Cyber Terror Legislation

Title: Terrorist Capabilities For Cyberattack: Overview And Policy Issues
Date: January 22, 2007
Source: CRS Report for Congress

Terrorists’ use of the internet and other telecommunications devices is growing both in terms of reliance for supporting organizational activities and for gaining expertise to achieve operational goals. Tighter physical and border security may also encourage terrorists and extremists to try to use other types of weapons to attack the United States. Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to continue to enhance their computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against the U.S. critical infrastructure.

Cybercrime has increased dramatically in past years, and several recent terrorist events appear to have been funded partially through online credit card fraud. Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money, and for the smuggling of arms and illegal drugs. These links with hackers and cybercriminals may be examples of the terrorists’ desire to continue to refine their computer skills, and the relationships forged through collaborative drug trafficking efforts may also provide terrorists with access to highly skilled computer programmers. The July 2005 subway and bus bombings in England also indicate that extremists and their sympathizers may already be embedded in societies with a large information technology workforce.

The United States and international community have taken steps to coordinate laws to prevent cybercrime, but if trends continue computer attacks will become more numerous, faster, and more sophisticated. In addition, a recent report by the Government Accountability Office states that, in the future, U.S. government agencies may not be able to respond effectively to such attacks. This report examines possible terrorists’ objectives and computer vulnerabilities that might lead to an attempted cyberattack against the critical infrastructure of the U.S. homeland, and also discusses the emerging computer and other technical skills of terrorists and extremists. Policy issues include exploring ways to improve technology for cybersecurity, or whether U.S. counterterrorism efforts should be linked more closely to international efforts to prevent cybercrime (CRS Report for Congress, 2007).

Title: White House Eyes Cyber Security Plan 
Date: February 9, 2009
Source: CBS News

Abstract: In the age of terrorism and the Internet, threats to the United States' national security come not just from those wielding bombs and guns, but unconventional weapons – such as a keyboard and a mouse.

The White House announced today that it will conduct a review of the nation's cyber security to "ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector," according to a release from the White House.

The announcement comes less than a week after President Obama's pick to lead the Central Intelligence Agency, Leon Panetta, raised the issue of protecting vital national security interests online during a hearing of the Senate Intelligence Committee. During the hearing, Panetta uttered the phrase "cyber-attack" in the same breath as such threats as al Qaeda and the potential of a nuclear armed North Korea.

"What is al Qaeda plotting in the tribal areas of Pakistan? What will it take to get Iran off of its dangerous nuclear path? What will be the keys to long-term stability in Afghanistan and in Iraq? Will North Korea give up its weapons program? Can we defend our networks against cyber-attack?" he said. "Our first responsibility is to prevent surprise.

"We know that our communications networks are vulnerable to malicious activity and cyber threats. But we don't know what our adversaries are planning and what damage they are capable of inflicting."

The 60-day interagency review will include advisors from the National and Homeland Security Councils and will be led by Melissa Hathaway, who served as Cyber Coordination Executive to the Director of National Intelligence under President Bush. In the Obama administration, Hathaway will get a new title – albeit an equally obtuse one – as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils.

Mr. Obama's appointment of Hathaway fulfills a promise he made on the campaign trail last summer.

"We need to prevent terrorists or spies from hacking into our national security networks," he said in a July 16, 2008, speech in Indiana. "We need to build the capacity to identify, isolate and respond to any cyber-attack. And we need to develop new standards for the cyber-security that protects our most important infrastructure – from electrical grids to sewage systems; from air traffic control to our markets."

The review announced today is aimed at achieving those goals, without trampling privacy rights, according to the announcement.

"The national security and economic health of the United States depend on the security, stability, and integrity of our Nation's cyberspace, both in the public and private sectors. The president is confident that we can protect our nation's critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan (CBS News, 2009).

Title: Senate Legislation Would Federalize Cybersecurity 
Date: April 1, 2009
Source: Washington Post

Abstract: Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said. 

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information" (Washington Post, 2009).

Title: Pentagon Bill To Fix Cyber Attacks: $100M
Date: April 7, 2009
Source: CBS News

Abstract: The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

"The important thing is that we recognize that we are under assault from the least sophisticated - what I would say the bored teenager - all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between," said Chilton, adding that the motivations include everything from vandalism to espionage. "This is indeed our big challenge, as we think about how to defend it."

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military's information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military's computer capabilities, rather than pouring millions into repairs.

"You can either pay me now or you can pay me later," said Davis. "It would be nice to spend that money proactively ... rather than fixing things after the fact."

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation's cybersecurity.

In February, the White House announced that it would conduct a review to "ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector," according to a release from the White House (CBS News, 2009).

Title: Obama Information Czar Calls For Banning Free Speech
Date: January 14, 2010
Source: Prison Planet

Abstract: The controversy surrounding White House information czar and Harvard Professor Cass Sunstein’s blueprint for the government to infiltrate political activist groups has deepened, with the revelation that in the same 2008 dossier he also called for the government to tax or even ban outright political opinions of which it disapproved.

Sunstein was appointed by President Obama to head up the Office of Information and Regulatory Affairs, an agency within the Executive Office of the President.

On page 14 of Sunstein’s January 2008 white paper entitled “Conspiracy Theories,” the man who is now Obama’s head of information technology in the White House proposed that each of the following measures “will have a place under imaginable conditions” according to the strategy detailed in the essay.

1. Government might ban conspiracy theorizing.
2. Government might impose some kind of tax, financial or otherwise, on those who disseminate such theories.

That’s right, Obama’s information czar wants to tax or ban outright, as in make illegal, political opinions that the government doesn’t approve of. To where would this be extended? A tax or a shut down order on newspapers that print stories critical of our illustrious leaders?

And what does Sunstein define as “conspiracy theories” that should potentially be taxed or outlawed by the government? Opinions held by the majority of Americans, no less.

The notion that Lee Harvey Oswald did not act alone in killing JFK, a view shared by the vast majority of Americans in every major poll over the last ten years, is an example of a “conspiracy theory” that the federal government should consider censoring, according to Sunstein.

A 1998 CBS poll found that just 10 per cent of Americans believed that Oswald acted alone, so apparently the other 90 per cent of Americans could be committing some form of thought crime by thinking otherwise under Sunstein’s definition.

Sunstein also cites the belief that “global warming is a deliberate fraud” as another marginal conspiracy theory to be countered by government action. In reality, the majority of Americans now believe that the man-made explanation of global warming is not true, and that global warming is natural, according to the latest polls.

But Sunstein saves his most ludicrous example until last. On page 5 he characterizes as “false and dangerous” the idea that exposure to sunlight is healthy, despite the fact that top medical experts agree prolonged exposure to sunlight reduces the risk of developing certain cancers.

To claim that encouraging people to get out in the sun is to peddle a dangerous conspiracy theory is like saying that promoting the breathing of fresh air is also a thought crime. One can only presume that Sunstein is deliberately framing the debate by going to such absurd extremes so as to make any belief whatsoever into a conspiracy theory unless it’s specifically approved by the kind of government thought police system he is pushing for.

Despite highlighting the fact that repressive societies go hand in hand with an increase in “conspiracy theories,” Sunstein’s ‘solution’ to stamp out such thought crimes is to ban free speech, fulfilling the precise characteristic of the “repressive society” he warns against elsewhere in the paper.

“We could imagine circumstances in which a conspiracy theory became so pervasive, and so dangerous, that censorship would be thinkable,” he writes on page 20. Remember that Sunstein is not just talking about censoring Holocaust denial or anything that’s even debatable in the context of free speech, he’s talking about widely accepted beliefs shared by the majority of Americans but ones viewed as distasteful by the government, which would seek to either marginalize by means of taxation or outright censor such views.

No surprise therefore that Sunstein has called for re-writing the First Amendment as well as advocating Internet censorship and even proposing that Americans should celebrate tax day and be thankful that the state takes a huge chunk of their income.

The government has made it clear that growing suspicion towards authority is a direct threat to their political agenda and indeed Sunstein admits this on page 3 of his paper.

That is why they are now engaging in full on information warfare in an effort to undermine, disrupt and eventually outlaw organized peaceful resistance to their growing tyranny (Prison Planet, 2010).

Title: Mapping Cyberspace
Date: October 6, 2010
Source: San Diego State University

Abstract: A $1.3 million grant from the National Science Foundation will help SDSU researchers create new ways to analyze the spread of information and ideas on the Internet. The multidisciplinary cyber-infrastructure innovation project will map cyberspace by tracking the flow of information and monitoring its movement on the Internet. “The spread of ideas in the age of the Internet is a double-edged sword; it can enhance our collective welfare, as well as produce forces that can destabilize the world,” said Ming-Hsiang Tsou, associate professor of geography and the project’s lead investigator.

“This project aims at understanding the process by which the impact of co-related events or ideas disperse throughout the world over time and space.” The project seeks to map both the geography and the chronology of ideas over cyberspace, as the ripples of information radiate outward from a given event epicenter. By mapping and analyzing such ripples, researchers hope to better understand the role of new media in biasing, accelerating, impeding or otherwise influencing personal, social and political uses of such information.

Tracking Terrorist Ideas

One application of the project will be to track terrorist and extremist ideas on the web to see where the information originates and how it spreads. As an example, the news of an obscure preacher’s intention to burn the Koran spread like wildfire in various media throughout much of the world in general, and in the Islamic world in particular. “This singular announcement by a solitary person touched off violent protests that took the lives of many and threatened further escalation of tensions and rifts between the West and the Islamic world,” said Dipak Gupta, co-investigator on the project and professor of international security and conflict resolution.

“This episode illustrates the potential of relatively isolated events for destabilizing the world in unforeseen ways and with far-reaching consequences.” By identifying the path of information online, researchers hope to learn what makes a place more prone to the spread of any particular idea. In addition to terrorist ideas, the project also seeks to establish ways to map the spread of information on other ongoing topics, such as epidemics and global climate change, and other event-based topics, such as wildfires, earthquakes and hurricanes.

Diffusion of Information

“Understanding information diffusion and acquisition—e.g., searching, sending—patterns in response to such disasters and epidemics may significantly facilitate intervention responses, and eventually, prevention responses,” Tsou said. The first phase of the project will develop basic language analysis tools creating semantic maps—words, phrases and patterns of language use—which characterize the seed sites in the spread of ideas.  Using these maps to guide web searches will provide a detailed picture of how seed sites are reporting an event. 

By using this linguistic framework, a sophisticated web search will indicate how these seed sites and their social networks of users are reporting an event and influencing each other. In the second phase of the project, researchers will collect data on the spread of words, phrases and patterns of language use on websites over time and space. By mapping these sites on a world map, visualization will show how the ideas are spreading. In the third phase of the project, statistical analyses will seek to understand the reasons for a particular course along which an idea spreads. In other words, potential factors that cause “susceptibility” to and “immunity” from a particular set of ideas will be identified. This project will continue for four years, collecting and analyzing data, and developing a theoretical structure on the spread of ideas. 

Understanding 'Collective Thinking'

“This project will help us to better understand the ‘collective thinking’ of human beings and minimize misunderstandings between different groups and people,” Tsou said. Mapping Cyberspace to Realspace: Visualizing and Understanding Spatiotemporal Dynamics of Global Diffusion of Ideas and the Semantic Web was funded for four years starting Oct. 1 (San Diego State University, 2010).

Title: EU And US Join NATO Cyber Security Pact
Date: November 23, 2010
Source: Computer World

A range of new plans to tackle cyber-crime has been approved by the European Union, the US and NATO over the past three days. The European Commission announced on Monday its proposals to develop three systems to raise the level of security for citizens and businesses in cyberspace.

An EU cybercrime centre to be established by 2013 will coordinate cooperation between member states, EU institutions and international partners, while a European information sharing and alert system, also planned for 2013, will facilitate communication between rapid response teams and law enforcement authorities. The Commission also wants to create a network of Computer Emergency Response Teams (CERTs) by 2012, with a CERT in every EU country.

However, Home Affairs Commissioner Cecilia Malmström was keen to play down concerns that these systems would lead to the creation of yet another citizens' information database, saying that no such database would be set up and that the aim of the new bodies is to manage the flow of information to prevent cyber-attacks, not to store it.

Meanwhile, following a meeting between US President Barack Obama, European Commission President Jose Manuel Barroso and European Council President Herman Van Rompuy at the weekend, the EU and US leaders announced the setting up of a working group on cybersecurity, which will report back in a year's time. This group will focus on the commercial side and potential threats to the regular consumer, said US envoy to the EU institutions William Kennard.

EU leaders on Sunday also made reference to data protection issues, saying that a speedy compromise on an overarching EU-US data protection agreement may facilitate the conclusion of other data transfer deals, for instance on passenger name records.

Elsewhere, NATO adopted its Strategic Concept charter at a summit in Lisbon, Portugal. The document includes plans to develop new capabilities to combat cyber attacks on military networks, but stops short of the 'active cyberdefence' plans that would have included the pre-emptive cyber strikes favoured by the Pentagon. Following attacks in 2008 on its classified military network the Pentagon established a new cyber command, making 'active cyberdefence' one of its policy pillars.

The new Strategic Concept replaces a 10-year-old strategy paper and seeks to update plans for the Internet age.

Awareness and planning are the cornerstones of the new NATO strategy. Terrorist groups and organised criminals are increasingly using cyber attacks on government administrations, and potentially also transportation and other critical infrastructure.

