What a week it’s been in the cybersecurity business!
On Monday, the Massachusetts Institute of Technology released a report that called for the establishment of a body with nationwide authority to oversee the securing of the United States’ national power grid.
Last week, Congress began working to push through the Cyber Intelligence Sharing and Protection Act of 2011, a bill that would exonerate private firms for sharing customer data with the government.
Meanwhile, the Obama administration has invoked national security powers last used during the Cold War to force U.S. telecommunication carriers including AT&T and Verizon to divulge confidential information about their networks as it goes on a hunt for Chinese cyberspying, according to a Bloomberg report.
Where Washington will get the trained manpower to conduct the search remains unclear. The U.S. Government Accountability Office reported that manpower planning and initiatives for hiring and retaining cybersecurity personnel at major federal agencies needs an overhaul.
In the private sector, Facebook was in the cybersecurity news for the second time in a month, this time because a worm is apparently hijacking members’ accounts to inject a banking Trojan.
Finally, researchers at Columbia University discovered that some Internet-connected printers can be hijacked while online.
Preserving Our Power
Developing and maintaining cybersecurity standards regarding utilities and resources like the power grid are in the hands of different organizations and agencies, and the resulting hodge-podge has led to infighting among the agencies, the MIT report states.
It’s a mess, all right, Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization (NESCO), told TechNewsWorld.
Apparently nobody quite knows who’s in charge and what rules to apply.
“We need to think about it in terms of response and regulation, but in a judicious manner,” Miller said. “You can’t just throw protections onto the power grid and expect them to work; it takes a lot of thought and discussion.”
The MIT report points out that interested parties are discussing having communications networks for the public grid that are not connected to the public Internet.
“It’s unlikely that there will be the required isolation,” said IT security expert Randy Abrams.
“Convenience always trumps security, and this will be a huge problem,” Abrams told TechNewsWorld.
The MIT report has “very little information dealing with actual control system cybersecurity,” pointed out Joseph Weiss, managing partner at Applied Control Solutions.
Creating the Global Data-Sharing Village
The Cyber Intelligence Sharing and Protection Act of 2011, introduced as a bipartisan bill by leaders of the House intelligence committee last week, seeks to let private companies share data with the government freely.
Both the White House and civil liberties advocates have expressed concern that the bill could jeopardize individuals’ privacy.
The bill isn’t subject to any oversight or transparency measures, and the only oversight for sharing with the federal government would be through the Privacy and Civil Liberties Oversight board, which no longer exists, the Electronic Frontier Foundation warned.
The bill is supported by Verizon and various business entities.
Where Has All the Manpower Gone?
The eight federal agencies with the highest IT budgets don’t measure up in their workforce planning practices for cybersecurity staff, the GAO has warned.
These are the Departments of Defense, Homeland Security, Health and Human Services, Treasury, Veterans Affairs, Commerce, Transportation and Justice.
The Departments of Commerce, Health and Human Services, and Treasury have neither departmental workforce plans nor workforce plans that specifically address cybersecurity workforce needs, the GAO found.
Further, the agencies don’t have consistent data on how many people are in their cybersecurity workforces because it’s difficult to define what a cybersecurity worker is, and the definition of a cybersecurity position hasn’t been standardized, the GAO said.
Printer Hijacking and Facebook
Another brouhaha erupted this past week when researchers at Columbia University warned that hackers might be able to hijack millions of printers connected to the Internet.
They demonstrated that a remote firmware command in some HP LaserJet printers can be taken over by hackers.
“Columbia has demonstrated an actual vulnerability to the device that allows you to gain control of the printer,” Kevin Brown, from ICSA Labs, told TechNewsWorld.
HP said the report was “sensational and inaccurate,” and announced it’s building a firmware upgrade to mitigate the problem.
Meanwhile, Facebook, which had been hit by cybercriminals in early November, was nailed again this past week.
The first attack had hackers hijacking user accounts and using them to send out spam containing gory and pornographic images, but this second one links to malicious software.
“The previous attack utilized a phishing attack that encouraged users to paste JavaScript into the URL bar,” Mike Geide, senior security researcher at Zscaler ThreatLabZ, told TechNewsWorld. “This new round [uses] a picture with a link to malware, so the previous detection logic that [Facebook] put in place would not detect this.”
Security “is an arms race, and our teams are always working to identify the next threat and build defenses for it,” Facebook spokesperson Frederic Wolens told TechNewsWorld.