Email-based cyber penetrations should cause industry and government to consider utilizing alternative communication channels, says the European Network and Information Security Agency. "When you say that email is not secure, [people] are shocked," said Louis Marinos, an ENISA senior expert in risk management. Existing phishing filters and antivirus products "do not seem to be always working when attacks are performed over a long period of time," the report says.
"Once we decide that a federal response is warranted, there's still a broad spectrum of actions we could potentially take," said White House Cybersecurity Coordinator Michael Daniel during a Feb. 28 address at the RSA Conference in San Francisco. The White House hopes to expand the tools, both digital and physical, the president can use to respond to cyber attacks.
The report (.pdf), dated January 2013, says the mandates the DoD chief information officer and the Defense Information Systems Agency could establish include aspects of trusted computing such as hypervisor attestation to assure that the hypervisor hasn't been corrupted, cryptographic sealing and "strong virtual machine isolation."
Asia, and China in particular, has become the global locus of competition in cyberspace, says cybersecurity theorist James Andrew Lewis, in a new paper. Were it not for the fact of malicious Chinese cyber activities--which fall below the threshold of warfare but include rampant and internationally destabilizing cyber espionage--cyber conflict as an issue "would have a much lower profile and be of much less concern both regionally and globally."
A Defense Science Board task force says the Defense Department should segregate a portion of its military force to ensure it has the capability to complete missions in the event of a catastrophic cyber attack. Ensuring the deterrence threat is credible will require separating some military forces of sufficient capability from the wider DoD network, at least until Defense develops the capability to return assets to a trusted, known state, the report says.
The Veterans Affairs Department was transmitting sensitive data, including personally identifiable information and internal network routing information, over an unencrypted telecommunications carrier network, according to a March 6 VA Office of Inspector General report (.pdf).
"Effective continuous monitoring of computer workstations allows security issues to be identified and mitigated promptly, reducing the likelihood of a security breach," states the report. "When IRS data and its network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure and theft."
Most major federal agencies have issued to a majority of employees the personal identity verification smartcards required by the 2004 Homeland Security Presidential Directive 12, but their utilization for network access remains mostly an exception.
Better coordination of cybersecurity research and development efforts between the public and private sectors is needed to counter growing cyber threats to the United States, according to a Feb. 26 joint congressional hearing of two House Space, Science and Technology subcommittees. That job is better left to Congress and not to the president, says Committee Chairman Lamar Smith (R-Texas).
Information technology appropriations typically get embedded within larger budget line requests, but some large efforts or IT offices do receive a budget line of their own, and so are visible in the Office of Management and Budget sequestration report (.pdf) the agency sent to Congress on March 1. For example, the e-government fund managed by the General Services Administration will undergo cuts of 5 percent, an amount equal to $600,000.