The “Stop CISPA” petition on the We The People petition site has crosses the recently instated 100,000 threshold required for a response from the Obama administration. The petition asks the administration to reject CISPA for its overly broad language:

CISPA is about information sharing. It creates broad legal exemptions that allow the government to share “cyber threat intelligence” with private companies, and companies to share “cyber threat information” with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.

It will be interesting to see if, and how, the administration responds to this petition. President Obama has already signed an executive order that accomplishes what CISPA aims to do without the civil liberty violations. The President acknowledged, however, that an executive order isn’t enough and called upon Congress to pass cybersecurity legislation.

That’s going to be the hard part, though, as Congress proved last year that it can’t agree on cybersecurity measures. Privacy advocates may not even have to bother the White House if the House and Senate can’t come to any sort of agreement. Even if they do, the White House promised to stand against CISPA last year. Unless something changes, the White House will stand against CISPA again.

[h/t: TechDirt]

Security experts have found that Congress itself is woefully unprepared for a cyberattack on its network. They say that Congressional networks lack the technology and security methods to prevent attacks. The danger here is that a successful hack could yield a treasure trove of classified information from lawmakers.

Speaking to The Hill, Tom Kellermann, VP of Cybersecurity for Trend Micro, says that Congress is “overly reliant on perimeter defenses that are ineffective in today’s targeted environment.” He also says that Congressional networks “lack their own appropriate levels of funding for technologies and manpower to deal with this properly.”

If hackers were interested in Congress, who would they hit? Security experts say that high-ranking lawmakers would be first on the list, but important committees like the Intelligence and Armed Services committees would also be high priority targets. These committees hold highly classified information from government agencies like the FBI and the Pentagon that would be especially desirable.

For their part, many people in Congress told The Hill that they practice “proper cyber hygiene.” That is to say that members of Congress and its employees are trained to spot phishing attempts and malware attacks. It’s a good first line of defense that could prevent incidents like the recent Apple and Facebook hacks that used an exploit in Java to gain access to systems.

As always, lawmakers can talk a good talk, but are they really doing enough to protect their networks from hackers? Congress’ cybersecurity professionals have been reportedly stepping up their game over the past few years to prevent the kind of attacks that have crippled corporations over the last few years. They do, however, emphasize the need for new cybersecurity regulations. Let’s just hope Congress can provide one devoid of CISPA’s privacy infringing ugliness.

With that being said, let’s get into the nitty gritty of the executive order, shall we? First up are details on how information sharing between public government entities and private corporations will work:

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

In short, this part of the order makes it easier for government and companies to share information between themselves. This is what CISPA and CSA hoped to accomplish, and this executive order accomplishes pretty much the same thing.

What could be worrisome about this part of the order is that it makes it too easy to share information, but that would only be a concern if extensive privacy protections were not put in place. That’s where the next part of the order comes in:

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

As you can see, the above text illustrates that the Obama administration has built some decent privacy protections into the executive order. It’s a major relief since some were concerned that the executive order would be just like CISPA, privacy violations and all.

If you don’t want to take my word for it, the privacy protections in the executive order also got a pass from the ACLU. The organization’s Legislative Counsel Michelle Richardson had this to say about it:

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information. More encouragingly, the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices – like consent, transparency, minimization and use limitations. If new information sharing authorities are granted—especially the overbroad ones being pondered by the House – these principles will be more important than ever. We look forward to working with the administration to make sure that the devil isn’t in the details when privacy regulations are drafted.”

Section seven of the order contains a number of strategies to be implemented by the government to address and counter any cyber attacks directed at critical infrastructure. The central point is the creation of a “cybersecurity framework” that will include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” Keeping transparency as a central theme, the Director of the National Institute of Standards and Technology will “engage in an open and public review and comment process” during the creation of said framework.

Government agencies will be required to implement the above framework, but it’s entirely voluntary for private operators of critical infrastructure. That being said, the Obama administration will be doing its damnest to convince these private institutions to incorporate cybersecurity standards. One way the administration will be doing this is through the creation of an incentive program that will be pitched to the administration within 120 days. It will then be implemented by the President if it does not require the passage of new laws. If it does, Obama will take his case to Congress.

Finally, the order calls upon the government to seek out infrastructure that’s at the greatest risk of cyberattacks. Once they’ve been identified, the government will work with these organizations to make sure that any risk of cyberattacks are mitigated. As such, these organizations have the chance to make their case, every two years, for whether the cybersecurity standards placed upon them are “regulatory burdens.”

There’s sure to be a lot of talk about this cybersecurity executive order over the coming months. In his speech last night, President Obama indicated as much saying this order is meant to force Congress’ hand in passing extensive cybersecurity legislation. That being said, the order’s emphasis on privacy and civil rights protections makes me hopeful that the administration will smack down any attempts to revive CISPA this year.

Speaking to The Hill, sources close to the White House said that senior officials will announce Obama’s long in development cybersecurity mandate on Wednesday. The order will reportedly establish a voluntary program where “companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government.”

