« November 2009 | Main

December 09, 2009

National Defense Authorization Act For FY 2010

I stumbled upon a security blog of some guy who took a good look at the National Defense Authorization Act for FY 2010.

I must admit, regarding my topic on offensive cyber security policy, some interesting provisions are included in the act. As I don’t want to keep these from you, please see below (Strong emphasis added):

SEC. 931. IMPLEMENTATION STRATEGY FOR DEVELOPING LEAPAHEAD CYBER OPERATIONS CAPABILITIES.
(a) STRATEGY REPORT REQUIRED.—Not later than March 1,
2010, the Under Secretary of Defense for Acquisition, Technology,
and Logistics shall submit to the congressional defense committees
a report on a strategy for organizing the research and development
bodies of the Department of Defense to develop leap-ahead cyber
operations capabilities.
(b) ELEMENTS.—The report required by subsection (a) shall address the following: (1) A description of the management structure and investment
review process for coordinating the technology development
of advanced offensive and defensive cyber operations
capabilities
(e) CYBER OPERATIONS CAPABILITIES DEFINED.—The term
‘‘cyber operations capabilities’’ means the range of capabilities
needed for computer network defense, computer network attack,
and computer network exploitations. Such term includes technical as well as non-materiel solutions

Posted by Annemiek Moraal at 03:24 PM | | Comments (0) | TrackBacks (0)

December 06, 2009

Battlefield of cyber security

What should the US policy regarding cyber security look like?

Before that might become clear to everyone, a battle within the USG is taking place over who will be responsible for what as cyber security touches upon various aspects of US national security. Will DoD, DoC, DHS or a committee get it on their agenda? It gives power, but on the other hand a lot of responsibilities as well. Politics is a hard game.

Let’s go back to the concept of the term “cyber security” and what could have caused the sudden buzz of it. An interesting insight is giving by Nissenbaum (2005) in her article “Where computer security meets national security? Nissenbaum puts forward the difference between technical computer security and cyber security:
“…The other [cyber security], more recent entry, focuses on collective and institutional systems, reflecting the influence of political and national security actors.”

A couple of years ago, the term cyber security wasn’t as big as it is right now. President Bush did not wanted to touch upon it (though he was forced to agree upon spending 30$ bln on CNCI).
The last years, the topic has gained more and more interest and has become part of the strategic list of not only the US but also the UK, EU etc.

Nissenbaum talking about cyber security (vs techn security):
“Why are the issues it raises matters of security and what are the sources of its
moral weight? The meaning of security is drawn not from ordinary usage but from usage developed in the specialized arena of national security. The difference, therefore, is not merely one of scope but of meaning.”

An interesting quote from her:
“To securitize an activity or state-of-affairs is to present it as an urgent, imminent, extensive, and existential threat to a significant collective.”

Bush has been able to execute many military actions and spend a lot of money after 9/11.

What has caused President Obama to suddenly put cyber security as the number 1 of spending areas and part of his strategic priorities?
More interesting: if the threat is perceived as presented above in the quote, would Obama or whatever dept, be able to get away with executing offensive cyber security strategies?

Posted by Annemiek Moraal at 10:50 AM | | Comments (0) | TrackBacks (0)

December 03, 2009

Ask the security expert!

When typing in Google “offensive cyber security”, the second hit Google provides us with is searchsecurity.com stating that it is “the web’s best security-specific information resource for enterprise IT professionals” (let’s just take that for as it is right now).

It is a site where one can post a question and an expert will answer it.
On April 11 someone posted the question:
Should a national cybersecurity strategy include offensive botnets?
And the expert response this time was from Sherri Davidoff

At first, she makes a resemblance with cane toads in Australia. A little awkward but okay.. Her opinion actually boils down to a certain NO to the above question. One which is almost the same as my topic whether there is a case for an offensive cyber security policy, only does the question addresses botnets in particular.

Her argument:
“To introduce a new, powerful, distributed weapon without the knowledge or resources to fully control it, would be foolish. An offensive botnet itself would be an especially coveted target for attackers.”

Would this happen you think? It sounds realistic as many geeks and scripkids would just love to see if they can somehow hack the botnet. In addition, foreign nations that discover the United States is attacking its government or citizens with botnets are not going to be happy. What will happen next..?

An additional note posted by the expert:
“In the current environment, there is a high risk that any offensive cybersecurity technology would be compromised, misused or abused.”

Interesting..

Posted by Annemiek Moraal at 08:37 PM | | Comments (0) | TrackBacks (0)