NATO members are keen to avoid a repeat of an incident affecting Estonia in 2007, when cyber-strikes paralysed bank and government websites there. Increasingly large scale attacks have threatened security in recent years. Two years ago Lithuania was subject to large-scale cyber-attack; the botnet 'Conficker' has affected millions of computers worldwide, including in France, the UK and Germany; and the 'Stuxnet' worm, possibly the first targeted cyber weapon, infected industrial control systems (Computer World, 2010).

Title: Pentagon Classifies Cyber-Attack As Act Of War
Date: June 2, 2011

Abstract: Having already been the victim of hackers of foreign origin, the Department of Defense has prepared a new doctrine declaring cyber-attacks an act of war that can warrant a conventional military response.

The development of the new cyber strategy has been likened to the effort of the early 1950s when military planners and administration officials grappled with how to respond to threats of nuclear attack. What eventually became known as a policy of deterrence involved varying levels of response to discourage adversaries, namely the former Soviet Union, from ever striking the U.S. or its allies with warheads.

The Obama administration is crafting its own multiple-choice options for handling future cyber-attacks that could range from economic sanctions to full-on military assault. Hacking attempts would not have to be solely directed at the Pentagon to warrant the engagement of air or ground forces by the U.S. For instance, a crippling cyber-attack on the nation’s energy supply system could produce a violent response.

“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” a military official told The Wall Street Journal.

One stumbling block to engaging military forces would be assurance of knowing just where a cyber assault originated from. In a world where hacking utilizes servers around the world to obscure the identity of hackers, officials could find themselves lacking the smoking gun to pin blame on a foreign government or organization.

Whatever U.S. government officials are or aren’t saying publicly, it is clear that the United States is already fully engaged in cyber-warfare. China is a nation where all computer activity is monitored by the government. Hackers of Chinese origin have attacked the computers of government agencies and defense contractors. Although it has attracted less media coverage, there is an unspoken acknowledgement that the U.S. cooperated with Israel in a sophisticated attack on Iran’s nuclear program (AllGov, 2011).

Title: VeriSign Demands Website Takedown Powers
Date: October 11, 2011
Source: The Register 

Abstract: VeriSign, which manages the database of all .com internet addresses, wants powers to shut down "non-legitimate" domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the "denial, cancellation or transfer of any registration" in any of a laundry list of scenarios where a domain is deemed to be "abusive".

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, "to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process", according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain's website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign's filing, could enable it to shut down a domain also when it receives "requests from law enforcement", without a court order.

"Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names," VeriSign told ICANN, describing its system as "an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure".

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It's not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a "malware scanning service", not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free "informational only" security report to the registrar responsible for the domain, which would then be able to take remediation action. It would be a voluntary service.

RSEP requires all registries including VeriSign to submit to a technical and competition evaluation.

Sometimes, ICANN also opens up an RSEP question to public comment, as seems likely in this case.

But ICANN's board of directors would have to make the ultimate decision whether to approve the anti-abuse policy and the malware-scanning service.

VeriSign is already anticipating that there may be criticisms from internet users "concerned about an improper takedown of a legitimate website" and told ICANN it plans to implement a "protest" policy to challenge such decisions.

The company's move echoes policy development in the UK, where .uk registry Nominet is in the late stages of creating rules that would allow it to suspend domains allegedly involved in criminal activity at the behest of law enforcement (The Register, 2011).

Title: Boeing Sees Growth In Cyber Despite Defense Cuts
Date: October 25, 2011 
Source: Reuters 

Abstract: Boeing Co (BA.N) opened a new cyber security center on Tuesday, saying it expected high single-digit or low double-digit growth in the sector in coming years despite major cuts in defense spending.

Dennis Muilenburg, chief executive of Boeing's Defense Space and Security, said creation of the new facility was part of Boeing's strategy to offset cuts in defense spending that could total as much as $1 trillion over the next decade.

Boeing's defense business has continued to invest in core areas such as aviation and satellites, and has already expanded international sales from 7 percent of revenues to around 18 percent, with that proportion due to increase to around 25 to 30 percent, Muilenburg told reporters at the center's opening.

In addition, Boeing would also continue to move aggressively into areas such as cyber security, where it expected to generate good revenues from government and commercial customers in coming years, Muilenburg said.

He declined to give details on what share of overall Boeing defense revenues came from cyber security, but said the company would continue to evaluate additional acquisitions to add new capabilities to its cyber security portfolio.

Boeing also bought several smaller cyber companies, including eXMeritus and Kestrel that brought in tools for data analysis and secure information-sharing capabilities. Narus and SMSi, two other recent acquisitions, added real-time traffic intelligence solutions and analytics capabilities.

Muilenburg said Boeing still aimed to balance overall commercial and defense sales, allowing growth in one area to help offset down cycles in the other, but commercial sales looked likely to overtake defense sales in coming years.

In past years, he said, defense and commercial sales contributed about 50 percent of revenues, a contrast from five years ago when defense sales outweighed commercial sales by about 60 to 40 percent. Now the pendulum was swinging the other way, with commercial sales buoyed by strong demand.


Boeing's new "Cyber Engagement Center" is located about 100 yards from the U.S. National Security Agency, the military intelligence agency charged with ensuring the security of government computer networks.

The 32,000-square-foot center, staffed by 30 to 40 people, is one of three at which Boeing monitors its own extensive computer network, one of the largest in the world with about 250,000 users and about 1 million nodes.

It will also provide secure facilities for Boeing to meet with commercial, government, and international customers to demonstrate its integrated data analysis capabilities and new ways to marry surveillance of physical and cyber security.

Boeing is also investing heavily to develop solutions that will allow companies and government workers to use commercially available computing devices such as iPads and smart phones without exposing secure data to possible cyber attacks.

Roger Krone, president of Boeing Network and Space Systems, said the cyber center underscored the company's commitment to working with existing and future customers to defend against escalating cyber threats.

"This is an hundred year market for us," Krone said. "It's a huge inflection point."

Boeing officials said the company amassed extensive experience in cyber security after years of developing, building and defending complex weapons systems, and managing a global network for its commercial airline sales.

Other companies in the cyber security sector, including Lockheed Martin Corp (LMT.N) and Britain's BAE Systems (BAES.L), have also set up cyber centers in recent years (Reuters, 2011).

Title: 'Rogue Websites' Bill Introduced In US House
Date: October 26, 2011
Source: Breitbart 

Abstract: US lawmakers introduced a bill on Wednesday that would give US authorities more tools to crack down on websites accused of piracy of movies, television shows and music and the sale of counterfeit goods.

The Stop Online Piracy Act has received bipartisan support in the House of Representatives and is the House version of a bill introduced in the Senate in May known as the Theft of Intellectual Property Act or Protect IP Act.

The legislation has received the backing of Hollywood, the music industry, the Business Software Alliance, the National Association of Manufacturers, the US Chamber of Commerce and other groups.

But it has come under fire from digital rights and free speech organizations for allegedly paving the way for US law enforcement to unilaterally shut down websites, including foreign sites, without due process.

House Judiciary Committee chairman Lamar Smith, a Republican from Texas, said the bill "helps stop the flow of revenue to rogue websites and ensures that the profits from American innovations go to American innovators.

"Rogue websites that steal and sell American innovations have operated with impunity," Smith said in a statement.

"The online thieves who run these foreign websites are out of the reach of US law enforcement agencies and profit from selling pirated goods without any legal consequences," he said.

"The bill prevents online thieves from selling counterfeit goods in the US, expands international protections for intellectual property, and protects American consumers from dangerous counterfeit products," Smith said.

Howard Berman, a Democrat from California who co-sponsored the legislation, said it is "an important next step in the fight against digital theft and sends a strong message that the United States will not waiver in our battle to protect America's creators and innovators."

The House Judiciary Committee is to hold a hearing on the bill on November 16.

The Washington-based Center for Democracy and Technology (CDT) said the House bill "raises serious red flags.

"It includes the most controversial parts of the Senate's Protect IP Act, but radically expands the scope," the CDT said in a statement. "Any website that features user-generated content or that enables cloud-based data storage could end up in its crosshairs.

"Internet Service Providers would face new and open-ended obligations to monitor and police user behavior," the CDT said. "Payment processors and ad networks would be required to cut off business with any website that rightsholders allege hasn't done enough to police infringement.

"The bill represents a serious threat to online innovation and to legitimate online communications tools," it said.

The Obama administration has come in for some criticism for shutting down dozens of "rogue websites" over the past year as part of a crackdown known as "Operation in Our Sites."

US authorities in November, for example, shut down 82 websites selling mostly Chinese-made counterfeit goods, including golf clubs, Walt Disney movies, handbags and other items (Breitbart, 2011).  

Title: The Non-Existent 'Cyber War' Is Nothing More Than A Push For More Government Control
Date: October 28, 2011
Source: Tech Dirt

Abstract: Reason's recent post, "Cyber War: Still Not a Thing," addresses the claims of various politicians that America is under constant attack from hackers and other cyber criminals. While various DDoS attacks on prominent government websites would seem to indicate a larger problem, the real issue here is the use of "war" rhetoric to remove all sense of proportion, thus greasing the wheel for overreaching legislation.

Ever since Vietnam, the U.S. government has shown an odd propensity for dragging us into unpopular (and unwinnable) wars. Between the protracted Iraq "War" (nearly a decade at this point), our involvement in Afghanistan and our intervention in Libya, Americans are finding that the old concept of "war" doesn't really fit what's going on here.

Back on the home front, various unwinnable wars continue to suck down tax dollars and erode civil rights. The War on Drugs. The War on Terror. The political system is no longer interested in mere skirmishes or "police actions." Everything is a capital-W "War." 

A multitude of problems arise from couching these situations in catastrophic and adversarial terms. Declaring "war" on drugs has brought the battle to the home front and turned our law enforcement into an ad hoc military force. The slightest of violations is met with excessive force. There are dozens of stories of people whose houses have been invaded by SWAT teams armed with automatic weapons. Uninvolved children have been thrust into violent situations by the perceived wrongdoing of their parents. When a person possessing a couple of ounces of marijuana is treated like a Colombian drug lord, the system is being abused. 

Using the word "war" automatically defines your opponent as violent, no matter how untrue that designation is. Declaring the nation to be in the midst of a "cyberwar" allows law enforcement and government security agencies to escalate their response to perceived threats. Every reaction becomes an overreaction. No matter what your opinion of Anonymous and like-minded hackers might be, it's pretty safe to say that most of us do not consider them to be a violent threat. 

All previous indications point to this being handled just as badly as any previous "war." The point will come when people are overrun in their own homes by armed tactical units in response to actions like DDoS attacks which, as Reason points out, are usually "undirected protests" with "no tactical objective." Truly innocent citizens will be swept up in this as well, considering the number of computers out there that have been "zombified" and pressed into service as part of a botnet. Immigration and Customs Enforcement (ICE) has already demonstrated that it needs nothing more than an IP address to mobilize.

In times of war, corners are cut and rights are treated as privileges. When the enemy is invisible and the list of possible suspects grows exponentially with each broadening of the definition of "hacking," the "war" becomes a convenient excuse for law enforcement fishing expeditions and violent tactical reactions. California has already decided police can search your phone without a warrant and the list of municipalities willing to expand police power with warrantless searches and abuse of "probable cause" continues to grow.

The ugliest part of this whole "war" concept is that underneath all the tough talk and tougher action is a good old fashioned money grab. Reason cites Sen. Barbara Mikulski's quote, "We are at war, we are being attacked, and we are being hacked," while pointing out that Maryland is home to the U.S. Cyber Command Headquarters. A Baltimore Sun piece digs deeper into this money grab:

Mikulski, the state's senior senator, sits on the intelligence and appropriations committees. She said that she and Rep C.A. Dutch Ruppersberger, who sits on the appropriations and intelligence committees in the House, are Maryland's "one-two punch" on Capitol Hill. Mikulski also was named recently to a cyber security task force, which will focus on governance, technology development and work force development nationwide. 

O'Malley called for the establishment of a "National Center for Excellence for Cyber Security" in Maryland, more education and work force training, and an economic development strategy for cyber security in the state. 

The computer design and services sector, which includes cyber security, employs about 60,000 mostly high-paid workers in Maryland, and grew despite the national recession, at a 7.2 percent annual clip through November 2009, state officials said.

An earlier Reason piece points out even more examples:

Beginning in early 2008, towns across the country sought to lure Cyber Command's permanent headquarters. Authorities in Louisiana estimated that the facility would bring at least 10,000 direct and ancillary jobs, billions of dollars in contracts, and millions in local spending. Politicians naturally saw the command as an opportunity to boost local economies. Governors pitched their respective states to the secretary of the Air Force, a dozen congressional delegations lobbied for the command, and Louisiana Gov. Bobby Jindal even lobbied President George W. Bush during a meeting on Hurricane Katrina recovery. Many of the 18 states vying for the command offered gifts of land, infrastructure, and tax breaks. 

The city of Bossier, Louisiana, proposed a $100 million "Cyber Innovation Center" office complex next to Barksdale Air Force Base and got things rolling by building an $11 million bomb-resistant "cyber fortress," complete with a moat. Yuba City, California, touted its proximity to Silicon Valley. Colorado Springs pointed to the hardened location of Cheyenne Mountain, headquarters for NORAD. In Nebraska the Omaha Development Foundation purchased 136 acres of land just south of Offutt Air Force Base and offered it as a site. 

Proposed cybersecurity legislation presents more opportunities for pork spending. The Cybersecurity Act of 2010, proposed by Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) called for the creation of regional cybersecurity centers across the country, a cyber scholarship-for-service program, and myriad cybersecurity research and development grants. 

