Identity and Security on the Web, Part Two: Federated Identity, a Solution for the Future
In part one I laid out the issues currently facing new and existing businesses when it comes to providing proper security for themselves and their user base, and how we have reached the level where identity proofing and authentication should be outsourced to dedicated professionals in the same way many businesses currently outsource accounting, legal and other specialized services which are not their core business. Today, this can be done because of the structured separation of concerns offered by federated identity, splitting out authentication from the company while still allowing them to perform authorization.
And that’s the key. Despite both words starting with “auth” (often leading to the confusion between them), the two concepts are different in important ways.
Natural Gas Pipelines Under Sustained Attack
In a recently released report, DHS has indicated that the natural gas pipeline infrastructure has experienced an advanced persistent threat (APT) style attack coordinated with a spear-phishing campaign. News coverage, including one from CNET citing Shift, and one from the Financial Times citing the Interstate Natural Gas Association, has raised some serious questions. Why are control systems attached to publicly routable networks, even if they’re behind a firewall? Shouldn’t they be air-gapped? The fact that we’re sustaining APT style attacks suggests we could have a real crisis on our hands should the unknown attacking third party get an itchy trigger finger. Why is INGA wondering whether control systems are routable?! This is clearly going to spur calls for new standards in cyber security for the gas sector, and that means NAESB will likely get yoked with that unenviable task.
CISPA Passes House – A First Step of Many
Yesterday the US House passed the Cyber Intelligence Sharing and Protection Act, which included amendments to address privacy concerns. In passing the bill 248-168, the House sets the stage for the Senate to act on cyber security, particularly with the focus on the Cyber Security Act of 2012 (S.2105). The challenge for the Senate leadership will be reconciling the obvious need for a new framework to protect critical infrastructure in the face of growing cyber threats with powerful industry positions averse to potentially prescriptive regulatory regimes. The reality of critical infrastructure protection, particularly as it relates to “regulatory compliance” at present, is that most utilities and infrastructure providers are induced to adopt a “check the box” mentality when dealing with auditors and regulators. This behavior tends to stick to the letter of the rules rather than the spirit. In the coming week, Shift will be posting a multi-part series examining the traditional regulatory “check the box” mentality and presenting ways to curb this trend in the future.
Identity and Security on the Web, Part One: Why is SSL so difficult?
In light of high profile certificate authority compromises this past year, critics of SSL and its successor technology Transport Layer Security (TLS) are questioning whether they are the best way to secure the Web. Proponents of the technology insist that it is not the underlying technology but instead the implementation and deployment of systems that use them that are flawed and difficult. I see this as being the case from both the business and consumer perspectives but for different reasons.
Filed under: If the Chinese can do it, why can’t we…
So General Alexander, under a friendly grilling by Congressman Hank Johnson of Georgia, asserted the NSA doesn’t have the capability to intercept traffic and read someone’s email. General Alexander categorically stated that because of a combination of a lack of Congressional authorization and a lack of infrastructure in place, it wasn’t technically feasible to intercept domestic communications. While in many respects I understand that they may not have wiretap facilities across the United States, it is likely that such a limitation is one more of paperwork and jurisdiction rather than capability. We’re going to need to reconcile digital privacy issues with the growing need for real time situational awareness. All too often, malware is wrapped in the payloads of traffic, and that’s going to require some inspection to stop at an infrastructural level.
NSA Building World’s Largest Signals Intel Facility
Reports by Wired today that the NSA is building a large datacenter in the Utah desert south of Salt Lake City are by no means news. Heck, the US Army Corps of Engineers had a project qualification presentation out over two years ago. What is interesting is that it yet again underscores the differences between political optics and true operational capability. Clearly, strategic planners at NSA thought a major investment into cyber and signals intelligence was worth investing in a $1B+ facility with gargantuan data center capacity. It takes time, significant capital, and expertise to develop a true intelligence capability – something DHS does not really have today. Coupled with questions about the true scope of monitoring authority, it’s clear that DHS will face some immediate challenges should Congress ultimately decide to task the agency with the critical effort. Politically, it’s far more palatable for DHS to manage domestic cyber security intelligence and threat awareness activities, particularly when coupled with a genuine commitment to partnerships forged with digital privacy advocates to ensure that American ideals regarding freedom and privacy are respected. Operationally, I’m not so sure. In terms of just raw infrastructure investment and time, assuming Congress and the President agreed to greenlight new programs right this second, it would be at least 2 years before just the facilities could be built. I wonder who has a new facility they could offer to their facility-challenged compatriots… I hope the new Undersecretary for Cyber Security @ DHS likes the Utah desert.
Commerce Secretary Weighs in on Cyber Security
Secretary of Commerce John Bryson wrote an opinion piece for Politico, roughly asking Congress to move expeditiously to deal with the growing cyber threat because delay is economically corrosive to US competitive advantage. In view of the latest rendition of Chinese malware, constructed in the style of an “advanced persistent threat”, I can’t agree more. When DHS is releasing a budget that ramps its cyber security spend to roll out EINSTEIN 3.0, and DARPA doubles its budget for basic research in offensive cyber security capabilities, it’s clear the weaponization efforts will become the focus of the next few years. Contrast DARPA’s strategy to the goals of DHS, and it becomes clear that closer coordination between the DoD-centric R&D apparatus and supply chain investments by private sector critical infrastructure owners is vital. It’s time to get serious about creating a critical infrastructure focused Trusted Supply Chain.
An Intelligent View of the Competing Cyber Bills
In perhaps the most well thought out analysis of the competing cyber security bills I’ve seen, the editorial staff at Bloomberg do seem to have their heads and hearts in the right place. I particularly like their calls for more flexibility to deal with real time threats, the expansion of the definition of critical infrastructure to include large vendors of IT services, and the inclusion of the NSA in the information sharing process. I am pleased to see Congress taking a hard look at the issue, and the debate that’s forming is certainly a productive one.
It appears our Canadian friends share our pain
For those looking for an object lesson grounded in cold hard facts proving competitive value destruction, our compatriots to the north have started to notice the true costs of cyber espionage, quantifiable in real terms. The article from the Vancouver Sun is quite damning, chronicling the painful downward spiral of Nortel, strangled by a loss in competitive edge vs. Huawei, ZTE, and others.
Apple, RIM, Cisco, and Juniper look out; you’re next. Especially when you have Richard Yu, Chairman of Huawei Devices, aiming to sell 60 million smart phones next year with a corporate annual revenue target of $100B within 5 years. When will we realize that American businesses and those of our allies already face the foxholes of a trade war, hobbled by the modern mustard gas of cyber espionage and IP theft?
WSJ: NSA Continues to Seek Active Domestic Role in Cybersecurity
If the Journal is to be believed, it appears the National Security Agency is looking for a domestic cybersecurity / cyber warfare intelligence mandate. According to unnamed sources, the NSA is looking for a role to perform domestic surveillance and cyber threat blocking for attacks inbound to American targets, public or private. Logically, under traditional constructs of warfare, this posture makes sense. What’s the difference between a foreign invader landing on the shores of California with an armada and the same foreign invader launching a network incursion via foreign-connected Internet Exchanges? In some cases, the network attack could conceivably be far more devastating. Under the pending Cybersecurity Act of 2012, the framework in the proposed legislation that enables voluntary collaboration by private entities with the NSA is a wholly appropriate way to deal with critical infrastructure protection. Further, if performed within the construct of the pending law, even traditional civil liberties are taken into account in framing the interaction among parties that share information. This is certainly an idea that bears merit, and one which clearly is a step in the right direction.
