Tracking source of South Korean cyber attack illustrates challenges for U.S.

The ongoing analysis of the crippling if short-lived computer attack last week against South Korean financial institutions and media companies highlights some of the key difficulties facing the United States and other nations trying to establish policies, procedures, and offensive and defensive cyber-security capabilities. Immediate reaction pointed suspiciously to North Korea and China as the most likely perpetrators of the attack, with initial news reports citing Chinese IP addresses identified as the source of the attack. Subsequent analysis resulted in a less clear picture, as security analysts suggested that certain characteristics of the attack made it appear to have come from a well-resourced attacker such as a government-sponsored program but retreated from earlier conclusions attributing the attack to China. Given current tensions between South and North Korea, looking by default to the North is understandable, and concerns over state-sponsored cyber-espionage have intensified in recent weeks, driven in part by the publication in February of a detailed report from security firm Mandiant providing the results of a technical analysis of Chinese government-sponsored spying activities.

The inability to pinpoint the source of a major attack with any great degree of confidence presents a substantial risk to cyber defense operations such as the U.S. Cyber Command (USCYBERCOM), particularly as they shift from largely defensive or retaliatory positioning to a greater emphasis on offensive capabilities. The technical ability to disable an adversary or to impact the computing or critical infrastructure of another nation is less an issue than knowing with some certainty that the targets of such activity are in fact the adversary in question. Anyone with even a rudimentary knowledge of network protocols and behavior understands the relative simplicity of masking an online identity by using a falsified source IP address, to say nothing of the possibility that a computer or other device in another country to which malicious activity is accurately traced may itself have been compromised to serve as a launching point for attackers in entirely different locations. In the case of the South Korea attack, the IP address originally linked to a Chinese source turned out to belong to a computer at one of the targeted companies. South Korean officials never explicitly blamed China for the attack, suspecting instead that North Korea was responsible, possibly assisted by the Chinese or at least using infrastructure that belongs to China. It is not yet clear what role, if any, the U.S. government will play in investigating the South Korean attack, although the National Security Agency has long called out China among key foreign governments responsible for such attacks.

Weaknesses in Census Bureau security symptomatic of poor information security program

A news story in today’s Washington Post calls attention to a recent audit report from the Government Accountability Office, released last month, that identified numerous weaknesses in security controls at the U.S. Census Bureau that pose risks to the bureau’s ability to properly safeguard the information it collects. The weaknesses GAO found raise legitimate concerns about protecting the confidentiality of personal information on U.S. residents and the integrity of that information. Given the vast amount of personal information the Census Bureau collects and maintains and the government’s reliance on census data to determine legislative boundaries, allocate federal funding for social programs, and shape policy, the lack of effective security controls is both troubling and a bit surprising. GAO emphasized weaknesses in access controls, where it identified six distinct issues, and also pointed to operational and programmatic problems in information security management. The audit findings related to access controls included the following issues:

  1. Insufficient boundary protection controls for network devices, namely conducting management and administration of such devices using the regular network rather than dedicating a separate subnet for such purposes;
  2. Failure to enforce system, device, and individual user authentication and to fully implement federal authentication protocols such as personal identity verification;
  3. Incomplete implementation of authorization controls, notably including granting unnecessary elevated privileges to users and operating some infrastructure devices without access control lists;
  4. Lack of strong encryption on network devices, databases, and system components, including the use of invalid or unsigned digital certificates;
  5. Inconsistent implementation of audit and monitoring controls, including the absence of real-time monitoring and the operation of intrusion detection controls that did not cover some network segments and that had insufficient capacity to process the existing volume of network traffic;
  6. Inconsistent implementation of physical access controls to bureau facilities, including disabling access readers.

Other cited weaknesses include those in patch management and device configuration procedures, contingency planning, and the bureau’s implementation of its information security program. The findings of deficiencies within the security management program help explain a lot of the more detailed weaknesses addressed in the report. GAO noted that the Census Bureau is in the process of implementing a risk management program consistent with current NIST guidelines to federal agencies, but it seems the bureau has not moved beyond a system-specific view of security to better incorporate an enterprise-wide perspective and, within system-level procedures, often failed to fully document security controls, control assessments, weaknesses and vulnerabilities, and remediation plans. Indeed, the 13 recommendations for corrective action offered by GAO can be interpreted in the aggregate as an admonishment to follow existing standards and guidance to federal agencies to which the Census Bureau is already supposed to be adhering. The official bureau response to the audit findings, included as part of the published GAO report, suggests minor changes undertaken to achieve compliance but gives no indication that the bureau is taking any steps to improve its information security program. This offers little reassurance to members of the public that any meaningful improvement is forthcoming, either in the security posture of the Census Bureau’s computing environment or the protection of personal information entrusted to the bureau’s stewardship.
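Several of the access-control findings above (management traffic not on a dedicated subnet, devices without access control lists, self-signed or expired certificates, IDS sensors that do not cover every network segment) are the kind of thing an agency can check mechanically against its own device inventory. The script below is an added illustration, not anything from the GAO report or the Census Bureau; the management subnet, the device records, and the IDS coverage list are all constructed for the example, and the audit date is fixed so the results are reproducible.

```python
"""Inventory audit mirroring four of the GAO access-control findings.

Added example, not from the GAO report or the Census Bureau. The device
inventory, management subnet and IDS coverage below are constructed.
"""
import ipaddress
from datetime import date

# Assumption (constructed): management interfaces belong on 10.250.0.0/24.
MANAGEMENT_SUBNET = ipaddress.ip_network("10.250.0.0/24")
# Fixed audit date so the expiry check gives the same answer every run.
TODAY = date(2013, 3, 27)

# Constructed inventory modelled on what a configuration export might list.
DEVICES = [
    {"name": "core-rtr-1", "mgmt_ip": "10.250.0.5", "acl": True,
     "cert": {"issuer": "BureauCA", "subject": "core-rtr-1",
              "expires": date(2014, 1, 1)},
     "user_segments": ["10.10.0.0/16"]},
    # Managed over the user network and running with no ACL (findings 1 and 3).
    {"name": "dist-sw-2", "mgmt_ip": "10.10.4.20", "acl": False,
     "cert": {"issuer": "dist-sw-2", "subject": "dist-sw-2",   # self-signed
              "expires": date(2015, 1, 1)},
     "user_segments": ["10.20.0.0/16"]},
    # Signed certificate, but it lapsed before the audit date (finding 4).
    {"name": "db-01", "mgmt_ip": "10.250.0.40", "acl": True,
     "cert": {"issuer": "BureauCA", "subject": "db-01",
              "expires": date(2012, 6, 30)},
     "user_segments": []},
]

# Constructed: the segments an IDS sensor actually watches (finding 5).
IDS_COVERAGE = [ipaddress.ip_network("10.10.0.0/16")]


def audit_device(dev, today=TODAY):
    """Return the list of control weaknesses found on one device."""
    findings = []
    if ipaddress.ip_address(dev["mgmt_ip"]) not in MANAGEMENT_SUBNET:
        findings.append("boundary: management interface not on dedicated management subnet")
    if not dev["acl"]:
        findings.append("authorization: no access control list applied")
    cert = dev["cert"]
    if cert["issuer"] == cert["subject"]:
        findings.append("encryption: self-signed certificate")
    if cert["expires"] < today:
        findings.append("encryption: expired certificate")
    return findings


def uncovered_segments(devices, coverage):
    """Return (device, segment) pairs for user segments no IDS sensor watches."""
    gaps = []
    for dev in devices:
        for seg in dev["user_segments"]:
            net = ipaddress.ip_network(seg)
            if not any(net.subnet_of(watched) for watched in coverage):
                gaps.append((dev["name"], seg))
    return gaps


def run_audit(devices=DEVICES, coverage=IDS_COVERAGE):
    """Per-device findings plus the monitoring gaps across the inventory."""
    report = {dev["name"]: audit_device(dev) for dev in devices}
    report["_ids_gaps"] = uncovered_segments(devices, coverage)
    return report


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings)
```

Run as a script it prints one line per device; only `dist-sw-2` and `db-01` carry findings, and the `_ids_gaps` entry shows the user segment behind `dist-sw-2` that no sensor covers. Feeding a real configuration export into `DEVICES` is the only change needed to turn this into a recurring self-check rather than waiting for the next audit.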

Executive action on critical infrastructure protection renews debate on privacy and information sharing

The release last week of an Executive Order focused on “Improving Critical Infrastructure Cybersecurity” represents the latest move by the administration to encourage information sharing between the federal government and private sector entities responsible for operating and maintaining critical infrastructure such as power utilities, telecommunications, transportation, and other vital services. The Executive Order and a corresponding Presidential Policy Directive (PPD-21) on Critical Infrastructure and Resilience also renewed debate over the extent to which the government is ignoring, rolling back, or enabling the circumvention of existing privacy laws by allowing largely unrestricted information sharing about individuals in the name of national security. While the latest presidential missives include language about respecting privacy rights and invoke Fair Information Practice Principles and other safeguards for civil liberties, criticisms of the government’s new policy call out the lack of specificity about exactly what types of information can be shared under what circumstances. Concerns over privacy implications seem somewhat lower than those focused on the Cyber Intelligence Sharing and Protection Act (CISPA) reintroduced in the House of Representatives with language essentially unchanged from the version that failed to make it through the 112th Congress.

Much of the public concern related to greater levels of information sharing between private sector entities and the government focuses on the potential for personal information about individuals – including the contents of emails and Internet browsing behavior – to be freely handed over to the government. The focus of the Executive Order, however, is on government agencies sharing threat information, including classified information, with private sector entities in order to better coordinate critical infrastructure protection activities.

Without getting into the potentially intractable privacy and security debate intrinsic to any heightened domestic threat monitoring efforts, one of the interesting aspects of the reactions in response to the new Executive Order is how little of the policy it contains is new. The majority of the responsibilities and intended actions specified last week appear almost verbatim in Homeland Security Presidential Directive 7 (HSPD-7), issued by President Bush in December 2003. In particular, the identification, prioritization, and coordinated protection of critical infrastructure assets and the need to coordinate efforts with relevant private sector entities have been core parts of federal critical infrastructure protection policy and practice for several years. HSPD-7 placed federal oversight of critical infrastructure protection with the Department of Homeland Security and directed the DHS Secretary to “produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection” more commonly known as the National Infrastructure Protection Plan (NIPP). These responsibilities are reiterated in the Executive Order and PPD-21 (including requiring an update to the NIPP), augmented with the proposed development of a Cybersecurity Framework by the National Institute of Standards and Technology (NIST), the agency currently responsible for developing information security standards and guidance to satisfy federal legal, regulatory, and policy requirements, notably including those enumerated in the Federal Information Security Management Act (FISMA). It remains to be seen how much the new Cybersecurity Framework will resemble or draw upon the government’s current Risk Management Framework and associated recommended security controls, but given the government-wide progress in moving to a consensus approach and set of standards and guidelines, it seems to be a logical starting point.

First cloud service provider authorized under FedRAMP

Just over a year after OMB formally announced the Federal Risk and Authorization Management Program (FedRAMP), which relies on third-party assessments of cloud service providers seeking to offer their services to government agencies, the FedRAMP Joint Authorization Board issued its first provisional authority to operate (ATO) to Autonomic Resources for its infrastructure-as-a-service offering, the Autonomic Resources Cloud-Platform (ARC-P). Autonomic Resources only serves the federal government market with its services, which currently include cloud-hosted email as well as infrastructure.

Supreme Court rules unanimously that GPS tracking of suspects requires a warrant

The U.S. Supreme Court published a decision yesterday in United States v Jones, in which it held unanimously (although with three separate opinions using different reasoning to reach the same conclusion) that the use of a GPS monitoring device to conduct long-term surveillance of an individual requires a warrant. When the Court granted certiorari and the case was argued last November, legal analysts suggested the ruling could be the most significant Fourth Amendment case in recent memory, but the arguments among the justices authoring the three opinions (Scalia, writing for the Court and joined by four of his colleagues; Alito, joined by two others; and Sotomayor) as to the best way to interpret key precedents leave unresolved some fundamental questions about the constitutionality of electronic surveillance methods.

In the D.C. Circuit appellate case that was the basis of the appeal to the Supreme Court, the crux of the government’s argument was that use of a GPS device to conduct surveillance did not violate an individual’s reasonable expectation of privacy, applying Justice Harlan’s test from his concurring opinion in Katz v. United States. The Supreme Court appeared to find the reasonable expectation of privacy issue moot, concluding simply that placement of a GPS tracking device on the suspect’s vehicle (an “effect” for purposes of applying the Fourth Amendment) constituted a search, and rejecting the government’s assertion that without a reasonable expectation of privacy, no search occurred. The court’s opinion refutes the government’s apparent suggestion that applying Katz somehow substitutes for common-law approaches based on trespass rights. The strength of the argument applied here is that the trespass perpetrated by the police involved a personal effect, an item explicitly protected in the Fourth Amendment.

Justice Alito’s concurring opinion reaches the same decision on the facts of the case as the official opinion but relies solely on Katz to do so, due to the many difficulties associated with relying on trespass law and pointing out that court precedent has established that the fact that a trespass occurred is neither necessary nor sufficient to establish a violation under the Fourth Amendment. Justice Alito further argues that the two separate events (installing the GPS device and using the device to gather information) alone would not constitute a search. With the specifics of this case, the court did find that the combination of physical trespass with an intent to gather information unquestionably constitutes a search and therefore invokes the protections of the Fourth Amendment. The problem with this approach, as both Justice Alito and Justice Sotomayor note in their concurring opinions, is that if GPS monitoring can be performed without a technical trespass, the court’s argument in this case would provide little protection.

This ruling stops short of addressing another issue raised during the appellate process regarding whether the length of time during which a subject is under continuous surveillance has any bearing on his or her reasonable expectation of privacy. Other cases involving electronic surveillance devices, notably including United States v. Knotts, addressed limited or short-term tracking, leaving open the question of whether more prolonged use would require a different application of constitutional principles. Justice Alito, relying solely on Katz to base his concurring opinion argument, determined that “longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.” Justice Scalia expresses some frustration with Justice Alito’s reasoning, suggesting that under the Harlan standard, prolonged continuous electronic surveillance would be permissible under current constitutional interpretation. Justice Sotomayor provided a closer consideration of the nature of GPS tracking technology and the potential evolution of societal expectations of privacy, which are a key element in the Harlan test under Katz. She goes so far as suggesting that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties” and to reject the prevailing assumption that secrecy is a prerequisite for privacy. It appears a more comprehensive ruling on GPS tracking and other forms of electronic monitoring will have to wait for a case with a set of circumstances that limits the Court to considerations of the reasonableness of such monitoring, with or without regard to the length of time over which it occurs.