Underneath any faux "war" is the lure of unregulated tax dollars. Building a force to counteract an undefinable foe is an open-ended "goal". In addition, this sort of thing gives government entities more of what they really want: power, money and control.

A rough Beltway consensus has emerged that the United States is facing a grave and immediate threat that can only be addressed by more public spending and tighter controls on private network security practices. 

It's a war alright. A war on civil liberties. It's a million (or more accurately, 7.9 billion) reasons to regulate and track internet usage and criminalize yet another section of the U.S. population. Tactical operations will now be mobilized against people who bring a laptop to a gunfight. And much like any other war, once it's underway, it's nearly impossible to stop (Tech Dirt, 2011)

Title: Cameron Warns On Internet Crackdown
Date: November 1, 2011
Source: Press Association

Abstract: Fears of cyber attacks and rising online crime must not be an excuse for a "heavy-handed" crackdown on freedom on the internet, David Cameron has said.

Addressing an international cyberspace conference in London, the Prime Minister said it was essential to strike a balance between the needs of online security and the right to free expression.

Earlier, Foreign Secretary William Hague said it was not acceptable for governments to try to close down social media and mobile phone networks at times of social unrest.

However, critics contrasted his comments with Mr Cameron's response to the London riots when he suggested preventing people using websites and mobile phones to plot violence and disorder.

"It's very easy to defend the case of black and white - human rights against dictatorships around the world," John Kampfner, the chief executive of the Index on Censorship, told the conference.

"But as soon as our own Western-style stability of the state is called into question, well then freedom of expression is expendable. There should be one rule for all including Western governments."

The call by Mr Cameron and Mr Hague for human rights online to be respected was seen as a direct challenge to Russia and China - both represented at the conference - who have been pressing for tighter regulation of the internet through binding international treaties.

Britain, in contrast, has been arguing for internationally agreed "norms of behaviour", ensuring the free flow of information and ideas in cyberspace while taking concerted action to tackle online crime.

"We cannot leave cyberspace open to the criminals and the terrorists that threaten our security and our prosperity but at the same time we cannot just go down the heavy-handed route," Mr Cameron told the conference.

"Do that and we will crush all that is good about the internet and the free flow of information - the climate of creativity that gives such life to so many new ideas and new movements" (Press Association, 2011)

Title: Canada Puts Up $477 Million To Foil Cyber Attacks
Date: November 14, 2011
Source: Vancouver Sun

Abstract: Canada is poised to spend nearly half a billion dollars to gain access to a constellation of U.S. air force satellites designed to foil foreign cyber attacks.

Global Mercury, as Canada’s $477 million share of the Wideband Global Satcom (WGS) network is to be known, will be immediately activated when a memorandum of understanding between the Department of National Defence and the U.S. air force is signed within the next few weeks.

"Our global security interests are not all protected by planes, ships and tanks. Some of the greatest threats are invisible, but real," Defence Minister Peter MacKay said after a visit to the Afghan capital to meet senior Afghan and NATO officials and some of the nearly 1,000 Canadian soldiers that began training Afghan security forces earlier this year as Ottawa’s 64-month combat mission in Kandahar ended.

Attempts by foreign governments to penetrate military and other government computer systems and those run by Canadian businesses were occurring "on an almost daily basis," according to a senior DND source.

MacKay did not name which countries Canada suspected of cyber attacks. However, it is widely believed that Russia and China are the leaders in this rapidly growing form of military and commercial espionage against the West.

"This is part of Canada’s effort to protect crucial information that we and commercial interests possess that have an effect on the economy," the minister said. "Because of where it is coming from, that’s why we are investing. We are spending a great deal of time studying how to protect our country against cyber attacks."

WGS was launched by the U.S. in 2007. When completed in 2018, the joint American-Australian initiative will have nine communications satellites each capable of handling massive amounts of bandwidth transmitting and exchanging secure data.

Cyber warfare was raised six weeks ago at the first meeting between MacKay and Leon Panetta, the new American secretary of defence. Panetta has, according to Reuters, said that "cyber is the battlefield of the future."

MacKay and the former director of the CIA are to meet again later this week at the Halifax International Security Forum.

Cyber security had not yet caught the attention of many Canadians "because it does not figure prominently in people’s lives," MacKay said. "It is very futuristic to speak of the cyber threat."

Another reason Canadians were generally unaware of the high number of cyber attacks against their country was that "you don’t give opponents your playbook," he said. "Speaking publicly about it does not necessarily improve our situation. Doing something about it does."

Among the other challenges that Canada faced was how to communicate much better in the Arctic, MacKay said. Radarsat 2 network has existed for several years but was in need of further upgrades, he said, including links between satellites and underwater sonar detection systems in the North and along Canada’s coastlines. The Department of Defence announced two years ago that it was to spend $25 million on such upgrades in a program known as Polar Epsilon.

Given the vastness of the High Arctic, drones, which are another emerging technology, "will figure prominently in our surveillance," MacKay said. "But we still have to determine the right platform."

Small unarmed surveillance drones known as ScanEagles had been tested for the first time three months ago in the Far North by the Royal Canadian Air Force. Canada’s first experience with flying larger unarmed drones in Afghanistan "had been instructive," although the flying conditions in the extreme heat of South Asia were much different than those found in northern Canada, MacKay said.

"The capability of drones goes up exponentially when you arm them like a fighter jet," he said. However, he noted that Canada was "investing in the F-35 (fighter jet) to cover that capability."

There has been much debate recently in the U.S. about the legality of using attack drones against suspected insurgents. Until now Canada has never acquired armed drones. However, Public Works Canada has alerted prospective manufacturers that if a project known as JUSTAS (Joint Uninhabited Surveillance and Target Acquisition System) is approved, Ottawa could spend more than $1 billion to purchase drones including attack drones.

"We are not yet at the discussion point about whether to proceed or not," with JUSTAS, MacKay said.

The media and political opposition have hounded MacKay and Canada’s top general, Walter Natynczyk, lately about the justification for some flights they have taken on military aircraft.

Brushing these sometimes personal attacks aside, MacKay said: "It doesn’t compare to the work our soldiers do each day and the stress their families are under. These are part of the trials and tribulations of public life. It pales beside the suffering of Master Corporal (Byron) Greff’s family."

Greff was the 158th Canadian soldier to die in Afghanistan. He was killed along with 15 Afghans, Americans and Britons when a suicide bomber struck the armoured bus that was transporting them between Afghan army and police training bases in Kabul last month (Vancouver Sun, 2011).

Title: US Joins NATO's Cyber Facility In Estonia
Date: November 16, 2011
Source: Sacramento Bee

Abstract: The United States has joined NATO's cyber defense research center in Estonia that works on ways to combat cyberattacks.

The multinational center was created in 2008 after Estonia's government and corporate computer networks came under attack the year before following a dispute with neighboring Russia.

The United States will help fund the center, and its scientists and cyber defense experts will be able to both study and teach at the center's premises in the Estonian capital Tallinn.

The U.S. Embassy in Estonia said Wednesday that Poland was also joining the center, which now will have 10 members.

Previously the United States held an observer status at the facility (Sacramento Bee, 2011).

Title: Department Of Defense Cyberspace Policy Report
Date: November 21, 2011
Source: Department of Defense

What constitutes use of force in cyberspace for the purpose of complying with the War Powers Act (Public Law 93-148).

The requirements of the War Powers Resolution apply to “the introduction of United States Armed Forces into hostilities or into situations where imminent involvement in hostilities is clearly indicated by the circumstances, and to the continued use of such forces in hostilities or in such situations.”

Cyber operations might not include the introduction of armed forces personnel into the area of hostilities. Cyber operations may, however, be a component of larger operations that could trigger notification and reporting in accordance with the War Powers Resolution. The Department will continue to assess each of its actions in cyberspace to determine when the requirements of the War Powers Resolution may apply to those actions (Department of Defense, 2011).

Title: The Business Cyber Security Summit 2011
Date: November 21-23, 2011
Source: Cyber Security Summit

Abstract: Cyber security is fast becoming a business critical issue for many organisations around the globe. Recent high profile cases including the IMF, Citigroup, Sony, Apple, and the UK Office of National Statistics highlight both the apparent vulnerability of these organisations and the highly damaging consequences of a successful cyber attack. It is estimated that a successful cyber attack on a large business can cost it an average of £690,000 and that an attack on a small and medium sized business can cost it an average of £55,000. However, as I am sure you are aware, the damage it can do to the reputation of a business in the eyes of its customers is incalculable.

The Business Cyber Security Summit 2011 brings together industry experts led by 5 C-Level Executives and 10 senior level IT Security Managers to discuss the latest solutions and strategies in order to combat this ever present danger and to ensure that your business is not paying the price for becoming the latest victim.

By attending this event you will be able to benchmark your existing security precautions against leaders within the field and network with CISOs, CIOs and Heads of IT Security who are addressing the same issues as you on a daily basis (Cyber Security Summit, 2011).

Title: Legal Expert Says Online Piracy Bill Is Unconstitutional
Date: December 11, 2011
Source: The Hill

Abstract: Laurence Tribe, a constitutional law expert at Harvard Law School, argues the Stop Online Piracy Act (SOPA) violates the First Amendment in a memo sent to members of Congress on Thursday.

The bill would empower the Justice Department and copyright holders to demand that search engines, Internet providers and payment processors cut ties with websites "dedicated" to copyright infringement.

Tribe argues the bill amounts to illegal "prior restraint" because it would suppress speech without a judicial hearing.

Additionally, the law's definition of a rogue website is unconstitutionally vague, Tribe writes. 

"Conceivably, an entire website containing tens of thousands of pages could be targeted if only a single page were accused of infringement," Tribe writes. "Such an approach would create severe practical problems for sites with substantial user-generated content, such as Facebook, Twitter, and YouTube, and for blogs that allow users to post videos, photos, and other materials."

He argues SOPA undermines the Digital Millennium Copyright Act of 1998, which protected websites from being held responsible for the actions of their users.  

The bill would "effectively require sites actively to police themselves to ensure that infringement does not occur," he writes.

Tribe concludes the result is that the law would chill protected and lawful speech. 

"The threat of such a cutoff would deter Internet companies from adopting innovative approaches to hosting and linking to third party content and from exploring new kinds of communication," he writes.

In a footnote, Tribe acknowledges that he was hired by the Consumer Electronics Association, which is lobbying against SOPA, but he adds, "The views expressed in this paper represent my own views as a scholar and student of the Constitution." 

A spokeswoman for the House Judiciary Committee Republicans pointed to a competing legal analysis by constitutional law expert Floyd Abrams.

In that paper, Abrams notes that the First Amendment does not protect copyright infringement and argues that the bill's protections are sufficient to not cause a chilling effect on protected speech.

"The Internet neither creates nor exists in a law-free zone, and copyright violations on the Internet are no more protected than they are elsewhere," Abrams writes.

He argues that SOPA's procedures for protecting legitimate speech are so strong "that complaints in this area seem not to really be with the bill, but with the Federal Rules of Civil Procedure itself, which govern all litigants in U.S. federal courts."

Abrams wrote the analysis on behalf of a coalition of movie and television associations which support the legislation (The Hill, 2011)

Title: NDAA Gives Pentagon Green Light To Wage Internet War
Date: December 15, 2011

In addition to kidnapping Americans and tossing them into Camp Gitmo without recourse or trial, the draconian NDAA bill passed in the House yesterday contains language that will allow the Pentagon to wage cyberwar on domestic enemies of the state.

The following language is in the final “reconciled” bill that will now travel to the Senate and ultimately Obama’s desk where it will be signed into law despite earlier assertions that he would veto the legislation:

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to–

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

In July, the Pentagon released its cybersecurity plan. It declared the internet a domain of war but did not specify how the military would use it for offensive strikes. The report claimed that hostile parties “are working to exploit DOD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DOD’s information infrastructure.” In addition, according to the Pentagon, “non-state actors increasingly threaten to penetrate and disrupt DOD networks and systems.”

“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” an official said prior to the release of the official document. “The US is vulnerable to sabotage in defense, power, telecommunications, banking. An attack on any one of those essential infrastructures could be as damaging as any kinetic attack on US soil,” Sami Saydjari, a former Pentagon cyber expert who now runs a consultancy called Cyber Defense Agency, told The Guardian in May.

The Pentagon and its contractors are overstating the case, writes Ryan Singel of Wired. “Despite mainstream news accounts, there’s been no documented hacking attacks on U.S. infrastructure designed to cripple it. A recent report from a post-9/11 intelligence fusion center that a water pump in Illinois had been destroyed by Russian hackers turned out to be baseless — and was simply a contractor logging in from his vacation at the behest of the water company,” Singel notes.

Singel also notes that the Pentagon is characterizing spying as an offensive act. Spying “isn’t an act of war — just ask the NSA and CIA, who spend billions of dollars a year spying on other countries by intercepting communications and persuading foreign citizens to give the U.S. valuable intelligence. It’s certainly an aggressive state action, and a diplomatic issue. But if spying was an act of war, every CIA agent hiding under diplomatic cover would count as cause for a country to attack the U.S.,” he writes.

The Pentagon has considered the internet enemy territory since it produced its Information Operations Roadmap in 2003. The document was released to the public after a Freedom of Information Request by the National Security Archive at George Washington University in 2006. The document declares the Pentagon will “fight the net” as it would a weapons system.

The document does not describe how the Pentagon will destroy the internet, but gradually degrade it.

“The internet is useful not only as a business tool but also is excellent for monitoring and tracking users, acclimatizing people to a virtual world, and developing detailed psychological profiles of every user, among many other Pentagon positives,” writes Brent Jessop. “But, one problem with the current internet is the potential for the dissemination of ideas and information not consistent with US government themes and messages, commonly known as free speech.”

