Verizon's annual Data Breach Investigations Report, the survey of cyber-threat trends that security experts cite each year, is out this week. Its big message? Low-tech threats pose the biggest risks by far.
Of the 621 confirmed data breaches (successful cyber-attacks) that Verizon's security team and 19 partner organizations investigated around the world in 2012, 99 percent were relatively unsophisticated. In fact, 78 percent of all intrusions used methods the report rates as requiring low or "very low" skill, meaning that "the average [computer] user could have done it" or that the attackers simply ran hacking tools downloaded from the web.
It's also worth pointing out that the assets compromised in these breaches were still mostly traditional computing equipment: ATMs (30 percent), desktop computers (25 percent), file servers (22 percent), and laptops (22 percent). Web applications accounted for only 10 percent of compromised assets, according to Verizon. (A single breach can involve more than one asset, so the figures don't sum to 100.)
About 75 percent of attacks were motivated by financial gain, while 19 percent were espionage cases attributed to state-affiliated hackers. The vast majority -- 76 percent -- of network intrusions exploited weak or stolen passwords. (Hmm, does this sound familiar?) As the report's executive summary states, "If you want to see how widely available hacking tools have become, do a web search for ‘password cracker.'"
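To show why weak passwords need so little skill to exploit, and why the same wordlist gets far less traction against properly stored passwords, here is an added example (not code from the Verizon report or from any cracking tool). It constructs a fake leak of three unsalted SHA-1 hashes and a six-word stand-in for a real wordlist, runs a dictionary attack against them, and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2. The usernames, passwords and wordlist are invented for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample (not from the Verizon report): three accounts whose
# passwords we pretend leaked as unsalted SHA-1 hashes, the kind of dump a
# downloaded "password cracker" chews through in seconds.
SAMPLE_PASSWORDS = {
    "alice": "Password1",        # weak: in every wordlist
    "bob":   "letmein",          # weak
    "carol": "x7!Qm2#vLp9$wR",   # strong: not in the wordlist
}
LEAKED_SHA1 = {user: hashlib.sha1(pw.encode()).hexdigest()
               for user, pw in SAMPLE_PASSWORDS.items()}

# Stand-in for the multi-million-entry wordlists that ship with cracking tools.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "welcome"]

def crack_unsalted(hashes, wordlist):
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    looked up against every account at the same time, so the cost is
    O(len(wordlist)) no matter how many users leaked."""
    by_hash = {h: user for user, h in hashes.items()}
    cracked = {}
    for candidate in wordlist:
        digest = hashlib.sha1(candidate.encode()).hexdigest()
        if digest in by_hash:
            cracked[by_hash[digest]] = candidate
    return cracked

def store_pbkdf2(password, iterations=100_000):
    """How the same passwords should have been stored: a per-user random salt
    and a deliberately slow, iterated hash. Returns (salt, iterations, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_pbkdf2(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def crack_pbkdf2(records, wordlist):
    """The same dictionary attack against salted, iterated hashes: the salt
    forces a separate computation per account, and each one is slow by design.
    Weak passwords still fall; they just cost the attacker far more per guess."""
    cracked = {}
    for user, record in records.items():
        for candidate in wordlist:
            if verify_pbkdf2(candidate, record):
                cracked[user] = candidate
                break
    return cracked

def compare(iterations=100_000):
    """Run both attacks; return (unsalted_result, unsalted_seconds,
    pbkdf2_result, pbkdf2_seconds)."""
    t0 = time.perf_counter()
    fast = crack_unsalted(LEAKED_SHA1, WORDLIST)
    t1 = time.perf_counter()
    records = {u: store_pbkdf2(p, iterations) for u, p in SAMPLE_PASSWORDS.items()}
    t2 = time.perf_counter()
    slow = crack_pbkdf2(records, WORDLIST)
    t3 = time.perf_counter()
    return fast, t1 - t0, slow, t3 - t2

if __name__ == "__main__":
    fast, fast_s, slow, slow_s = compare()
    print(f"unsalted SHA-1: cracked {fast} in {fast_s:.4f}s")
    print(f"salted PBKDF2:  cracked {slow} in {slow_s:.2f}s")
```

Both runs recover alice's and bob's passwords and fail on carol's; the difference is that the unsalted dump falls in microseconds while the PBKDF2 records take thousands of times longer per guess, which is the margin a password policy and a proper hashing scheme buy you against the "very low" skill attacker the report describes.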
So, who were the victims that Verizon's researchers studied? Thirty-seven percent were financial firms, 24 percent were retail or restaurants, 20 percent were manufacturing, transportation and utilities firms, and 20 percent were professional services providers.
Who was doing the attacking?
"The majority of financially motivated incidents we looked at originated in the U.S. or Eastern Europe - particularly Romania, Bulgaria and the Russian Federation," reads the report's executive summary. "Espionage cases were predominantly attributable to East Asia. But the attacks that we studied happened to companies all around the world."
The report goes on to explain that three-quarters of all espionage cases targeted manufacturing, transportation and professional services industries. This makes plenty of sense. As Killer Apps has reported before, hackers are interested in stealing intellectual property from professional services providers such as law firms and learning about the business secrets and processes used by Western manufacturing firms and aerospace companies.
Of the espionage cases, 95 percent relied on some form of email phishing: "Even the most targeted and malicious attacks often rely on relatively simple techniques," the report states.
Still, phishing attacks "have become much more sophisticated, often targeting specific individuals (spear phishing) and using tactics that are harder for IT to control. For example, now that people are suspicious of email, phishers are using phone calls and social networking."
(This last line should come as no surprise to anyone with a Twitter account. Who hasn't received the "Check out this awful thing people are saying about you here" tweet?)
Meanwhile, the report's authors insist that the oft-repeated dictum that a company's employees constitute its greatest cyber-threat is not accurate. "Contrary to popular belief, 86 percent of the attacks do not involve employees or other insiders at all. Of the 14 percent that do, it's often lax internal practices that make gaining access easier than you expect."
Specifically, more than half of the employees who committed cyber-sabotage took advantage of "old accounts or backdoors that weren't disabled" after they left their companies. And 70 percent of IP theft cases committed by employees took place within 30 days of the employee announcing his or her resignation.
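Both findings translate into a routine check: cross the HR leavers feed against the directory, and flag enabled accounts whose owner has already left, accounts that have gone unused for months, and accounts of people inside their notice period. The script below is an added example, not code from the report or from any vendor; the CSV columns and the two sample feeds are invented for it, and a real run would read an HR export and an AD/LDAP dump instead.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not from the report). In practice HR_SEPARATIONS
# would be the HR system's leavers feed and DIRECTORY an AD/LDAP export; the
# column names are assumptions for this example.
HR_SEPARATIONS_CSV = """employee_id,name,last_day
1001,Dana Reyes,2013-03-15
1002,Sam Okafor,2013-04-10
1005,Lee Park,2013-05-10
"""

DIRECTORY_CSV = """account,owner_employee_id,enabled,last_logon,kind
dreyes,1001,true,2013-04-12,user
svc-backup,1001,true,2012-11-02,service
sokafor,1002,false,2013-04-09,user
jlee,1003,true,2012-12-20,user
mchen,1004,true,2013-04-15,user
lpark,1005,true,2013-04-22,user
"""

AS_OF = date(2013, 4, 23)           # date the audit runs
DORMANT_AFTER = timedelta(days=90)  # no logon for this long -> dormant
NOTICE_WINDOW = timedelta(days=30)  # the report's 30-day pre-departure window

def find_risky_accounts(hr_csv, dir_csv, as_of=AS_OF):
    """Return (account, category, detail) tuples for:
    orphaned  - enabled account whose owner has already left
    departing - owner's last day falls within NOTICE_WINDOW; watch data access
    dormant   - enabled account with no logon for DORMANT_AFTER or longer"""
    separated = {r["employee_id"]: (r["name"], date.fromisoformat(r["last_day"]))
                 for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for r in csv.DictReader(io.StringIO(dir_csv)):
        if r["enabled"].strip().lower() != "true":
            continue  # a disabled account is the outcome we want; nothing to flag
        acct, owner = r["account"], r["owner_employee_id"]
        last_logon = date.fromisoformat(r["last_logon"])
        if owner in separated:
            name, last_day = separated[owner]
            if last_day < as_of:
                detail = f"{r['kind']} account still enabled; {name} left {last_day}"
                if last_logon > last_day:
                    detail += f"; used after departure on {last_logon}"
                findings.append((acct, "orphaned", detail))
            elif last_day - as_of <= NOTICE_WINDOW:
                findings.append((acct, "departing",
                                 f"{name} leaves {last_day}; heightened monitoring"))
        if as_of - last_logon >= DORMANT_AFTER:
            findings.append((acct, "dormant", f"no logon since {last_logon}"))
    return findings

if __name__ == "__main__":
    for acct, category, detail in find_risky_accounts(HR_SEPARATIONS_CSV, DIRECTORY_CSV):
        print(f"{category:9} {acct:12} {detail}")
```

On the sample data the service account owned by a departed employee is the interesting hit: it is both orphaned and dormant, which is exactly the kind of forgotten credential the report calls a backdoor. The "used after departure" detail on the personal account is the finding that should go straight to incident response rather than to a cleanup ticket.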
The report repeats over and over again that attackers are going after targets of opportunity. Basically, cybercriminals don't need to employ highly-advanced hacking tools because the victims make it easy for the attackers to get in.
Given all the news reports citing British, French, and Israeli officials saying that chemical weapons may have been used in Syria we thought we'd give you an updated version of what we know about Bashar al-Assad's stockpile of chemical agents and their delivery systems.
The U.S. Intelligence Community's 2013 Worldwide Threat Assessment, released last month, states that Syria has a "highly active chemical weapons program" maintaining a stockpile of sarin, VX, and the longtime staple of chemical warfare, mustard gas. These weapons can be delivered a number of ways, from cluster bombs dropped by jets and helicopters to chemical warheads atop Scud ballistic missiles. They can even be fired from shorter-range artillery guns or rocket systems like the Soviet-made BM-27 Uragan.
In addition to chemical weapons, the Intelligence Community's report states that it's likely the regime has biological weapons, albeit without dedicated delivery systems.
"Based on the duration of Syria's longstanding biological warfare (BW) program, we judge that some elements of the program may have advanced beyond the research and development stage and may be capable of limited agent production," reads the threat assessment. "Syria is not known to have successfully weaponized biological agents in an effective delivery system, but it possesses conventional and chemical weapon systems that could be modified for biological agent delivery."
The Assad regime may well improvise with delivery systems as its weapons stockpiles are run down by the war. Remember, we've seen Syrian air force personnel pushing "barrel bombs" lit via cigarettes from the cargo doors of helicopters onto Syrian cities.
The recent reports about the Assad regime's possible use of chemical weapons do not provide information on the types of delivery systems used.
While we've reported that Western officials have stated that securing Syrian weapons of mass destruction (WMDs) would be an incredibly complicated operation, it's worth noting that NATO has deployed counter-WMD teams in the region for months, in an attempt to figure out how to secure Syria's stockpile in the event that the regime loses control of them.
Last week, it was revealed that the U.S. is sending about 100 soldiers to Jordan to establish an Army headquarters unit there -- a possible precursor to a larger buildup of forces that may move to secure the WMD. FP's Situation Report quoted a U.S. defense official as saying that the troops are "a well-trained, well-coordinated team that can be the nucleus of further mission planning and growth of the command and control element, should that be ordered."
But, as Charles Blair, a specialist on WMD proliferation with the Federation of American Scientists points out, there are no rock-solid public estimates of the size of Assad's arsenal.
"Any open source assessments of a Syrian BW program -- and its notional size and composition -- are purely hypothetical," Blair told Killer Apps in an email.
Last year, Chairman of the Joint Chiefs of Staff, Army Gen. Martin Dempsey, told lawmakers that the size of Assad's chemical weapons arsenal was "100 times the magnitude we experienced in Libya." (The Libyan government voluntarily destroyed most of its chemical weapons well before Muammar al-Qaddafi was overthrown in 2011.)
"I've heard that Syria has 100 to 200 missiles with nerve agents loaded and ready to go, but that seems extreme," Blair told us last summer.
However, he did point out today that Assad may have doubled down on his bio-weapons program in the wake of the 2007 Israeli airstrike that leveled one of his main nuclear research facilities at al-Kibar.
"We know that when Libya finally concluded that sophisticated chemical agents (i.e., nerve agents) were a bridge too far, they abandoned their CW pursuits and doubled down on their nuclear program (until abandoning that too in 2003)," wrote Blair. "Does this portend anything for Syria's BW program? Perhaps, if the 2007 Israeli destruction of Syria's clandestine nuclear reactor in September 2007 precipitated Damascus to double down on its BW program."
In addition to traditional chemical weapons, Blair says there are unconfirmed reports of Iranian transfers of riot control agents (RCAs) or "incapacitating agents" that have been used against the Syrian rebels.
"The Syrians have undoubtedly used RCAs and/or incapacitants but there are no open source credible estimates of the quantities Damascus might possess of these non-lethal agents," said Blair today.
As for the possibility that the weapons have fallen into rebel hands, Blair said, "to my knowledge there are no credible open source reports of any chemical agents or weaponized chemical munitions transferring hands."
Still, "no one in the open sources knows anything for certain about Syria's lethal CW arsenal and alleged offensive BW capabilities," he added.
This is interesting. An April 2013 report by the Defense Science Board says that arcane safety procedures are actually making some aspects of the way the Air Force handles its nuclear weapons more dangerous.
Perhaps the best example: nuclear weapons maintainers aren't allowed to use the hoists designed to lift B-61 nuclear bombs onto Weapons Maintenance Trucks because "the end of the bolt [securing the hoist to the truck] is flush with the outer surface of the nut while technical data require that two threads show beyond the surface of the nut," reads the report. This condition has existed since the trucks were introduced 22 years ago and has caused no problems, yet the Air Force recently barred units from using the hoists because they fail to meet the technical safety specification. The result?
"An awkward process entailing the use of a forklift to move the weapon into the truck and the manhandling of the 200-pound tail section," states the report. The document goes on to describe the workaround as a procedure "that by any informed judgment, impose[s] far greater safety risk than that presented by the deficiency in the bolt length."
Apparently, new bolts are supposed to be on their way and a whole new truck is expected to enter service around 2015.
The report goes on to cite a number of smaller examples in which the service's "zero defect" mentality toward the rules and regulations governing everything associated with its nuclear weapons, combined with old equipment, is harming its ability to perform what it says is one of its most important missions. It goes on to slam the Air Force's Personnel Reliability Program (PRP) -- meant to ensure that airmen involved in nuclear-related activities are fit for the job -- as overly bureaucratic, with guidelines so strict the report describes them as "ludicrous."
"At one base, the PRP inspectors from [Air Force Global Strike Command] declared it a major finding that the dimensions of the red status identification stickers [that identify a person's medical status] were 1.5 inches rather than the prescribed 2 inches," reads the report. "One medical group commander, referring to the bureaucratic excesses stated: ‘administrative paperwork and chasing regulations are the focus of PRP rather than serving the airmen on PRP to ensure they are ready to perform their jobs'."
In something that sounds straight out of Catch-22, the PRP requires airmen who need to go off base for a routine dental visit to have their certification to work on nukes temporarily revoked, because some medical flaw could, in theory, be discovered during the visit that would disqualify them from working in the service's so-called nuclear enterprise.
For example, an off-base dental appointment to have an annual examination or a routine filling requires suspension until the individual proves upon return that there was no cause. While the system declares there is no stigma with suspension, the individual must physically visit the medical facility upon return (at a specified time in some wings) and cannot perform his work until this administrative process is accomplished. Individuals who care a great deal about their work team know that there is no cause for suspension and feel they are forced to let their team down for no reason. It can take three to five days to return to work when the eventual determination is that there was no cause for concern. This also requires the time and attention of medical technicians, doctors, and certifying officials.
We can't make that stuff up.
"Much of the risk assessment conducted across the Air Force nuclear enterprise has little to do with performance, safety, and security risk to accomplishing the missions," reads a memo from the board's chairman, Paul Kaminski, which accompanies the report. "Decisions to avoid very small technical risk result in far greater risk to personnel to perform essential nuclear related-tasks."
The report is one of several published over the last few years assessing the Air Force's progress in revamping its nuclear weapons-related activities. A 2007 incident in which nuclear-tipped cruise missiles were mistakenly flown across the country and left unaccounted for and unguarded for more than a day, and the 2008 revelation that Air Force nuclear triggers had been mistakenly shipped to Taiwan, led to the firings of then-Air Force Secretary Michael Wynne and then-Chief of Staff Gen. T. Michael Moseley, and to the creation of a new command, Global Strike Command, to oversee the service's fleets of ICBMs and nuclear bombers.
Retired Air Force Gen. Larry Welch, now chair of DOD's Permanent Task Force on Nuclear Weapons Surety, notes that the Air Force has "implemented extraordinary measures" that have been largely successful in restoring the "high standards of professionalism and discipline" to the nuclear enterprise.
Still, the service needs to "provide faster and broader material evidence that the mission is indeed treated as Job 1 (or even as first priority behind the demands of ongoing combat operations)," reads a memo by Welch that accompanies the report. This can be accomplished by refurbishing dilapidated facilities, purchasing basic new equipment (such as the maintenance trucks described above), and developing more intelligent ways to enforce performance standards, states the report.
CISPA isn't the only piece of cyber-security legislation that passed the House this week.
The Federal Information Security Management Act of 2013 updates the 2002 version of the federal IT security law, known as FISMA, by requiring government agencies to continuously monitor their computer networks for threats.
Right now, FISMA requires government agencies to evaluate cyber-threats and vulnerabilities only once a year. Yours truly can't tell you how many times I've heard cybersecurity experts say the current version of FISMA does nothing to stop fast-paced cyber threats; it's merely an exercise in checking off boxes.
As a statement released this week by Rep. Jim Langevin, co-chair of the Congressional Cyber Caucus, says, "While the annual reports currently mandated under FISMA are supposed to give government executives overall insight into security management of their networks, this does not provide the minute-by-minute view into network security that is needed."
"It's just an out of date and slow process for examining security of government networks," a House staffer told Killer Apps. The new version of FISMA would mandate "continuous monitoring of networks and provide regular threat assessments."
Here's an excerpt from the Library of Congress' official summary of FISMA 2013, explaining the change in the reporting procedures:
Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)
Directs agencies to collaborate with OMB [the Office of Management and Budget] and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.
The House also passed the Cybersecurity Enhancement Act, which requires the National Science Foundation, the National Institute of Standards and Technology, and "other key federal agencies" to develop a strategic plan for federal cybersecurity research and development work, with a focus on securing industrial-control systems and developing advanced protections for personal information online. (Remember, the Stuxnet worm that destroyed thousands of Iranian uranium-enrichment centrifuges targeted the machines' industrial-control computers.)
The second bill also calls for the establishment of a "Scholarship for Service" program meant to cultivate a highly-skilled government cybersecurity workforce, and it requires the president to send a report to Congress on the government's current and future cybersecurity workforce needs.
The Cyber Intelligence Sharing and Protection Act, better known as CISPA, just passed the House by a vote of 288 to 127. Meanwhile, the Senate is working on crafting its own bill aimed at facilitating information-sharing on cyber-threats.
"We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement," Senate intelligence committee chair Dianne Feinstein wrote in an email to Killer Apps.
Remember, CISPA allows private businesses to share "cyber-threat information" with each other and government agencies, including the military.
Earlier this week, the White House threatened to veto CISPA unless it was amended to require that information businesses share with the government go through a civilian agency, such as the Department of Homeland Security, before being passed to any military organization, such as the National Security Agency. The White House also wants to narrow the liability protections given to businesses that improperly disclose personal information or commit antitrust violations while sharing information with each other or the government.
"The version of CISPA that just passed the House floor includes an amendment that encourages, but doesn't require businesses to share cyber threat information with DHS instead of the military," a Hill staffer told Killer Apps.
Another amendment bans the U.S. government from using information gathered under the auspices of the bill to target a U.S. citizen for surveillance. Another one "reconfirms" that "the federal government may not use library records, book sales records, customer lists, firearms sales records, tax returns, educational and medical records that it receives under CISPA," said the staffer.
Last week, the House intelligence committee removed language from the bill that would have allowed companies to collect and share information for "national security" purposes. Privacy advocates who oppose CISPA claimed using the broad term "national security" would allow the government to spy on people online without a warrant. The committee also added an amendment requiring that information shared with the government be scrubbed of all personal information.
Still, these amendments weren't enough to satisfy privacy advocates such as the ACLU. Here's what Michelle Richardson, one of the ACLU's lawyers, said after the bill passed today.
CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information. We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information. Cybersecurity can be done without sacrificing Americans' privacy online.
The big questions that remain are whether the White House still opposes CISPA and whether the Democratic-controlled Senate will let CISPA's language survive the conference process. So far, the White House has remained mum on today's news.
Last year's White House-backed Cybersecurity Act of 2012, sponsored by Sen. Susan Collins and then-Sen. Joe Lieberman, failed to pass the Senate because Republicans objected to the bill's call for minimum cyber-security standards for certain banks, energy firms, communications providers, transport companies, and other so-called critical infrastructure providers.
In February, the White House issued an executive order directing the government to share intelligence on cyber-threats with businesses and calling for a voluntary framework of baseline best practices for critical-infrastructure providers.
This didn't take long. Cyber criminals have begun exploiting the Boston Marathon bombings to spread malware.
That's right, hackers are sending out spam email with "Boston Marathon Explosion" in the subject line, according to a brand new FBI warning. The email contains a link to a website showing a series of photos of the attack site. At the bottom of the page is a video that doesn't load; instead it redirects the browser to "the Red Exploit Kit," according to the warning.
FP staffers have actually received several similar emails titled "2 Explosions at Boston Marathon" and "Texas Plant Explosion".
The Red Exploit Kit is a recently developed hacking tool that probes a visitor's browser and its plugins for known security vulnerabilities and uses whichever one it finds to push malicious software onto the machine. "Once an exploit has been successful, the user sees a popup asking them to download a file, at which time the malware is downloaded," the warning says.
Once in, the hackers may look for personal information about their victims, according to the FBI. Personal information could include anything from bank account numbers to website passwords.
The FBI's announcement goes on to warn against fake charity Twitter accounts soliciting donations for victims of the attacks: "According to various reports, a Twitter account was created soon after the explosions that resembled a legitimate Boston Marathon account. Allegedly, for every tweet received to the account a dollar would be donated to the Boston Marathon victims."
The warning goes on to say that, while that account has been suspended, other fraudulent accounts may be set up. "The FBI was made aware of at least 125 questionable domains registered within hours of the Boston Marathon Explosions. Though the intentions of the registrants are unknown, domains have emerged following other disasters for fraudulent purposes."
Here are the FBI's recommendations for avoiding marathon bombing-related online scams.
Individuals can limit exposure to cyber criminals by taking the following preventative actions when using email and social networking Web sites.
- Messages may contain pictures, videos, and other attachments designed to infect your computer with malware. Do not agree to download software to view content.
- Links appearing as legitimate sites (example: fbi.gov) could be hyperlinked to direct victims to another Web site when clicked. These sites may be designed to infect your computer with malware or solicit personal information. Do not follow a link to a Web site; go directly to the Web site by entering the legitimate site's URL.
Individuals can also limit exposure to cyber criminals by taking the following preventative actions when receiving solicitations from, or donating to, charitable organizations online.
- Verify the existence and legitimacy of organizations by conducting research and visiting official Web sites. Be skeptical of charity names similar to but not exactly the same as reputable charities.
- Do not allow others to make the donation on your behalf. Donation-themed messages may also contain links to Web sites designed to solicit personal information, which is routed to a cyber criminal.
- Make donations securely by using debit/credit card or write a check made out to the specific charity. Be skeptical of making donations via money transfer services as legitimate charities do not normally solicit donations using this method of payment.
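The two technical tells in the FBI's advice (a disaster-themed lure and a link whose visible text names one site while its href goes somewhere else) can be checked mechanically before a message reaches an inbox. The script below is an added example, not code from the FBI warning or from any mail-filtering product. It pulls every anchor out of an HTML body, compares the host the link text shows against the host the href actually points to, flags raw-IP links, and notes lure words in the subject; the three sample messages and the domains in them are constructed for the example, and 198.51.100.23 is a documentation address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line lures of the kind the FBI warning describes. A hit here is a
# reason to look harder, not proof of malice: real news alerts use these words too.
LURE_PATTERNS = [r"\bexplosions?\b", r"\bboston marathon\b", r"\bvictims?\b",
                 r"\bdonat(e|ion)s?\b", r"\bbreaking\b"]

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Host of a URL or bare domain, lower-cased, minus a leading www."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)
IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def analyse(message):
    """message: {"subject": str, "html": str}. Returns (verdict, findings).
    verdict is "suspicious" when a link's visible text names one site but the
    href goes elsewhere, or when the href is a raw IP; otherwise "clean".
    A lure subject alone is recorded as a finding but does not change the verdict."""
    findings = []
    subject = message["subject"]
    if any(re.search(p, subject, re.I) for p in LURE_PATTERNS):
        findings.append(f"lure subject: {subject!r}")
    parser = LinkExtractor()
    parser.feed(message["html"])
    link_hits = 0
    for href, text in parser.links:
        target = host_of(href)
        if IP_LITERAL.fullmatch(target):
            findings.append(f"link to raw IP {target}")
            link_hits += 1
        if URL_LIKE.fullmatch(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
            link_hits += 1
    return ("suspicious" if link_hits else "clean"), findings

# Constructed sample messages; 198.51.100.0/24 is a documentation range.
SAMPLES = [
    {"subject": "2 Explosions at Boston Marathon",
     "html": '<p>Photos: <a href="http://198.51.100.23/boston/">http://www.cnn.com/boston</a></p>'},
    {"subject": "Help the Boston Marathon victims",
     "html": '<p>Give at <a href="http://donate-relief.example.net/">www.redcross.org</a></p>'},
    {"subject": "Team lunch Friday",
     "html": '<p>See <a href="https://www.example.org/menu">the menu</a>.</p>'},
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict, findings = analyse(m)
        print(verdict, m["subject"], findings)
```

The verdict deliberately rests on the link evidence rather than the subject, because the day after a bombing every legitimate news digest carries the same words; what a legitimate sender never does is show one domain in the link text and send you to another.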
Investigators sifting through the flood of cellphone, surveillance camera, and TV footage of Monday's bombings at the Boston Marathon are being aided by technology similar to the software that the military has used to collect intelligence about IED attacks in Iraq and Afghanistan.
"There's a different twist to it this time. The different twist is the increased degree of crowd-sourcing if you will, in terms of providing information. You have many, many more sensors in the context of people with video devices in their smartphones," said retired Lt. Gen. David Deptula, who was in charge of the Air Force's intelligence efforts from 2006 to 2010. "You had many, many more collectors than we had in the past."
The amount of video and photo documentation of the marathon attacks may be unprecedented, so how do you sift through all that data quickly to find clues? Software, naturally.
As ABC News reported, investigators from the FBI's Operational Technology Division are likely using a computer program that can do things like recognize faces in a crowd if they match those listed in a criminal database. This is similar to the software that the military has been developing for years in an effort to quickly glean information from UAV videos.
As the U.S. military flocked to the skies of Iraq and Afghanistan with all manner of camera-equipped spy-planes, intelligence officials soon realized they were collecting far more footage -- thousands of hours a day -- than human beings could sort through in time to use the information it contained. The military turned to tech companies to produce software capable of quickly identifying certain things analysts were looking for -- say, a red Toyota pickup truck that had been seen at a bombing site.
"There are software programs that are out there that allow one to rapidly search through that information and key in on what the investigators may find of interest," said Deptula. "Exponential growth is not hyperbole when it comes to motion imagery, much less still imagery, because we've had an explosion in that kind of information. As the information [available] has grown, people have moved from human analytic teams to more automated means to sift through all that data."
"Let's say somebody reported that they saw somebody that was Caucasian, with a yellow sweatshirt, with powder burns on their hands running away before the explosion -- that's a hypothetical -- you could tell the software to look for a yellow sweatshirt, Caucasian running before a certain period of time," said Brian Cunningham, a former White House security official and now a senior advisor to the Chertoff Group who works with firms that develop this kind of software. New York City and London both have massive video surveillance systems that use similar software.
Still, another homeland security consultant who wished to remain anonymous tells Killer Apps that it might not be that easy. First of all, Boston doesn't have a massive, centralized video camera system the way New York does. Many of the images will come from people's phones and other private cameras, meaning that investigators will probably have to receive and review each photo and film clip individually.
"There are some automated tools that exist for this type of thing, but for the most part it's just a very labor-intensive process to go through things and try to correlate and sequence things in time and look for suspicious activity and then try to build a profile for how somebody's moving around," said the former DHS official. "There are capabilities like in London and lower New York where they can follow a person who is of concern as they walk from camera to camera. When you're dealing with public-source information it's just a different process."
Cunningham agrees that while the Boston Police Department or the FBI has the software capable of identifying a particular person or bag as they appear in the mountains of video, investigators still face the challenge of uploading all that footage so the software can analyze it. "The biggest challenge will be: how do you upload that volume of video onto a single server or a couple of servers that can be searched against?" he said.
Investigators have identified two people they want to talk to in connection with the Boston bombing. But, Cunningham said, "It's not clear yet whether it was good old-fashioned shoe leather as much as analytic software."
He explained how the process could work: "You'd figure out where the devices were, and while you had street cops out interviewing people and collecting video of cellphones and you would go to fixed cameras in department stores or ATMs and pole cameras that are right around the area of the devices" and then upload the footage into the software, said Cunningham. "They also may have just had officers sitting there watching the footage. Let's say there were 15 cameras that were fixed, that had a good line of sight of where the device was, then you could throw 100 officers at it; you probably wouldn't need software."
Cunningham also points out that investigators are working with cellphone companies to find cellphone records of the calls that were made close to the site of the explosions. Cellphones might allow them to find calls that were used to detonate the explosives. It's not clear if the explosives were triggered by timing devices or cellphones. Initial reports suggest that at least one of the suspects sought by investigators was actually talking with someone on the phone rather than triggering a bomb.
"Once they know what cellphone was his, that's the jackpot because they can find out where he was right before, and they can find out where he is today if he's dumb enough to be carrying that same cellphone," added Cunningham. Even if the phone the suspect used was a cheap, pay as you go phone, investigators would immediately begin to look for the store where that phone was sold.
Today, the White House once again threatened to veto the Cyber Intelligence Sharing and Protection act, CISPA, unless the bill incorporates additional privacy protections.
"The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 [CISPA] in an effort to incorporate the Administration's important substantive concerns. However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill."
"We have long said that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections," said National Security Staff spokeswoman Caitlin Hayden today.
CISPA -- set for a vote on the House floor tomorrow and Thursday -- allows private businesses to share information on cyber threats with each other and government agencies including the military. The bill passed the House last year but died after the White House issued a veto threat, citing concerns that it would infringe on citizens' privacy rights, and the Senate never took it up.
Despite the veto threat, the White House said it looks forward to working with the committee to refine the information-sharing bill. Remember, the White House called for such legislation after it released its cyber-security executive order in February, which allows the government to share information on cyber-security threats with businesses. But an executive order can only permit government-to-industry info-sharing; it can't mandate that industry share information, nor can it protect businesses that share such information from lawsuits.
Last week, the intelligence committee struck language from CISPA that would have allowed private companies to collect and share information for "national security" purposes -- a statement that was too vague for privacy advocates, who claimed this would allow the government to spy on people's online lives without a warrant. The committee also added language to the bill requiring that information shared with the government be scrubbed of all personal information.
Still, these steps don't go far enough for the White House, which wants the bill to do more to protect personal information and to place a civilian government agency -- namely the Department of Homeland Security -- in charge of receiving information from businesses instead of allowing the info to be sent directly to a military organization, such as the National Security Agency.
The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable - and not granted immunity - for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
The White House is also calling for the bill to reduce the amount of protection it affords companies from lawsuits if they improperly share private information or violate antitrust laws while sharing info on cyber threats with one another or the government.
The Administration agrees with the need to clarify the application of existing laws to remove legal barriers to the private sector sharing appropriate, well-defined, cybersecurity information. Further, the Administration supports incentivizing industry to share appropriate cybersecurity information by providing the private sector with targeted liability protections. However, the Administration is concerned about the broad scope of liability limitations in H.R. 624. Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.