back to the National Security Agency. The beacon did its job and its findings, coupled with some follow-up research and experimentation in a joint effort between Washington and Israel, yielded the development of Stuxnet. The idea behind the worm was to infiltrate the systems that control centrifuges, which spin at high speeds to separate uranium molecules. The virus would vary the speeds of the spinning machines rapidly, speeding them up and slowing them down in quick succession until the delicate parts gave way under the stress.

Iran’s centrifuges first began spinning out of control for no apparent reason in 2008, but no damage was done. Bush left office and pressed the new President Obama to preserve “Olympic Games.” The 44th President took his predecessor’s advice and continued the operation. Stuxnet was designed to interact with the Siemens SCADA computer equipment that Iran was known to use in their “secret” uranium enrichment plants. (“SCADA” stands for Supervisory Control and Data Acquisition.)

In 2010, the worm escaped the confines of the Iranian plant, apparently on an engineer’s personal laptop. It soon began to propagate itself on the Internet, and when discovered by security researchers, it made worldwide headlines. Even with the cat out of the bag, Obama pressed on and shortly thereafter the worm took down nearly 1,000 centrifuges. Several years after President Bush had marked Iran in his infamous “Axis of Evil” State of the Union speech, the United States and Israel had launched a successful attack to do real (if only temporary) damage to the country’s infrastructure. The weapon started on a USB thumb drive and the ammunition was a chunk of code – the initial tools of CyberWarfare.

The main problem with Iran knowing who is behind the attack is of course the threat of retaliation. The threat of Cyber Retaliation is going to be a major problem because it doesn’t cost as much to write some malicious code as it does to strengthen a military. Iran has just created its own Computer Emergency Response Team, and it will not be long before it begins training and enlisting malicious coders to help it mount a retaliation.

CyberWarfare doesn’t just break down the importance of geographic boundaries; it also strips away the prominence of political boundaries and nation-states themselves. Just as terror networks driven by ideology rather than nationalism changed how we think about national and global security, CyberWarfare further decentralizes those threats. Fifteen years ago, the simplest way to launch a strike on Iran’s infrastructure (to say nothing of planning for Iran’s likely retaliation) might have involved a supersonic bomber taking off from a base in Missouri, dropping a payload and heading back home. The resources to pull off that single bomb run would have required many years, several big defense contracts and several billions in taxpayer dollars to create. That means that the barrier to entry for engaging in global warfare was pretty much restricted to nations. Now, in the age of MalWar, that bar has been lowered dramatically.

While worms like Stuxnet and the recently discovered Flame are believed to be so complex that they could only have been created with the backing of a large government, that won’t be true forever, and it may not even be true any longer as I write this, if it ever was.

In fact, as Data Center Pro and MIT’s Technology Review point out, hackers have already begun to learn from Stuxnet, and some of the worm’s code even showed up in TDL-4, the so-called “indestructible” zombie botnet. This means the confusing array of hacks, DDOSes and defacements perpetrated by Anonymous, AntiSec and other groups (if you can even call them that) with a dizzying variety of names, structures, associations and motives could be just the beginning.

Many of the world’s Industrial Control Systems like those Stuxnet infiltrated are woefully short on anti-virus and basic security protection, and the foundation for launching CyberWarfare on them is now loose in the wild. It may not be long until a now unknown group conducts an attack on a power plant to make a political statement, or takes down a sewage treatment plant.

(This article was based on a GroovyPost article by Eric Mack.)