The Pentagon war on manufactured and exaggerated cyber threats was expanded to include the private sector in 2010. “In a break with previous policy, the military now is prepared to provide cyber expertise to other government agencies and to certain private companies to counter attacks on their computer networks, the Pentagon’s cyber policy chief, Robert Butler, said Oct. 20,” Defense News reported. “An agreement signed this month with the Department of Homeland Security and an earlier initiative to protect companies in the defense industrial base make it likely that the military will be a key part of any response to a cyber attack.”

Under the new rules, the New York Times noted at the time, “the president would approve the use of the military’s expertise in computer-network warfare, and the Department of Homeland Security would direct the work.”

A caveat, however, was added to calm fears about further trashing of the Constitution. “Officials involved in drafting the rules said the goal was to ensure a rapid response to a cyberthreat while balancing concerns that civil liberties might be at risk should the military take over such domestic operations.”

After the NDAA is signed into law by Obama, he will have the authority to wage war against “domestic terrorists,” defined by the Department of Homeland Security as “rightwing extremists” and other anti-government types. As noted above, it will be the DHS that will “direct the work” against enemies of the state. It will work with the Pentagon to militarily neutralize the threat posed by activists and the alternative media.

In November, the DHS practiced its work by coordinating a nationwide police crackdown on the OWS movement. In the not too distant future, it may be using the Pentagon – now that Posse Comitatus is a dead letter – in its ongoing efforts to wage war on political opposition to the establishment (Infowars, 2011).

Title: Obama Defense Plan Details Heightened Global Cyber Danger
Date: January 9, 2012
Source: Computer World

US president Barack Obama has spoken of the drastically heightened cyber threat facing nations around the world, as he announced major changes to the American defence strategy.

As he appeared at the Pentagon last week to unveil the new defence strategy, Obama promised to focus closely on improving the technological capabilities of the US armed forces. "We will ensure that our military is agile, flexible and ready for the full range of contingencies," he said.

The US prioritisation of cyber security comes as Israel's deputy foreign minister compared a recent cyber-attack, in which credit card accounts were compromised, to a terrorist act.

The US, in its strategy, said it was stepping up spending on national cyber security, even though it is slashing the overall defence budget and the number of on-the-ground military personnel under the strategy. The cuts in personnel are aimed at achieving $450 billion (£290 billion) in Pentagon savings over the next decade.

The strategy document focused closely on the potentially severe online threats to America.

"Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland," said the Sustaining Global Leadership document.

In the document, the Department of Defense warned that "sophisticated adversaries" will use "asymmetric capabilities, to include electronic and cyber warfare, ballistic and cruise missiles, advanced air defenses, mining, and other methods, to complicate our operational calculus".

"Our planning envisages forces that are able to fully deny a capable state's aggressive objectives in one region by conducting a combined arms campaign across all domains – land, air, maritime, space, and cyberspace."

The strategy document also shed light on how highly the Department of Defense views the importance of establishing a more advanced high-tech communications infrastructure for the US forces. "Modern armed forces cannot conduct high-tempo, effective operations without reliable information and communication networks and assured access to cyberspace and space," it said.

Secretary of defense, Leon Panetta, said that even though the US is cutting its overall defence budget, "we will protect, and in some cases increase, our investments in special operations forces, in new technologies like ISR and unmanned systems, in space - and, in particular, in cyberspace" (Computer World, 2012).

Title: Draft Cyber Bill Gives DHS Controversial Authorities
Date: January 13, 2012
Source: Federal News Radio

The draft version of the comprehensive cybersecurity bill could give the Homeland Security Department the ability to take "any lawful action" against contractors if their systems are under attack.

Bob Dix, a former staff director for the House Oversight and Government Reform Committee and now vice president government affairs and critical infrastructure protection for Juniper Networks, said that could mean taking over a vendor's system that contains federal data.

"There's some concern about what would be the criteria about that and how it would be the government has the ability under a provision of lawful action to take over a system used by an agency even if it's owned by a contractor," Dix said. "I am worried about the notion that suggests the government would have the authority under law to be able to take over systems of contractors if they view them as having vulnerabilities even if only a small percentage of that is government utilization."

The provision Dix is talking about is in Section 3553 of the bill's Federal Information Security Management Act (FISMA) Reform section.

The draft bill, obtained by Federal News Radio, would give the secretary of DHS the ability to "direct officials of agencies that own, operate, lease or otherwise control an information system, including information systems used or operated by another entity, including contractors, on behalf of a federal agency, to take any lawful action with respect to the operation of such information system for the purpose of protecting that information system from or mitigating a cybersecurity threat."

Dix said FISMA needs to be updated and several of the changes in the draft bill are good, but this provision goes too far.

Different Interpretation
Not everyone reads the provision the same as Dix.

James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), said Dix's interpretation is a bit extreme.

"I think it's more they could direct the contractors to take action," he said. "I see this more of as an ability to direct action than actually assuming control."

He said bills such as this one must include broad language to be implemented successfully.

"You either can try and define prescriptively every single example and those tend to be unworkable, or you have to settle for phrases such as any lawful action," Lewis said. "That doesn't bother me as much. Over time should that authority ever be exercised, they would figure out what that meant. But I think it's the kind of language that actually points to not taking control of contractor systems. I'm still not sure that would be lawful."

He added the language also fits in with the larger effort to reinforce DHS' authorities under FISMA. The Obama administration gave DHS more authority and responsibility under FISMA in July 2010.

The Senate promised to take up the comprehensive cyber bill early on in the 2012 session. The House has not publicly committed to take up a comprehensive bill.

Senate lawmakers have been trying to update FISMA for the last three years.

Sen. Tom Carper (D-Del.) introduced a bill to update the 2002 law in 2008 and held out hope each successive year, but couldn't get enough traction. Rep. Diane Watson (D-Calif.) introduced a version of the FISMA update in 2010, but again, it got nowhere.

Watson also tried to add a FISMA update to the 2010 Defense Authorization bill. But the provisions were not included in the final law.

Similar to other FISMA Reform Efforts
The FISMA reform in the latest bill looks similar to other efforts, Lewis said.

It codifies the oversight authority for DHS to issue policies, set standards, training requirements, conduct risk assessments and receive reports on agency compliance.

The reform bill also would update agency and chief information officer responsibilities, including ensuring cybersecurity is integrated with agency strategic and operational planning processes and developing and maintaining a risk management strategy.

Alan Paller, the director of research at the SANS Institute, has been an outspoken critic of the paperwork part of FISMA. He said the continuous monitoring language is most important in the reform bill.

"I think the key is the report language. There needs to be two or three examples in the report language that comes out with the bill so there is no question," Paller said. "The key people in this whole thing are the inspectors general. If they misinterpret it so the security people think they are supposed to do one thing and the inspectors general think they are supposed to write reports, which has been happening for the last 10 years, then you will get a lot of wasted reports. The key is the inspectors general understand exactly what was meant for continuous monitoring, meaning automated, online monitoring of every device on the network. If that is in the report language, that is good enough."

While the provision that could give DHS the ability to take over contractor systems is one controversial piece, it's what's in the section about critical infrastructure that could stop the bill in its tracks.

Juniper's Dix said his and others' concerns over the critical infrastructure section stem from the government getting too much oversight authority in specific areas. He said one provision would create additional regulatory regimes but not target the real cyber issues, which are the control systems of critical infrastructure providers.

The other area concerns assessing the risk management of critical infrastructure vendors.

"I don't think that is the role of the government," Dix said. "I don't think it's proper for the government to tell me and my company how best to manage the risk on behalf of my customers, my internal organization and my shareholders. I believe we do a pretty good job of that, and I think most people across the community do a pretty good job of that at this point in time."

Dix said there absolutely is room for improvement and places industry can improve upon, but it must come through a collaborative process. He pointed to the current effort with DHS through the Critical Infrastructure Coordinating Councils.

Dix said lawmakers in the House seem to understand this approach, but the Senate isn't getting it as quickly.

Critical Infrastructure in Most Need of Cyber Help
CSIS' Lewis said if the critical infrastructure section of the bill doesn't pass, the rest of the bill isn't worth much because this is the one area that needs the most attention.

Lewis said the bill does call for a collaborative process but there needs to be a way for DHS to make sure the standards are being met.

"The problem with voluntary, it doesn't work. We don't have to prove that anymore," Lewis said. "And when anyone says we can rely on a voluntary approach, you may want to smell their breath. That is the crux of the matter. Can we create standards and hold companies to them? We have to recognize this has to be a very light touch, it has to be collaborative and it has to differ from sector to sector. That is the crucial point for me."

Along with FISMA and critical infrastructure, the bill includes two other sections, codifying DHS operational and oversight authorities and creating an Office of National Cyberspace Policy with a Senate-confirmed director.

"There is a real desire to do something in both parties," Lewis said. "They want to show this is not a do-nothing Congress and this is an important bill and if they can pass it, it would be an achievement that they would be proud of. The other thing I've heard is there is a real push from opponents of the bill to neutralize it and to pass the easy parts and leave out anything meaningful and come back at some point in the future. The odds are good we will get something, but whether it is something useful it remains to be seen" (Federal News Radio, 2012).

Title: Bigger US Role Against Companies' Cyberthreats?
Date: February 6, 2012
Source: Fox News

Abstract: A developing Senate plan that would bolster the government's ability to regulate the computer security of companies that run critical industries is drawing strong opposition from businesses that say it goes too far and security experts who believe it should have even more teeth.

Legislation set to come out in the days ahead is intended to ensure that computer systems running power plants and other essential parts of the country's infrastructure are protected from hackers, terrorists or other criminals. The Department of Homeland Security, with input from businesses, would select which companies to regulate; the agency would have the power to require better computer security, according to officials who described the bill. They spoke on condition of anonymity because lawmakers have not finalized all the details.

Those are the most contentious parts of legislation designed to boost cybersecurity against the constant attacks that target U.S. government, corporate and personal computer networks and accounts. Authorities are increasingly worried that cybercriminals are trying to take over systems that control the inner workings of water, electrical, nuclear or other power plants.

That was the case with the Stuxnet computer worm, which targeted Iran's nuclear program in 2010, infecting laptops at the Bushehr nuclear power plant.

As much as 85 percent of America's critical infrastructure is owned and operated by private companies.

The emerging proposal isn't sitting well with those who believe it gives Homeland Security too much power and those who think it's too watered down to achieve real security improvements.

One issue under debate is how the bill narrowly limits the industries that would be subject to regulation.
Summaries of the bill refer to companies with systems "whose disruption could result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security capabilities."

Critics suggest that such limits may make it too difficult for the government to regulate those who need it.

There are sharp disagreements over whether Homeland Security is the right department to enforce the rules and whether it can handle the new responsibilities. U.S. officials familiar with the debate said the department would move gradually, taking on higher priority industries first.

"The debate taking place in Congress is not whether the government should protect the American people from catastrophic harms caused by cyberattacks on critical infrastructure, but which entity can do that most effectively," said Jacob Olcott, a senior cybersecurity expert at Good Harbor Consulting.

Under the legislation, Homeland Security would not regulate industries that are under the authority of an agency, such as the Nuclear Regulatory Commission, with jurisdiction already over cyber issues.

"Where the market has worked, and systems are appropriately secure, we don't interfere," said Sen. Joe Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs Committee. "But where the market has failed, and critical systems are insecure, the government has a responsibility to step in."

The bill, written largely by the Senate Commerce, Science and Transportation Committee and the Senate homeland panel, is also notable for what it does not include: a provision that would give the president authority to shut down Internet traffic to compromised Web sites during a national emergency. This "kill switch" idea was discussed in early drafts, but drew outrage from corporate leaders, privacy advocates and Internet purists who believe cyberspace should remain an untouched digital universe.

While the Senate is pulling together one major piece of cybersecurity legislation, the House has several bills that deal with various aspects of the issue.

A bill from a House Homeland Security subcommittee doesn't go as far as the Senate's in setting the government's role. Still, it would require DHS to develop cybersecurity standards and work with industry to meet them.

"We know voluntary guidelines simply have not worked," said Rep. Jim Langevin, D-R.I. "For the industries upon which we most rely, government has a role to work with the private sector on setting security guidelines and ensuring they are followed."

Stewart Baker, a former assistant secretary at Homeland Security, said the government must get involved to force companies to take cybersecurity more seriously.

Concerns about federal involvement, he said, belie the fact that computer breaches over the past several years make it clear that hackers and other governments, such as China and Russia, are already inside many industry networks.

"They already have governments in their business, just not the U.S.," said Baker. "For them to say they don't want this suggests they don't really understand how bad this problem is."

Industry groups have lobbied against the Senate bill's regulatory powers and say new mandates will drive up costs without increasing security.

They say businesses are trying to secure their networks and need legal protections built into the law so they can share information with authorities without risking antitrust or privacy violations.

In a letter to lawmakers this past week, the U.S. Chamber of Commerce said any additional regulations would be counterproductive and force businesses to shift their focus from security to compliance.

Liesyl Franz, a vice president at TechAmerica, which represents about 1,200 companies, said businesses would prefer to work with the government to enhance security rather than face more regulations. She said companies coping with the potential security risks, market consequences, and damage to corporate reputations, are defending against cyberthreats.

Senior national security officials were on Capitol Hill last week to talk to senators about the growing cybersecurity threat. After the meeting, Sen. Susan Collins, R-Maine, said she's always had a sense of urgency about it, adding, "I hope the briefing gives that same sense of urgency to members to put aside turf battles."

