[ISN] Thoughts on USG Candor to China on Cyber

http://www.lawfareblog.com/2014/04/thoughts-on-usg-candor-to-china-on-cyber/

By Jack Goldsmith
lawfareblog.com
April 8, 2014

Paul is skeptical about the USG’s unilateral briefing to Chinese officials on some of its cyber operations and doctrines that David Sanger discloses in the NYT. He argues that China is unlikely to reciprocate, he doubts the usefulness of the unilateral disclosure, and he wonders why the USG does not share the information with the American public. I think the matter is more complex.

First, it may be (as I have long argued) that greater candor by the USG vis-à-vis China is a necessary precondition to genuine progress on the development of norms for cyberoperations – both exploitation and attack. Unless we can credibly convey what we are doing and what we might do (and not do) in certain cyber situations, our adversaries will assume the worst and (a) invest in their own cyber programs to keep up – a classic arms race situation, and/or (b) interpret particular cyberoperations in a risk-averse fashion, in their least charitable light, which might induce unwarranted escalation in those contexts. Our adversaries will rationally assume the worst because, despite USG claims about its responsible use of cyber exploitations and attacks, the news is filled with reports about prodigious USG cyber-operations and aggressive plans in this realm. Indeed, as Sanger notes: “The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations. It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.”

Second, Paul is right to be skeptical about reciprocity by China. But it sounds like the United States didn’t give up much new information on U.S. doctrine for the use of cyberweapons. (Sanger states that “elements of the doctrine can be pieced together from statements by senior officials and a dense ‘Presidential Decision Directive’ on such activities signed by Mr. Obama in 2012.”) More importantly, the United States can in theory benefit from unilateral disclosure of doctrine and weapons capabilities even if China doesn’t reciprocate, for the unilateral disclosure might assist China in interpreting, and not misinterpreting, USG actions in the cyber realm – all to the USG’s advantage. As Sanger says, “American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the ‘red lines’ for employing nuclear weapons against each other.” In theory, unilateral information disclosure to China about the nature of USG cyberoperations can help China interpret USG actions properly, and can thereby help tamp down on the possibility of mistaken escalation by China; and the USG might also in this manner help China to see the benefits to itself in disclosure to the USG.

[…]





[ISN] Nurses Say Pagers Must Go; Hospitals Drag Feet

http://www.informationweek.com/healthcare/mobile-and-wireless/nurses-say-pagers-must-go-hospitals-drag-feet-/d/d-id/1204255

By Alison Diana
InformationWeek.com
4/8/2014

Nurses and other healthcare workers who communicate vital patient information say they need an alternative to outdated pagers and insecure smartphones.

At most hospitals, nurses are still required to communicate with colleagues and doctors via Voice over IP (VoIP) or pagers. But many nurses, who tend to be constantly on the go, are increasingly ignoring policy and are texting from their smartphones instead. This approach carries risks: Not only are the phones insecure, but they could also introduce germs into sterile environments.

Pagers may be less risky, but they aren’t efficient. They cost US hospitals $8.3 billion in 2013, according to a report by the Ponemon Institute: $3.2 billion through time-consuming discharge processes and another $5.1 billion while clinicians waited for patient information (an average of 46 minutes per day).

Fed up with waiting for pages, nurses are taking matters into their own hands. Although 89% of hospitals forbid the use of personal smartphones at work, 67% of hospitals report nurses are using their iPhones, Androids, and other devices to support clinical communications and workflow, according to a new report by Spyglass Consulting Group. Hospital IT departments know nurses are doing this, but they don’t have the time or the resources to monitor their usage. Of the 53% of hospitals with BYOD programs, only 11% include nursing staff.

[…]



[ISN] Public or Private Cloud? The Decision Comes Down to Risk, DISA CIO Says

http://www.nextgov.com/cloud-computing/2014/04/public-or-private-cloud-your-agency-decision-comes-down-risk-disa-cio-says/82114/

By Frank Konkel
Nextgov.com
April 8, 2014

For federal agencies, deciding whether information, data or applications belong in a public or private government cloud or a hybrid combination of the two is no easy feat. Myriad factors play into these decisions – projected cost savings, information sensitivity and availability, to name a few – but according to U.S. Defense Information Systems Agency Chief Information Officer David Bennett, the single most important element continues to be risk.

DISA recently rolled out a government-operated cloud computing services portfolio called milCloud that was designed to attract Defense Department customers who seek the cloud’s promise of cost reductions combined with the increased control, flexibility and mission security necessary for classified and controlled unclassified information.

“You have to understand risk and the data you’re dealing with,” said Bennett, speaking at a Nextgov event Tuesday. “As you look at those things, you have to ask questions like, ‘What controls do I have in place?’ We want to leverage commercial opportunities and reap the benefits of doing that, but we also want to verify and make certain what’s out there and that we’re able to understand and monitor that.”

[…]



[ISN] How to protect yourself from the ‘Heartbleed’ bug

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

By Richard Nieva
CNET News Security
April 8, 2014

A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers. It’s an extremely serious issue, affecting some 500,000 servers, according to Netcraft, an Internet research firm.

Here’s what you can do to make sure your information is protected, according to security experts contacted by CNET:

Do not log into accounts from afflicted sites until you’re sure the company has patched the problem. If the company hasn’t been forthcoming



[ISN] Social Engineering Grows Up

http://www.darkreading.com/author.asp?section_id=314&doc_id=1204252

By Kelly Jackson Higgins
Dark Reading
4/7/2014

Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new “tag team” rules to reflect realities of the threat.

The wildly popular DEF CON Social Engineering contest this year in Las Vegas will feature a new twist: Each contestant will be assigned a teammate to whom they must hand off during the live event where they cold-call targeted corporations. “We needed to create an event like the real world,” says Christopher Hadnagy, chief human hacker at Social-Engineer.org, and organizer of the contest, now in its fifth year. “In the 30 minutes [of the live call], you have to tap out at least twice” so that each teammate will have a role in the live call.

The contest aims to wring as much potentially revealing information about the company as possible from the unsuspecting call recipient. Contestants squeeze as many predetermined “flags” as they can out of employees at major US corporations, everything from the type of browser they are using to the name of their cleaning/janitorial service. The pretense could be that the caller needs to hand the call to his manager or another colleague, for example, to provide more legitimacy for the call



Hilarious Marcus Ranum Interview at RSA 2014

I gotta say, there are very few days where I really laugh out loud about the security industry. Today is one of those days. I was sent this clip from a friend of mine and apparently it was also tweeted @riskybusiness. It’s a very good interview of Marcus by Patrick Gray about the RSA conference and I agree with their comment: “I think Marcus Ranum (@mjranum) and I managed to sum up the RSA trade floor in 37 seconds…”

Click here to listen to the interview