The order will be announced at an event that is due to take place that U.S. Department of Commerce. In attendance will be a who’s who of major cybersecurity proponents, including White House Cybersecurity Coordinator Michael Daniel, Department of Homeland Security Deputy Secretary Jane Lute, and National Security Director Gen. Keith Alexander. You can expect some, or all, of them to talk about the grave threat our nation faces from cyberattacks from China and the like, and how this executive order will better protect our aging infrastructure from cyberattacks.

Of course, members of Congress aren’t going to like it. They’re going to push for their own extensive cybersecurity legislation to replace whatever Obama’s administration cooks up. House Intelligence Committee Chairman Mike Rogers was already planning to reintroduce CISPA this week, but the executive order may force his hand in pushing the reviled legislation through the House even faster than before. Doing so would once again block all meaningful discussion on the privacy concerns present in the bill in favor of just pushing something through.

Of course, the Senate will probably not like it either, and may very well introduce its own cybersecurity legislation as well. It may choose to vote on CISPA, if it passes the house, but the Senate may very well choose to go its own way once again by crafting its own legislation. If it does, we may very well end up with a situation just like last year where neither legislative branch can come up with anything, thus justifying the executive order.

The Hill’s report doesn’t have any concrete details on what the executive order will entail, but we should probably prepare for the worst. Despite talking up a good game as a proponent on online privacy, President Obama has recently signed worrisome, and privacy infringing, legislation like the FISA extension into law.

We’ll keep our ear to the ground to let you know when, and if, a cybersecurity executive order is announced, and what it entails.

[Image: dcJohn/flickr]

The Hill reports that Rep. Dutch Ruppersberger, the ranking member of the House Intelligence Committee, is partnering with Intelligence Chairman Mike Rogers to re-introduce CISPA into the house this year. The original CISPA was threatened with a veto from the White House, but Ruppersberger hopes to avoid that this year by working directly with White House staff in the crafting of the bill.

What kind of cybersecurity bill can we expect from a collaboration between the House and the Obama administration? It’s too early to tell, but Ruppersberger says that his team is “working with the White House to to make sure that hopefully they can be more supportive of our bill than they were last time.” These discussions with the White House are reportedly “working pretty well.”

For the bill to have support from the White House, it will have to feature more of the privacy protections found in the Senate’s CSA. Both CISPA and CSA raised concern over their lack of privacy protections, but the White House seemed to favor CSA.

The reemergence of CISPA is only the beginning of a year that will be putting a lot of emphasis on cybersecurity. The U.S. is already gearing up for what could turn into massive offensives that are carried out online. Calls for a cybersecurity bill that sets ground rules for what the nation can and can not do will only continue to grow as the year goes on.

In a report Monday morning, The New York Times spoke to senior officials involved in the creation of the White House’s cyber warfare directive. The officials reveal that the White House has been developing its cyber warfare rules for the past two years to address the growing threat that nations like China and Russia pose in regards to cyberattacks. These rules will govern how the U.S. military, which just recently expanded its cybersecurity force, can retaliate to cyberattacks and in what ways these new weapons can be used in traditional offensives.

In regards to retaliation, the U.S. military is reportedly being held back by strict rules that state it can not act unless provoked by a major threat. Of course, this could lead to pre-emptive attacks which has some critics concerned that the U.S. would launch a major cyberattack against an innocent party. The officials stated that they understand the concern, and the rules seek to define “what constitutes reasonable and proportionate force” when it comes to pre-emptive or retaliatory attacks.

As for traditional offensives, the use of cyberweapons will be strictly restrained. The officials claimed that the U.S. has the cyber equivalent of a nuclear warhead in its arsenal, but such an attack would be considered a last resort. It would also be deployed much like a nuclear attack, as it would require authorization directly from the president.

Smaller cyberattacks, however, can be used by the military without the authorization of the President. An example would be the military using cyberweapons to disable automated defenses from afar to clear the way for a traditional strike.

Of coures, all of this only applies to the military. What about domestic infrastructure that’s targeted by cyberattacks from foreign nations? That responsibility will fall to the Department of Homeland Security. That’s what proposed laws like CISPA and CSA would have, and could have, addressed if the bills didn’t contain wide spread privacy violations. The Obama administration is expected to issue an executive order for domestic cybersecurity in the near future as well that would free up communications between private and public entities to address cyberattacks.

[h/t: techdirt]

The New York Times reports that the Pentagon is preparing to expand the Defense Department’s Cyber Command to more than 4,000 people. The center only has about 900 personnel currently working for it. With the expansion, the Defense Department hopes to create three different forces – national mission forces, combat mission forces and cyber protection forces. The first would protect national infrastructure, the second would execute cyberattacks against enemies, and the third would protect the Pentagon’s computer systems from unauthorized intrusions.

It’s an ambitious plan, but the Pentagon recognizes that it’s a challenging one as well. Defense officials say that it will be difficult to find and train thousands of people in something as complicated as cyber defense. That being said, the military says that the threat of a cyber attack is “real” and it needs to bolster its defenses before something disastrous like Stuxnet attacks U.S. infrastructure.