She said senators are reviewing concerns raised by the Chamber about the bill (Fox News, 2012).

Title: BBC: Let’s Kill the Internet And Start Over
Date: February 18, 2012
Source: Prison Planet

Viewpoint: The internet is broken – we need to start over … Last year, the level and ferocity of cyber-attacks on the internet reached such a horrendous level that some are now thinking the unthinkable: to let the internet wither on the vine and start up a new more robust one instead. On being asked if we should start again, many – maybe most – immediately argue that the internet is such an integral part of our social and economic fabric that even considering a change in its fundamental structure is inconceivable and rather frivolous. I was one of those. However, recently the evidence suggests that our efforts to secure the internet are becoming less and less effective, and so the idea of a radical alternative suddenly starts to look less laughable. – BBC/ Prof Alan Woodward, Department of Computing, University of Surrey

Dominant Social Theme: Look, can we talk? The Internet is paedophiles’ best friend and a virus manufacturer besides. If we get rid of it, we’ll all be a lot safer. And especially the children. Good Lord, the children! The children!

Free-Market Analysis: It is clear to us by now that the Anglosphere power elite is increasingly desperate to shut down the Internet any way it can. This article posted at the BBC (whether or not the author understands he’s been enlisted on behalf of a larger Western elite agenda) is a good example of a sub dominant social theme within the context of this aim.

The power elite wants to run the world, and what we call the Internet Reformation has badly dented their plans. How does one run a secret, super-duper conspiracy to create a New World Order when one’s every move is plastered on the Internet the very next day?

It’s next to impossible. The elites have invested heavily in making their global operations “user friendly.” They’ve tried to pretend that increasingly authoritarian Western governments and global facilities such as the IMF and UN have agendas that are entirely supportive of human rights and individual prosperity.

Nothing could be further from the truth. What the Internet has shown us with increasing clarity over this past decade is that Western banking elites and their enablers and associates will stop at nothing in their quest for ultimate power.

They wish for one-world government (the UN), a one-world military (NATO), a one-world court (the recently formed Soros-sponsored International Criminal Court), a one-world central bank (the IMF), etc.

The exposure of the elite’s goals and its methodologies – its dependence on the corrupt counterfeiting practices of central banks for the trillion-dollar torrents of capital necessary to build world government – has led to an upswell of indignation and scrutiny around the world.

As a result, many of the elite’s dominant social themes are beginning to founder and fail. The elites had high hopes apparently for installing a carbon currency around the world based on the fraudulent message of global warming. But the Internet helped reveal emails that exposed the fraud.

The so-called war on terror has long been revealed to be both fraudulent and unpopular. Creating a so-called long war to generate the kind of chaos that is necessary to move the world toward global governance is perhaps a good idea from an elite standpoint … but not one that has worked out well.

As elite memes have degraded, the attacks on the Internet have stepped up. This article from the BBC is a good example of the kind of spurious justifications that are now being put forward to create a groundswell of support for the removal of a (somewhat) free and independent Internet.

We need to understand the root of the problem. In essence, the internet was never intended to be a secure network. The concept was developed by the Defense Advanced Research Projects Agency (Darpa) as a means of allowing a distributed computer system to survive a nuclear attack on the US. Those who designed the Internet Protocol (IP) did not expect that someone might try to intercept or manipulate information sent across it.

As we expanded our use of the internet from large, centralised computers to personal computers and mobile devices, its underlying technology stayed the same. The internet is no longer a single entity but a collection of ‘things’ unified by only one item – IP – which is now so pervasive that it is used to connect devices as wide-ranging as cars and medical devices …

While not a popular view, I think that the current internet can only survive if adequate global governance is applied and that single, secure technology is mandated. This is obviously fraught with the much rehashed arguments about control of the internet, free speech, and so on. Then there is the Herculean task of achieving international agreement and a recognised and empowered governance body …

I think the answer lies somewhere in the middle. We can have areas of the internet that are governed by a global body and run on technologies which are inherently secure, and we can have areas which are known to be uncontrolled. They can coexist using the same physical networks, personal computers and user interface to access both but they would be clearly segregated such that a user would have to make a clear choice to leave the default safe zone and enter what has been described as “the seediest place on the planet”.

This article is composed within the parameters of a typical elite dominant social theme. These are the promotional memes that the elites use to create ever-more authoritarian government. The idea is to frighten people into giving up control to specially prepared globalist entities.

In this case, the Internet itself is presented as a scary place, “the seediest place on the planet.” It is not, of course. It is, at root, simply a collection of electrons, and most of the abuses of privacy are likely taking place at the behest of Western intelligence agencies.

This is the part of the story that Dr. Woodward leaves out. Whether it is Facebook, Google, YouTube or Yahoo, US, European and British Intel agencies have apparently penetrated every part of these electronic facilities and are aggressively (and usually illegally) mining personal data from them.

One could make the argument, in fact, that without the intelligence abuses, the Internet would not have nearly so many difficulties. The chances are that many of its vulnerabilities were put in place by the very agencies that now claim the Internet is an unsafe place.

How the Internet’s electrons came to be characterized as “unsafe” is a puzzle we will leave to future historians. But what is more certain to us is that the Internet Reformation is beginning to have a significant impact on the elites and their plans for a New World Order.

Articles like this one, when combined with recent US legislation aimed at shutting down the current Internet using the tool of copyright violations, begin to provide us with a sense of the panic that the elites must be currently feeling about the exposure of their activities.

Conclusion: It also seems to confirm our hunch that the Internet was not some sort of elite plot to impose technological dominance on people but a Hayekian example of spontaneous social order. The old men who must run the affairs of the Anglosphere elites apparently didn’t see it coming and still have no idea what to do about it (Prison Planet, 2012).

Title: The U.N. Threat To Internet Freedom
Date: February 21, 2012

On Feb. 27, a diplomatic process will begin in Geneva that could result in a new treaty giving the United Nations unprecedented powers over the Internet. Dozens of countries, including Russia and China, are pushing hard to reach this goal by year's end. As Russian Prime Minister Vladimir Putin said last June, his goal and that of his allies is to establish "international control over the Internet" through the International Telecommunication Union (ITU), a treaty-based organization under U.N. auspices.

If successful, these new regulatory proposals would upend the Internet's flourishing regime, which has been in place since 1988. That year, delegates from 114 countries gathered in Australia to agree to a treaty that set the stage for dramatic liberalization of international telecommunications. This insulated the Internet from economic and technical regulation and quickly became the greatest deregulatory success story of all time.

Since the Net's inception, engineers, academics, user groups and others have convened in bottom-up nongovernmental organizations to keep it operating and thriving through what is known as a "multi-stakeholder" governance model. This consensus-driven private-sector approach has been the key to the Net's phenomenal success.

In 1995, shortly after it was privatized, only 16 million people used the Internet world-wide. By 2011, more than two billion were online—and that number is growing by as much as half a million every day. This explosive growth is the direct result of governments generally keeping their hands off the Internet sphere.

Net access, especially through mobile devices, is improving the human condition more quickly—and more fundamentally—than any other technology in history. Nowhere is this more true than in the developing world, where unfettered Internet technologies are expanding economies and raising living standards.

Farmers who live far from markets are now able to find buyers for their crops through their Internet-connected mobile devices without assuming the risks and expenses of traveling with their goods. Worried parents are able to go online to locate medicine for their sick children. And proponents of political freedom are better able to share information and organize support to break down the walls of tyranny.

The Internet has also been a net job creator. A recent McKinsey study found that for every job disrupted by Internet connectivity, 2.6 new jobs are created. It is no coincidence that these wonderful developments blossomed as the Internet migrated further away from government control.

Today, however, Russia, China and their allies within the 193 member states of the ITU want to renegotiate the 1988 treaty to expand its reach into previously unregulated areas. Reading even a partial list of proposals that could be codified into international law next December at a conference in Dubai is chilling:

• Subject cyber security and data privacy to international control;

• Allow foreign phone companies to charge fees for "international" Internet traffic, perhaps even on a "per-click" basis for certain Web destinations, with the goal of generating revenue for state-owned phone companies and government treasuries;

• Impose unprecedented economic regulations such as mandates for rates, terms and conditions for currently unregulated traffic-swapping agreements known as "peering";

• Establish for the first time ITU dominion over important functions of multi-stakeholder Internet governance entities such as the Internet Corporation for Assigned Names and Numbers, the nonprofit entity that coordinates the .com and .org Web addresses of the world;

• Subsume under intergovernmental control many functions of the Internet Engineering Task Force, the Internet Society and other multi-stakeholder groups that establish the engineering and technical standards that allow the Internet to work;

• Regulate international mobile roaming rates and practices.

Many countries in the developing world, including India and Brazil, are particularly intrigued by these ideas. Even though Internet-based technologies are improving billions of lives everywhere, some governments feel excluded and want more control.

And let's face it, strong-arm regimes are threatened by popular outcries for political freedom that are empowered by unfettered Internet connectivity. They have formed impressive coalitions, and their efforts have progressed significantly.

Merely saying "no" to any changes to the current structure of Internet governance is likely to be a losing proposition. A more successful strategy would be for proponents of Internet freedom and prosperity within every nation to encourage a dialogue among all interested parties, including governments and the ITU, to broaden the multi-stakeholder umbrella with the goal of reaching consensus to address reasonable concerns. As part of this conversation, we should underscore the tremendous benefits that the Internet has yielded for the developing world through the multi-stakeholder model.

Upending this model with a new regulatory treaty is likely to partition the Internet as some countries would inevitably choose to opt out. A balkanized Internet would be devastating to global free trade and national sovereignty. It would impair Internet growth most severely in the developing world but also globally as technologists are forced to seek bureaucratic permission to innovate and invest. This would also undermine the proliferation of new cross-border technologies, such as cloud computing.

A top-down, centralized, international regulatory overlay is antithetical to the architecture of the Net, which is a global network of networks without borders. No government, let alone an intergovernmental body, can make engineering and economic decisions in lightning-fast Internet time. Productivity, rising living standards and the spread of freedom everywhere, but especially in the developing world, would grind to a halt as engineering and business decisions become politically paralyzed within a global regulatory body.

Any attempts to expand intergovernmental powers over the Internet—no matter how incremental or seemingly innocuous—should be turned back. Modernization and reform can be constructive, but not if the end result is a new global bureaucracy that departs from the multi-stakeholder model. Enlightened nations should draw a line in the sand against new regulations while welcoming reform that could include a nonregulatory role for the ITU.

Pro-regulation forces are, thus far, much more energized and organized than those who favor the multi-stakeholder approach. Regulation proponents only need to secure a simple majority of the 193 member states to codify their radical and counterproductive agenda. Unlike the U.N. Security Council, no country can wield a veto in ITU proceedings. With this in mind, some estimate that approximately 90 countries could be supporting intergovernmental Net regulation—a mere seven short of a majority.

While precious time ticks away, the U.S. has not named a leader for the treaty negotiation. We must awake from our slumber and engage before it is too late. Not only do these developments have the potential to affect the daily lives of all Americans, they also threaten freedom and prosperity across the globe (WSJ, 2012).

Title: Mock Cyber Attack On New York Used By Obama To Pitch Senate Bill
Date: March 8, 2012

Abstract: The Obama administration simulated a cyber attack on New York City’s power supply in a Senate demonstration aimed at winning support for legislation to boost the nation’s computer defenses.

Senators from both parties gathered behind closed doors in the U.S. Capitol yesterday for the classified briefing attended by Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller and other administration officials.

The mock attack on the city during a summer heat wave was “very compelling,” said Senator Susan Collins, a Maine Republican who is co-sponsoring a cybersecurity bill supported by President Barack Obama. “It illustrated the problem and why legislation is desperately needed,” she said as she left the briefing.

U.S. lawmakers are debating cybersecurity legislation following assaults last year on companies including New York-based Citigroup Inc. (C), the third-largest U.S. bank by assets, and Bethesda, Maryland-based Lockheed Martin Corp. (LMT), the world’s largest defense company.

The attacks have increased concern that computer networks operated by U.S. banks, power grids and telecommunications companies may be vulnerable to hacking or viruses that may cause loss of life or inflict widespread economic harm.

The Obama administration is backing a Senate measure introduced on Feb. 14 by Collins and Senator Joe Lieberman, a Connecticut independent, that would direct the Homeland Security Department to set cybersecurity regulations for companies deemed critical to U.S. national and economic security.

Competing Bill
A competing Senate bill from eight Republicans including John McCain of Arizona and Kay Bailey Hutchison of Texas would avoid new rules while promoting information sharing through incentives such as protection from lawsuits. Representative Mary Bono Mack, a California Republican, is preparing to introduce similar legislation in the House.

Senator Roy Blunt, a Missouri Republican, called yesterday’s demonstration “helpful because it got a whole bunch of senators thinking about the same thing at the same time.” He said the exercise didn’t sway him to support either of the Senate bills.

After the briefing, Hutchison cited similarities in the two Senate measures while criticizing the “big new bureaucracy and regulatory scheme” in the Obama-backed legislation.

The simulated attack “was intended to provide all senators with an appreciation for new legislative authorities that could help the U.S. government prevent and more quickly respond to cyber attacks,” Caitlin Hayden, a White House spokeswoman, said in an e-mail after the briefing.

‘Disastrous’ Effects
A cyber attack leaving New York without power for a prolonged time could have “disastrous” effects, potentially severing communications, crashing life-saving medical equipment and destroying networks that run financial institutions, according to Lawrence Ponemon, chairman of the Ponemon Institute LLC, a research firm based in Traverse City, Michigan.

“I would project that you would have literally thousands of people dying,” Ponemon said in an interview. “A cyber attack on electrical grids that was sustained for three to four weeks would be like returning to the dark ages.”

A blackout that swept parts of North America in August 2003 left 50 million people in the dark for as long as four days. Hackers could cause blackouts “on the order of nine to 18 months” by disabling critical systems such as transformers, said Joe Weiss, managing director of Applied Control Solutions LLC, a Cupertino, California-based security consulting company.

“The dollars are incalculable,” Weiss said. The 2003 event, triggered when a power line touched tree branches in Ohio, caused losses of as much as $10 billion, according to a study by the U.S. and Canadian governments.

Internet Providers Object
Internet-service providers, including AT&T Inc. (T) and Comcast Corp. (CMCSA), opposed new cybersecurity regulations at a House hearing yesterday. The companies said they prefer measures to improve voluntary sharing of information about cyberthreats.

Government-imposed rules could impede innovation, the Internet providers said in testimony to a House Energy and Commerce subcommittee.

“Such requirements could have an unintended stifling effect on making real cybersecurity improvements,” Edward Amoroso, chief security officer for Dallas-based AT&T, said in testimony at the hearing. “Cyber adversaries are dynamic and increasingly sophisticated, and do not operate under a laboriously defined set of rules or processes.”

AT&T is the second-largest U.S. wireless carrier. Philadelphia-based Comcast, the leading U.S. cable provider, and Monroe, Louisiana-based CenturyLink Inc. (CTL) expressed similar views in their prepared testimony.

Senate Majority Leader Harry Reid, a Nevada Democrat, has said he wants to bring the Lieberman-Collins bill to the chamber’s floor for a vote as soon as possible, though he hasn’t given a date. The measure is co-sponsored by Democrats Jay Rockefeller of West Virginia and Dianne Feinstein of California.

The Lieberman-Collins bill is S. 2105 and the McCain bill is S. 2151 (Bloomberg, 2012)

Title: McCain: Cybersecurity Bill Ineffective Without NSA Monitoring The Net
Date: February 16, 2012

Abstract: After three years of haggling to produce bipartisan cybersecurity legislation that addresses the security of the nation’s critical infrastructure systems, the Senate finally got a bill this week that seemed destined to actually pass.

That is, until a hearing on Thursday to discuss the bill in which Sen. John McCain (R-Arizona) sideswiped lawmakers behind the proposed legislation and announced that he, and seven other Senate ranking members, were opposed to the bill and would be introducing a competing bill in two weeks to address failings they see in the legislation.

McCain and his colleagues oppose the current bill on the grounds that it would give the Department of Homeland Security regulatory authority over private businesses that own and operate critical infrastructure systems and that it doesn’t grant the National Security Agency, a branch of the Defense Department, any authority to monitor networks in real-time to thwart cyberattacks.

The bill neglects to give authority “to the only institutions currently capable of [protecting the homeland], U.S. Cybercommand and the National Security Agency (NSA),” McCain said in a written statement presented at the hearing. “According to [General Keith Alexander, the Commander of U.S. Cybercommand and the Director of the NSA] in order to stop a cyber attack you have to see it in real time, and you have to have those authorities…. This legislation does nothing to address this significant concern and I question why we have yet to have a serious discussion about who is best suited to protect our country from this threat we all agree is very real and growing.”

The current cybersecurity bill proposes to do what nothing else has succeeded in doing to date – that is, improve the security of critical infrastructure systems. It would do this by giving the government regulatory power over companies that operate such systems to force them to do due diligence.

Sen. Joe Lieberman (I-Conn.) introduced the legislation on Tuesday along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.).

The Cybersecurity Act of 2012 (.pdf) requires the government to assess which sectors of critical infrastructure pose the greatest immediate risk and gives the Department of Homeland Security regulatory authority over the private companies that control designated critical infrastructure systems — such as telecommunications networks and electric grids and any other network “whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life.”

The bill keeps the authority for critical infrastructure security oversight in the hands of DHS, a civilian agency, as opposed to McCain’s preference for the NSA, which protects the military’s networks and the government’s classified networks.

But Homeland Security head Janet Napolitano testified in support of enhanced authority for DHS, noting that the government’s expanding efforts in this area include a 2013 budget request of a whopping $769 million for cybersecurity efforts – 74 percent higher than 2012’s budget request.

The legislation would require owners and operators of critical infrastructure to meet security standards established by the National Institute of Standards and Technology, the National Security Agency and other designated entities, or face unspecified civil penalties. Critical infrastructure entities would be allowed to determine how best to meet the standards based on the nature of their business sector, but they would be required to certify annually that they do meet them.

The bill would protect entities that adhere to the standards from being sued in civil court for punitive damages should they experience a cyber-attack, though the bill says nothing about protecting them from suits for actual damages.

Critical infrastructure owners and operators can “self-certify” that they are compliant or obtain an audit from a third-party, similar to the way that companies that process credit and debit card payments currently obtain third-party audits certifying that they adhere to standards set by the payment card industry.

This raises questions, however, about how effective such certifications will be for securing critical infrastructure.

Certifications in the payment card industry have been widely criticized as ineffective since third-party auditors that certify systems against a checklist of requirements are paid to do so and have an incentive to pass a system lest they not be invited back to conduct subsequent assessments. A number of the most high-profile and expensive credit card data breaches have occurred at companies that were certified compliant at the time they were breached, highlighting the unreliability of such measurements.

Chris Wysopal, chief technology officer for computer security firm VeraCode, expressed doubts that the proposed legislation would improve security unless it included some tangible way to verify that the standards, as implemented by companies, are actually tested to ensure that they secure critical facilities.

“There has to be some reality-based testing of whether the stuff is actually effective,” Wysopal told Wired. “That’s what the U.S. government does when they want real assurance – they have a Red Team at the NSA test to see if what they’re doing is really working.”

He suggested the government might take a random sampling of critical infrastructure companies each year to conduct penetration tests to verify that the standards – and the ways that companies are implementing them – are doing what they’re meant to do.

Wysopal also says that for the standards to be effective they have to be re-assessed each year and altered to adapt to new threats.

“We’re dealing with a very evolving tech landscape and threat landscape,” he said. “Attackers change their attacks all the time, and anything that’s a standard has to be a totally living standard that people realize they will have to re-address each year” (Wired, 2012).

Title: CISPA: Cybersecurity Bill Authors Defend Legislation Against 'Privacy Disaster' Claims
Date: April 10, 2012
Huffington Post

Abstract: Authors of a cybersecurity bill sought to rebut criticisms on Tuesday from civil liberties groups who say the legislation does not protect consumers from having their private data shared with the government.

The Cyber Intelligence Sharing and Protection Act, or CISPA, sponsored by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), seeks to give businesses and the federal government legal protection to share cyber threats with each other in an effort to thwart hackers.

Currently, they do not share that data because the information is classified and companies fear violating anti-trust law.

But privacy and civil liberties groups say the bill's definition of the consumer data that can be shared with the government is overly broad, and once the data is shared, the government could use that information for other purposes -- such as investigating or prosecuting crimes -- without needing to obtain a warrant. They also criticize the legislation for not requiring companies to make customer information anonymous before sharing it with the government.

Michelle Richardson, a legislative counsel at the American Civil Liberties Union, called the bill "a privacy disaster" and "a new backdoor around the Fourth Amendment."

"This is a whole new surveillance program," she told The Huffington Post.

The bill's authors say the legislation bars the government from using the information for other purposes "unless a significant cybersecurity or national security purpose exists." But they said the government should not be restricted in how it uses the data in case it includes evidence of a terrorist plot or child pornography.

They added that the bill includes adequate measures to protect privacy and civil liberties, such as calling for an inspector general to conduct annual audits on how the data is being used.

Rogers described his bill as "non-invasive" and "very limiting."

"This is just about sharing bad information and malicious software and code to allow the private sector to better protect themselves," Rogers told reporters in a conference call Tuesday morning.

The Obama administration declined to comment about the bill. But in a statement, Caitlin Hayden, a spokeswoman for the National Security Council, said "we would encourage the Congress to craft information sharing legislation carefully with robust protections to safeguard civil liberties and privacy."

Despite concerns, Rogers' bill has widespread bipartisan support, with more than 100 co-sponsors in the House and letters of support from the U.S. Chamber of Commerce and several major technology companies, including Facebook and Microsoft.

In December, the bill sailed through the House Intelligence Committee by a vote of 17 to 1 -- just one day after it was introduced.

The House is expected to vote on the bill the week of April 23.

Thus far, more than 40 cybersecurity bills have been unveiled on Capitol Hill, emerging from a wide range of committees, including Commerce, Foreign Affairs, Intelligence and Homeland Security. But the fate of the bills remains uncertain.

In the Senate, competing bills have been introduced amid differences over whether the Department of Homeland Security should be given power to enforce cybersecurity standards at private companies, which own and operate 85 percent of critical infrastructure.

Senate Majority Leader Harry Reid (D-Nev.) has said he plans to bring the legislation to the Senate floor for a vote in coming weeks.

Rogers and Ruppersberger also sought to refute what they said were false allegations spreading online that the bill is similar to SOPA, a controversial anti-piracy bill that was scuttled earlier this year after widespread Internet protests arguing the bill would censor the web.

Over the weekend, the hacker group Anonymous claimed credit for cyberattacks that briefly crashed the websites of the USTelecom and TechAmerica in retaliation for the trade groups' support of Rogers' cybersecurity legislation.

The hacker group said in a video that despite the defeat of SOPA earlier this year, Rogers' bill was "a new threat" and those who support it have become "sworn enemies of Anonymous."

Rogers said his bill has nothing in common with SOPA.

"They're comparing apples and oranges," Rogers said of Anonymous. The two bills "are so completely different there is absolutely no comparison" (Huffington Post, 2012)

Title: DHS, CYBERCOM: Government And Private Sector “Must” Share Data To Prevent Cyber Threats
Date: May 27, 2012

Abstract: The takeover of the Internet is literally a fascist partnership between Google, the NSA, US CYBERCOM and other key entities. In recent weeks, a court refused to disclose the links between Google and the NSA, but obviously it confirms the important bleed over that has long been documented and exposed.

General Keith Alexander, head of both the NSA & CYBERCOM, who meets annually at Bilderberg with the likes of Google’s Eric Schmidt, Microsoft’s Craig J. Mundie (and former CEO Bill Gates), Facebook’s founders & funders and others, recently testified to the Senate Armed Services Committee about US CYBER COMMAND’s mission.

Gen. Alexander endorsed the Department of Homeland Security’s Blueprint for a Cyber Secure Future, which he helped write and give feedback on. “We welcome and support new statutory authorities for DHS that would ensure this information sharing takes place; an important reason why cyber legislation that promotes this sharing is so important to the nation.”

Alexander further stated, “Foundational to [CYBERCOM's mission] is the information sharing that must go on between the federal government and private sector, and within the private sector, while ensuring measures and oversight to protect privacy and preserve civil liberties.” Aside from the recognition of civil liberties that is merely for public consumption, this is a stark admission of the massive data theft that has been going on unchecked for some time.

Such data mining, along with “identity-based access controls to services” (eerily close to fellow Bilderberger Neelie Kroes, of the EU Commission), would supposedly allow the prevention and detection of cyber crimes, hack attacks and any plans for “big” events like a (cyber) terror attack. To prepare for such paralyzing and potentially catastrophic events, CYBERCOM has done what it does best – go on the offensive. Information Week reports:

National Security Agency director and Cyber Command commander Gen. Keith Alexander said in October that “the advantage is on the offense” regarding cyber, and that the government should in some cases go after botnets and other malicious actors. Then, in November, the Defense Advanced Research Projects Agency (DARPA) for the first time publicly discussed the fact that it was doing research into offensive cyber capabilities.

Gen. Alexander further bragged about CYBERCOM’s first major tactical exercise, dubbed “CYBER FLAG”, in which operators “engaged in realistic and intense simulated cyber combat against ‘live’ opposition.” Top brass at the Pentagon and numerous intelligence agencies, who are also involved in CYBERCOM according to Alexander, also participated in the multi-day exercise. Alexander cautioned that “CYBER FLAG was no mere drill, but a training exercise for those necessarily engaged in cyber operations now.” Wow.

US CYBERCOM, which is literally housed inside the National Security Agency (NSA), has only been in existence for two years and only operational for a little over a year, yet is eager to expand its powers in an effort to guard the nation, its government agencies and peoples from cyber threats far and wide. Gen. Alexander cited numerous attempts to bring down military networks and those of their contractors. Hacker groups including Anonymous and LulzSec made 2011 the “Year of the Hacker,” Alexander told Congress, and things are clearly just getting started. Stuxnet (admittedly launched jointly by the U.S. & Israel) and other incidents have made that clear (Infowars, 2012).

Title: U.N. Could Tax U.S.-Based Web Sites, Leaked Docs Show
Date: June 7, 2012

Abstract: The United Nations is considering a new Internet tax targeting the largest Web content providers, including Google, Facebook, Apple, and Netflix, that could cripple their ability to reach users in developing nations.

The European proposal, offered for debate at a December meeting of a U.N. agency called the International Telecommunication Union, would amend an existing telecommunications treaty by imposing heavy costs on popular Web sites and their network providers for the privilege of serving non-U.S. users, according to newly leaked documents.

The documents (No. 1, No. 2) punctuate warnings that the Obama administration and Republican members of Congress raised last week about how secret negotiations at the ITU over an international communications treaty could result in a radical re-engineering of the Internet ecosystem and allow governments to monitor or restrict their citizens' online activities.