The Pentagon’s move to expand its cyber forces comes as the number of cyber attacks against private and public organizations increase every year. Anonymous has been a major source of these attacks with its latest target being the U.S. government. The government also regularly attributes a number of attacks against its systems to China or Russia. The most recent being a supposed Chinese cyber attack against the White House’s servers.

Alongside an increase to the Pentagon’s cyber defenses, the U.S. government will most assuredly propose more legislation that will beef up security. CISPA and CSA were defeated last year after privacy and government regulation concerns were brought to light, but some lawmakers will undoubtedly bring it up again this year. It’s also been suggested that President Obama will issue an executive order to institute a number of cybersecurity rules in the country.

[Image]

Computer security company AVG released its list of the top threats facing computer, and mobile device, users in 2013. Not surprising, the list contains a number of threats that were already at large or growing to be a major threat last year.

First up, AVG predicts that Java will continue to be the most exploited software on computers. That may just be the case as Oracle already had to deal with a major zero-day exploit last year along with other various security loopholes that hackers always seem to find before security researchers. The software’s spread across over 1 billion computers ensures it will remain a desirable target.

Besides Java’s vulnerabilities, the biggest threat facing users is mobile malware. Android is especially susceptible to malware as many people download malicious apps from unofficial app stores that don’t properly screen their services for malware. Google Play or Amazon’s Android Appstore are the safest bets for avoiding mobile malware, but no promises can be made.

Other threats include an increase in ransomware, cloud service breaches and other scary things that lawmakers and government agencies refer to when trying to push new cybersecurity laws that curb your privacy rights.

AVG’s report may sound like a lot of fear mongering, but it’s seemingly appropriate in an age where people are falling for obvious malware attacks all the time. People need to be more vigilant when browsing the Internet or checking email and avoid any links that look even remotely suspicious. Another handy rule of thumb is to disable Java or any other vulnerable Web plugin before visiting a site that doesn’t look legitimate. You should also stop using dumb passwords, like “password.”

On a final note, you should probably stop using Internet Explorer.

CISPA passed in the House, but the Senate’s rejection of CSA made it hard to move forward. The bill’s sponsor, Majority Leader Harry Reid, tried to push CSA through one more time, but the senate rejected his motion for cloture earlier this week.

So what does this mean? The US won’t have a cybersecurity bill before the end of the year. It was a long shot already, but this just cements it. There might be efforts to revive CISPA or CSA next year, but the public’s resistance to these bills might force lawmakers to write entirely new bills to address cybersecurity concerns.

In the meantime, there’e are rumors that President Obama will be signing off on an executive order that would implement much of CSA. Bloomberg reports that the executive order would seek to protect vital computer networks from cyber attacks. It’s unknown if the executive order contains any of the privacy concerns that were found in both CSA and CISPA.

The chances of an executive order are pretty high at this point. Cybersecurity is a major concern of the military, and Obama has already taken action in the form of a secret directive. The Washington Post reports that Obama has already signed a directive allowing the military to be more aggressive in preventing cyber attacks on government and private networks.

The directive doesn’t have quite the power of an executive order, but it should be a sign of things to come. The White House has already been targeted by hackers earlier this year, and Obama obviously wants to avoid any more scenarios like that. Giving the military more freedom in directing its own cybersecurity campaigns is just one part of whatever form the executive order takes.

Today, we are more interconnected than ever before. Not only do we use the Internet to stay connected, informed, and involved, but we rely on it for all of our day-to-day needs. The nation’s critical infrastructure relies heavily on the Internet for everything from submitting taxes, to applying for student loans, to following traffic signals, to even powering our homes. Can you imagine our lives without the Internet?

Yet, for all of its advantages, increased connectivity brings increased risk of crime – thus making cybersecurity one of our country’s most important national security priorities.

Passwords continue to be a concern. This week, we looked at new data about some of the recent big password leaks, finding that the most common password on the Internet is password, followed by 123456 and 12345678. Suffice it to say, passwords aren’t being taken seriously enough.

Software developer Siber Systems has put out a set of simple password-related tips for consumers to consider:

1. Create passwords that are difficult for anyone to guess, including friends, family and hackers. Avoid passwords that relate on a personal level, instead use upper and lower case letters, random symbols, and do not use any word found in the dictionary. One trick is to choose the first letters of each word from a random phrase such as “I like to eat pineapple daily”, to get “iLtEPd”, with the addition of a symbol and number for added measure. Also change passwords every 30 days.

5. Utilize technology tools to make password management and selection easier.

Setting a strong password is the top recommendation from the Department of Homeland Security, when it comes to practicing cybersecurity. Other recommendations include: keeping your operating system, browser and other software optimized by installing updates, maintaining an open dialogue with family, friends and community about Internet safety, limiting the amount of personal info you post online and using privacy settings, and being cautious about what you receive or read online.