"It's extremely worrisome," Sally Shipman Wentworth, senior manager for public policy at the Internet Society, says about the proposed Internet taxes. "It could create an enormous amount of legal uncertainty and commercial uncertainty."

The leaked proposal was drafted by the European Telecommunications Network Operators Association, or ETNO, a Brussels-based lobby group representing companies in 35 nations that wants the ITU to mandate these fees.

While this is the first time this proposal has been advanced, European network providers and phone companies have been bitterly complaining about U.S. content-providing companies for some time. France Telecom, Telecom Italia, and Vodafone Group want to "require content providers like Apple and Google to pay fees linked to usage," Bloomberg reported last December.

ETNO refers to it as the "principle of sending party network pays" -- an idea borrowed from the system set up to handle payments for international phone calls, where the recipient's network set the per minute price. If its proposal is adopted, it would spell an end to the Internet's long-standing, successful design based on unmetered "peered" traffic, and effectively tax content providers to reach non-U.S. Internet users.

In a statement (PDF) sent to CNET on Friday morning, ETNO defended its proposal as "innovative" and said it had been adopted unanimously by its executive board. It would amend the treaties by saying, "to ensure an adequate return on investment in high bandwidth infrastructures, operating agencies shall negotiate commercial agreements to achieve a sustainable system of fair compensation for telecommunications services," ETNO said.

Such sender-pays frameworks, including the one from ETNO, could prompt U.S.-based Internet services to reject connections from users in developing countries, who would become unaffordably expensive to communicate with, predicts Robert Pepper, Cisco's vice president for global technology policy.

Developing countries "could effectively be cut off from the Internet," says Pepper, a former policy chief at the U.S. Federal Communications Commission. It "could have a host of very negative unintended consequences."

It's not clear how much the taxes levied by the ETNO's plan would total per year, but observers expect them to be in the billions of dollars. Government data show that in 1996, U.S. phone companies paid their overseas counterparts a total of $5.4 billion just for international long distance calls.

If the new taxes were levied, larger U.S. companies might be able to reduce the amount of money they pay by moving data closer to overseas customers, something that Netflix, for instance, already does through Akamai and other content delivery networks. But smaller U.S. companies unable to afford servers in other nations would still have to pay.

The leaked documents were posted by the Web site WCITLeaks, which was created by two policy analysts at the free-market Mercatus Center at George Mason University in Arlington, Va., who stress their Wikileaks-esque project is being done in their spare time. The name, WCITLeaks, is a reference to the ITU's December summit in Dubai, the World Conference on International Telecommunications, or WCIT.

Eli Dourado, a research fellow who founded WCITLeaks along with Jerry Brito, told CNET this afternoon that the documents show that Internet taxes represent "an attractive revenue stream for many governments, but it probably is not in the interest of their people, since it would increase global isolation."

Dourado hopes to continue posting internal ITU documents, and is asking for more submissions. "We hope that shedding some light on them will help people understand what's at stake," he says.

One Vote Per Country
ETNO's proposal arrives against the backdrop of negotiations now beginning in earnest to rewrite the International Telecommunications Regulations (PDF), a multilateral treaty that governs international communications traffic. The ITRs, which date back to the days of the telegraph, were last revised in 1988, long before the rise of the commercial Internet and the on-going migration of voice, video and data traffic to the Internet's packet-switched network.

The U.S. delegation to the Dubai summit, which will be headed by Terry Kramer, currently an entrepreneur-in-residence at the Harvard Business School, is certain to fight proposals for new Internet taxes and others that could curb free speech or privacy online.

But the ITU has 193 member countries, and all have one vote each.

If proposals harmful to global Internet users eventually appear in a revision to the ITRs, it's possible that the U.S. would refuse to ratify the new treaty. But that would create additional problems: U.S. network operators and their customers would still be held to new rules when dealing with foreign partners and governments. The unintended result could be a Balkanization of the Internet.

In response to the recent criticism from Washington, ITU Secretary-General Hamadoun Toure convened a meeting yesterday with ITU staff to deny charges that the WCIT summit in Dubai "is all about ITU, or the United Nations, trying to take over the Internet." (The ITU also has been criticized, as CNET recently reported, for using the appearance of the Flame malware to argue it should have more cybersecurity authority over the Internet.)

"The real issue on the table here is not at all about who 'runs' the Internet -- and there are in fact no proposals on the table concerning this," Toure said, according to a copy of his remarks posted by the ITU. "The issue instead is on how best to cooperate to ensure the free flow of information, the continued development of broadband, continued investment, and continuing innovation."

Robert McDowell, a Republican member of the Federal Communications Commission who wrote an article (PDF) in the Wall Street Journal in February titled "The U.N. Threat to Internet Freedom," appeared to reference the ETNO's proposal for Internet taxes during last week's congressional hearing.

Proposals that foreign governments have pitched to him personally would "use international mandates to charge certain Web destinations on a 'per-click' basis to fund the build-out of broadband infrastructure across the globe," McDowell said. "Google, iTunes, Facebook, and Netflix are mentioned most often as prime sources of funding."

They could also allow "governments to monitor and restrict content or impose economic costs upon international data flows," added Ambassador Philip Verveer, a deputy assistant secretary of state.

ITU spokesman Paul Conneally told CNET this week that:

There are proposals that could change the charging system, but nothing about pay-per-click as such. There isn't anything we can comment about this interpretation because, as stated before, member states are free to interpret proposals as they like, so if McDowell chooses to interpret as pay-per-click, that is his right and similarly it is he who should provide pointers for you.

From the beginning, the Internet's architecture has been based on traffic exchange between backbone providers for mutual benefit, without metering and per-byte "settlement" charges for incoming and outgoing traffic. ETNO's proposal would require network operators and others to instead negotiate agreements "where appropriate" aimed at achieving "a sustainable system of fair compensation for telecommunications services" based on "the principle of sending party network pays."

"Not all those countries like open, transparent process"

This isn't the first time that a U.N. agency will consider the idea of Internet taxes.

In 1999, a report from the United Nations Development Program proposed Internet e-mail taxes to help developing nations, suggesting that an appropriate amount would be the equivalent of one penny on every 100 e-mails that an individual might send. But the agency backed away from the idea a few days later.

And in 2010, the U.N.'s World Health Organization contemplated, but did not agree on, a "bit tax" on Internet traffic.

Under the ITU system for international long distance, government-owned telecommunications companies used to make billions from incoming calls, effectively taxing the citizens of countries that placed the calls. That meant that immigrants to developed nations paid princely sums to call their relatives back home, as high as $1 a minute.

But technological advances have eroded the ability of the receiving countries to collect the fees, and the historic shift to voice over Internet Protocol services such as Skype has all but erased the transfer payments. Some countries see the WCIT process as a long-shot opportunity to reclaim those riches.

The ITU's process has been controversial because so much of it is conducted in secret. That's drawn unflattering comparisons with the Anti-Counterfeiting Trade Agreement, or ACTA, an international intellectual property agreement that has generated protests from Internet users across the world. (The Obama administration approved ACTA in 2011, before anyone outside the negotiations had a chance to review it.)

By comparison, the Internet Society, with 55,000 members and 90 worldwide chapters, hosts the engineering task forces responsible for the development and enhancement of Internet protocols, which operate through virtual public meetings and mailing lists.

"Not all those countries like open, transparent process," says Cisco's Pepper, referring to the ITU's participants. "This is a problem" (CNET, 2012)

Title: White House Circulating Draft Of Executive Order On Cybersecurity
Date: September 6, 2012
Source: The Hill

Abstract: The White House is circulating a draft of an executive order aimed at protecting the country from cyberattacks, The Hill has learned.  

The draft proposal, which has been sent to relevant federal agencies for feedback, is a clear sign that the administration is resolved to take action on cybersecurity even as Congress remains gridlocked on legislation that would address the threat.

The draft executive order would establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government, according to two people familiar with the document. 

The concept builds off of a section in the cybersecurity bill from Sen. Joe Lieberman (I-Conn.) that was blocked last month by Senate Republicans, who called it a backdoor to new regulations. 

The draft has undergone multiple revisions and is brief, spanning no more than five pages. It is still being worked on and is subject to change, the people familiar with the draft stressed. 

It's also unclear whether the final product will get the president's approval to move forward.

A new draft of the executive order is expected to be shared with agencies next week. 

White House counterterrorism adviser John Brennan first floated the idea of an executive order in a speech a few days after the Senate bill failed. He said the White House would consider taking action on the executive level to ensure key infrastructure such as the power grid, water supply and transportation networks are secure.

The momentum for cybersecurity legislation in Congress weakened after Lieberman's bill failed to clear the Senate. Now industry groups and Congress are watching the White House for clues about what might be included in an executive order on cybersecurity.

A spokeswoman for the White House declined to comment on whether a draft for an executive order was being circulated, but said it is one of the options the administration is weighing.

"An executive order is one of a number of measures we’re considering as we look to implement the president’s direction to do absolutely everything we can to better protect our nation against today’s cyberthreats," said White House spokeswoman Caitlin Hayden. "We are not going to comment on ongoing internal deliberations.”

Sponsors of Lieberman's bill have urged the White House to issue an executive order to put measures in place that ensure key infrastructure is better protected from cyberattacks. Sens. Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) both sent letters to the White House last month that urged the president to take action.

According to the people familiar with the draft, the executive order would set up an inter-agency council that would be led by the Department of Homeland Security (DHS). Members of the council would include the Department of Defense and the Commerce Department, and discussions are ongoing about including other agencies and officials, such as representatives from the Department of Energy and Treasury Department, as well as the attorney general and the director of national intelligence. 

DHS would be responsible for the overall management of the program, but the Commerce Department's National Institute of Standards and Technology (NIST) would work with industry to help craft the framework for it. The agency would work with the private sector to develop cybersecurity guidelines and best practices.

DHS would receive the guidance from NIST and work with so-called sector coordinating councils to identify which industry sectors would be considered critical infrastructure, as well as determine what cybersecurity best practices and standards the industry participants in the voluntary program would follow. 

Those coordinating councils are already in place, and fall under an arm of DHS that manages critical infrastructure protection. The councils are run and organized by industry members from each sector, such as financial services and electricity. 

It would be left up to the companies to decide what steps they want to take to meet the standards, so the government would not dictate what type of technology or strategy they should adopt.

One of the main issues still under discussion involves the kinds of incentives the government will offer critical infrastructure operators to entice them into the program. 

The executive branch is limited when it comes to the types of incentives it can offer companies, as much of that authority rests with Congress. For instance, the executive branch is barred from offering companies liability protection if they face lawsuits after a security breach.

"For many of these incentives, you need new legislative authority," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, who has not seen a copy of the draft executive order. 

To get industry participation in the program, Lewis argues that it's key for the inter-agency council to include agencies that already regulate critical infrastructure, such as the Federal Energy Regulatory Commission. 

Lewis also fears that it would take the government too long to get the voluntary program in the executive order up and running.

"The White House needs to step back and say, 'Does this make a meaningful contribution in the near term?' " Lewis said. 

Additionally, he cautioned that industry would balk at electing to join a program led by DHS, which is plagued with a spotty track record when it comes to leading national security efforts. 

"Find me a company that says 'I'm going to voluntarily agree to be regulated by DHS.' Nobody is going to volunteer to have DHS regulate them," Lewis said
(The Hill, 2012).

Title: Philippines Gags Internet With 'Draconian' Cyber Crime Law
Date: October 3, 2012

Abstract: The Philippines has approved measures to prosecute users that post “defamatory” comments on social media websites such as Twitter and Facebook. They will be liable for a fine of 1 million pesos (US$24,000) or face up to 12 years in prison.

Websites that publish the material may also be shut down.

The cyber-law has been branded as ‘draconian’ and a serious violation of freedom of speech by rights groups.

“The cyber crime law needs to be repealed or replaced,” said Brad Adams, Asia director of the Human Rights Watch. “It violates Filipinos’ rights to free expression and it is wholly incompatible with the Philippine government’s obligations under international law.”

He stressed that while the bill was in action it will have a “chilling effect over the entire Philippines online community.”

The new legislation extends Philippines libel law, which has been previously contested by Human Rights Watch, into cyberspace.

Aside from prosecuting users who post material deemed offensive, the bill grants authorities the power to collate and retain information from people’s Facebook and Twitter profiles, as well as eavesdropping on conversations over Skype.

“Anybody using popular social networks or who publishes online is now at risk of a long prison term should a reader – including government officials – bring a libel charge,” Adams said. “Allegedly libelous speech, online or off-line, should be handled as a private civil matter, not as a crime.”

Human Rights Watch has appealed to the Philippines government on numerous occasions to decriminalize libel speech in the country, but the government has thus far been unresponsive to the requests.

Hacktivist group Anonymous called on their supporters in the country to rally against the new legislation and cyber attack government sites on what they dubbed “Bloody Monday” and “Black Tuesday” before the institution of the law on Wednesday.

The government says the new bill is a necessary tool to safeguard Philippines society from cyber threats, arguing that without it the country would be laid bare to hacking, identity theft, spamming and intellectual property theft.

Southeast Asian Crackdown
The cyber-security law is the latest in a series of Southeast Asian government measures that have curtailed internet freedoms in the region.

Malaysia has recently introduced amendments in the law that could encroach on internet freedoms. The changes would allow authorities to identify people who publish potentially inflammatory material on the web, which activists say would force writers to resort to self-censorship to avoid prosecution.

In addition, the Cambodian government is enforcing a draft law that seeks to install surveillance cameras and record calls in internet cafes. The country’s rulers maintain the bill is a crime prevention measure, while critics brand it as a violation of privacy rights (RT, 2012).

Title: Activists: New Philippines Law Gags Netizens
Date: October 4, 2012

Abstract: A quick tweet or Facebook post could put you behind bars in the Philippines under a new cyber law, according to activists.

The Cybercrime Prevention Act of 2012 came into effect Wednesday despite widespread protests among netizens, journalists and free speech activists. "Reaction has been overwhelming. This is quite unprecedented," said Carlos Conde of Human Rights Watch in Manila. "I haven't seen this kind of uprising from the online community in the Philippines. This is a setback for one of the most social-media savvy countries."

The Philippines had a steadily rising 28 million internet users in 2011, approximately 30% of the population, according to the World Bank, placing it among the top 20 nations for internet use. Before the law came into effect, the Philippines was ranked the most "free" in Asia, according to the 2012 Freedom House report on internet freedom. The Philippines ranked sixth globally, after the United States, Australia and other European nations.

The new law addresses an array of content and computer-related offenses, including cybersex, child pornography, unsolicited commercial communications and identity theft. The act also states that there will be "special cybercrime courts manned by specially trained judges to handle cybercrime cases."

Critics of the law, who are calling it the "new martial law online," are against a provision that criminalizes libel.

"The law is so vague in many respects; it is being interpreted in many ways -- comparing 'liking' something on Facebook to an investigative exposé -- the law has to be clear," Conde said. "It's almost like an afterthought -- the libel portion was put there haphazardly." Existing libel laws of the Philippines were dubbed "excessive" by the United Nations in October 2011.

Local news organizations and civil rights groups mobilized to file a petition against the law, which they believe "establishes a regime of cyber authoritarianism." The petition has sought a restraining order against enforcement of the new law.

"You never know what's going to trigger these libel offenses...[the law] goes against overall freedom of press and expression. It is motivated by personal experiences -- they don't like what you say and then you are penalized for it," said Gayathri Venkateswaran of the Southeast Asian Press Alliance.

Other points of the new law have been contentious, such as the "take-down" provision, which enables the Department of Justice to order removal of defamatory content without due process.

The Philippines government, in a statement, acknowledged the questions over the "constitutionality of certain provisions of the Act" but also called on "critics of the cybercrime Act to speak out against online vandalism and bullying with as much vigor and passion as they expressed in their objections to certain provisions of the law."

The new law "is quite good ... except for the item on libel," said Jacques DY Gimeno, a contributor to the Freedom House report. "At least the government is now dealing with cybercrime.

"Self-censorship will go up, internet users will have a sense of needing to police themselves," she added.

On the future of the cybercrime law, Gimeno said, "It will probably be modified because it is so unpopular. People are taking note of the legislators who voted for the law; to pacify voters they will amend to mask the actual intention" (CNN, 2012).

Title: Draft White House Order Seeks To Stop Cyberattacks By Sharing Threat Details With Companies
Date: October 20, 2012
Source: Fox News

A new White House executive order would direct U.S. spy agencies to share the latest intelligence about cyberthreats with companies operating electric grids, water plants, railroads and other vital industries to help protect them from electronic attacks, according to a copy obtained by The Associated Press.

The seven-page draft order, which is being finalized, takes shape as the Obama administration expresses growing concern that Iran could be the first country to use cyberterrorism against the United States. The military is ready to retaliate if the U.S. is hit by cyberweapons, Defense Secretary Leon Panetta said. But the U.S. also is poorly prepared to prevent such an attack, which could damage or knock out critical services that are part of everyday life.

The White House declined to say when the president will sign the order.

The draft order would put the Department of Homeland Security in charge of organizing an information-sharing network that rapidly distributes sanitized summaries of top-secret intelligence reports about known cyberthreats that identify a specific target. With these warnings, known as tear lines, the owners and operators of essential U.S. businesses would be better able to block potential attackers from gaining access to their computer systems.

An organized, broad-based approach for sharing cyberthreat information gathered by the government is widely viewed as essential for any plan to protect U.S. computer networks from foreign nations, terrorist groups and hackers. Existing efforts to exchange information are narrowly focused on specific industries, such as the finance sector, and have had varying degrees of success.

Yet the order has generated stiff opposition from Republicans on Capitol Hill who view it as a unilateral move that bypasses the legislative authority held by Congress.

Administration officials said the order became necessary after Congress failed this summer to pass cybersecurity legislation, leaving critical infrastructure companies vulnerable to a serious and growing threat. Conflicting bills passed separately by the House and Senate included information-sharing provisions. But efforts to get a final measure through both chambers collapsed over the GOP's concerns that the Senate bill would expand the federal government's regulatory power and increase costs for businesses.

The White House has acknowledged that an order from the president, while legally binding, is not enough. Legislation is needed to make other changes to improve the country's digital defenses. An executive order, for example, cannot offer a company protection from liabilities that might result from a cyberattack on its systems.

The addition of the information-sharing provisions is the most significant change to an earlier draft of the order completed in late August. The new draft, which is not dated, retains a section that requires Homeland Security to identify the vital systems that, if hit by cyberattack, could "reasonably result in a debilitating impact" on national and economic security. Other sections establish a program to encourage companies to adopt voluntary security standards and direct federal agencies to determine whether existing cyber security regulations are adequate.

The draft order directs the department to work with the Pentagon, the National Security Agency, the director of national intelligence and the Justice Department to quickly establish the information-sharing mechanism. Selected employees at critical infrastructure companies would receive security clearances allowing them to receive the information, according to the document. Federal agencies would be required to assess whether the order raises any privacy or civil liberties risks.

To foster a two-way exchange of information, the government would ask businesses to tell the government about cyberthreats or cyberattacks. There would be no requirement to do so.

The NSA has been sharing cyberthreat information on a limited basis with companies that conduct business with the Defense Department. These companies work with sensitive data about weapon systems and technologies and are frequently the targets of cyberspying.

But the loss of valuable information has been eclipsed by fears that an enemy with the proper know-how could cause havoc by sending the computers controlling critical infrastructure systems incorrect commands or infecting them with malicious software. Potential nightmare scenarios include high-speed trains being put on collision courses, blackouts that last days or perhaps even weeks or chemical plants that inadvertently release deadly gases.

Panetta underscored the looming dangers during a speech last week in New York by pointing to the Shamoon virus that destroyed thousands of computer systems owned by Persian Gulf oil and gas companies. Shamoon, which spreads quickly through networked computers and ultimately wipes out files by overwriting them, hit the Saudi Arabian state oil company Aramco and Qatari natural gas producer RasGas.

Panetta did not directly connect Iran to the Aramco and RasGas attacks. But U.S. officials believe hackers based in Iran were behind them.

Shamoon replaced files at Aramco with the image of a burning U.S. flag and rendered more than 30,000 computers useless, Panetta said. The attack on RasGas was similar, he said.

A spokeswoman for the National Security Council, Caitlin Hayden, said the administration is consulting with members of Congress and the private sector as the order is being drafted. But she provided no information on when an order would be signed. "Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly," she said (Fox News, 2012).

Title: Obama Signs Secret Directive To Help Thwart Cyberattacks
Date: November 14, 2012
Source: Washington Post

President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant danger to the country.

“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”

Legislation to protect private networks from attack by setting security standards and promoting voluntary information sharing is pending on the Hill, and the White House is also drafting an executive order along those lines.

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, welcomed the new directive as bolstering the government’s capability to defend against “destructive scenarios,” such as those that Defense Secretary Leon E. Panetta recently outlined in a speech on cybersecurity.

“It’s clear we’re not going to be a bystander anymore to cyberattacks,” Lewis said.

The Pentagon is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.

The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission.

An example of a defensive cyber-operation that once would have been considered an offensive act, for instance, might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.

“That was seen as something that was aggressive,” said one defense official, “particularly by some at the State Department” who often are wary of actions that might infringe on other countries’ sovereignty and undermine U.S. advocacy of Internet freedom. Intelligence agencies are wary of operations that may inhibit intelligence collection. The Pentagon, meanwhile, has defined cyberspace as another military domain — joining air, land, sea and space — and wants flexibility to operate in that realm.

But cyber-operations, the officials stressed, are not an isolated tool. Rather, they are an integral part of the coordinated national security effort that includes diplomatic, economic and traditional military measures.

Offensive cyber actions, outside of war zones, would still require a higher level of scrutiny from relevant agencies and generally White House permission.

The effort to grapple with these questions dates to the 1990s but has intensified as tools and weapons in cyberspace become ever more sophisticated.

One of those tools was Stuxnet, a computer virus jointly developed by the United States and Israel that damaged nearly 1,000 centrifuges at an Iranian nuclear plant in 2010. If an adversary should turn a similar virus against U.S. computer systems, whether public or private, the government needs to be ready to preempt or respond, officials have said.

Since the creation of the military’s Cyber Command in 2010, its head, Gen. Keith Alexander, has forcefully argued that his hundreds of cyberwarriors at Fort Meade should be given greater latitude to stop or prevent attacks. One such cyber-ops tactic could be tricking malware by sending it “sleep” commands.

Alexander has put a particularly high priority on defending the nation’s private-sector computer systems that control critical functions such as making trains run, electricity flow and water pure.

But repeated efforts by officials to ensure that the Cyber Command has that flexibility have met with resistance — sometimes from within the Pentagon itself — over concerns that enabling the military to move too freely outside its own networks could pose unacceptable risks. A major concern has always been that an action may have a harmful unintended consequence, such as shutting down a hospital generator.

Officials say they expect the directive will spur more nuanced debate over how to respond to cyber-incidents. That might include a cyberattack that wipes data from tens of thousands of computers in a major industrial company, disrupting business operations, but doesn’t blow up a plant or kill people.

The new policy makes clear that the government will turn first to law enforcement or traditional network defense techniques before asking military cyberwarfare units for help or pursuing other alternatives, senior administration officials said.

“We always want to be taking the least action necessary to mitigate the threat,” said one of the senior administration officials. “We don’t want to have more consequences than we intend” (Washington Post, 2012).

Title: The DSB Task Force On Resilient Military Systems And The Advanced Cyber Threat
Date: January 2013

Abstract: (DOD, 2013).

Title: Obama Signs Executive Order On Cybersecurity
Date: February 13, 2013

Abstract: Barack Obama has signed an executive order on cybersecurity aimed at boosting the defense of critical US infrastructure, while also avoiding the criticism over compromising civil liberties that its legislative predecessors suffered from.

The legislative push continues, and will cover the same area and make the increase in security mandatory for the private sector. A new version of the controversial bill CISPA is expected to be introduced to the House on Wednesday.

President Obama revealed the long-expected executive order in his State of the Union address on Tuesday. He cited “growing threat from cyber-attacks” as the reason he used his executive power where legislators failed, adding that America must face this rapidly growing threat.

“We know hackers steal people’s identities and infiltrate private e-mail,” he said. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”

Years from now, Americans cannot look back and wonder “why we did nothing in the face of real threats to our security and our economy,” Obama said.

The order directs government officials to come up with standards to reduce cybersecurity risks within the next 240 days, and to encourage companies to adopt the new framework. However, it has no legal power to force companies to adopt the framework of cybersecurity best practices.

The framework will be technology-neutral and aimed at addressing security gaps in the computer networks of crucial parts of the country's infrastructure – the electric grid, gas lines, water treatment plants and transportation networks.

Federal agencies are also being encouraged to share information with private companies on potential cyber threats. This would encompass technical data, such as identifying malicious code, and not private information, senior administration officials said.

Not a substitute for legislation
The executive order comes in place of cybersecurity legislation that failed to pass legislative scrutiny last year. The issue of protecting infrastructure from cyber-attacks was initially free of partisan divide, but became increasingly politicized as work on it progressed.

Democrats favored the Cybersecurity Act of 2012, a bill that would have the Department of Homeland Security identify private owners of infrastructure considered critical and force them to introduce tighter defenses against hacker attacks, as advised by the federal government. Business lobbyists and Republican lawmakers opposed and eventually killed the bill, saying it would over-regulate the private sector and cost too much.

The Republican-backed Cyber Intelligence Sharing and Protection Act, or CISPA, passed the House only to be later strangled in the Senate amid criticism from Internet privacy and civil liberties advocates. Among other things, the bill would allow legal blanket protection to companies volunteering private information to the government, and would allow the National Security Agency, which is normally restricted to foreign intelligence, to collect data domestically.

The new executive order has yet to raise any red flags from business owners or rights groups. The ACLU said it was "encouraged" by the move, and – in an apparent reference to CISPA – added that it shows "there are smart ways to bolster cybersecurity while protecting privacy."

However, the administration does not view the order as a replacement for the legislative process. Obama urged Congress to follow his lead and pass legislation giving Washington “a greater capacity to secure networks and deter attacks.”

In a joint statement, Republican Senators John McCain, Saxby Chambliss and John Thune said the executive action could not "achieve the balanced approach" that a Congressional law would.

“The Senate should follow regular order and craft legislation that will have an immediate impact on our nation's cybersecurity without adding or prompting regulations that could discourage innovation and negatively impact our struggling economy,” they said.

On Wednesday, the key sponsor of CISPA, Republican Representative Mike Rogers, who also chairs the House Intelligence Committee, is expected to reintroduce the bill.

“We agree that our biggest barriers to bolster our cyber defenses can be fixed only with legislation,” Rogers said.

The executive order comes as the number of government agencies and companies targeted by hackers is growing. Over the past two weeks, the Federal Reserve, the Energy Department and the New York Times and Wall Street Journal have all disclosed that their networks were breached by hackers (RT, 2013).