"10 providers serve 80 percent of the market. We have classified relationships with a good number of them." -- US Rep Mike Rogers, reminding us how the government creates cartel structures [source Reuters]
One of the more interesting news elements concerns how the federal government is going to hand out the very tastiest candy to contractors - specifically SAIC, it now appears - in the form of classified, undisclosed hacker attack goodies.
Interestingly, AT&T would get very very important info about vulnerabilities on Apple and other major corporate rivals, providing them with a colossal competitive edge in the so-called "marketplace".
Basically you have the introduction of a cartel system for hacking, reminiscent perhaps of the cartel system for distributing drugs so profitably for the powers-that-be. And of course Homeland Security in the middle, the keystone.
The government/contractor class is entering a more demented, less sound phase of the information age by hoarding important software bugs instead of getting them fixed.
Foreign spooks will surely get their hands on tons of hacks and way more systems will end up getting seriously assaulted. Putting up large cash bounties for responsible disclosure (i.e. telling people who can issue security patches to the public, then telling the public) is almost certainly a better way to approach the problem.
This current policy direction will probably cause far more havoc on the Internet than it will prevent, shocking an outcome as that may be.
Executive Order -- Improving Critical Infrastructure Cybersecurity | The White House
[...] Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [...]
Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.
So "critical infrastructure" includes plenty of big corporate interests, and anything that would affect their economic well-being is a threat. As always, these are regulations which make institutions more permanent, as opposition to the "critical" elements of society becomes blended with "terrorism".
U.S. gives big, secret push to Internet surveillance | Politics and Law - CNET News - April 24, Declan McCullagh (who probably doesn't talk to sources on the f&!!ing telephone that much these days)
Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.
The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12.
Those documents show the National Security Agency and the Defense Department were deeply involved in pressing for the secret legal authorization, with NSA director Keith Alexander participating in some of the discussions personally. Despite initial reservations, including from industry participants, Justice Department attorneys eventually signed off on the project.
The Justice Department agreed to grant legal immunity to the participating network providers in the form of what participants in the confidential discussions refer to as "2511 letters," a reference to the Wiretap Act codified at 18 USC 2511 in the federal statute books.
The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a "necessary incident" to providing the service or it takes place with a user's "lawful consent." An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It's not clear how many 2511 letters were issued by the Justice Department.
In 2011, Deputy Secretary of Defense William Lynn publicly disclosed the existence of the original project, called the DIB Cyber Pilot, which used login banners to inform network users that monitoring was taking place. In May 2012, the pilot was turned into an ongoing program -- broader but still voluntary -- by the name of Joint Cybersecurity Services Pilot, with the Department of Homeland Security becoming involved for the first time. It was renamed again to Enhanced Cybersecurity Services program in January, and is currently being expanded to all types of companies operating critical infrastructure.
So you have a pilot program that covered the "Defense Industrial Base" or DIB. The security measures used to keep tabs on contractor computers are now rolled out across the interwebs. More on DIB below.
But military-style wiretapping America with fancy 2511 loopholes isn't enough! Let's hand out hacks too! Not surprisingly the NSA's main digital plumbing people, specifically SAIC, are jumping aboard the classified Goodie Gravy train.
SAIC, Inc. : SAIC Signs Agreement With Department of Homeland Security To Be A Commercial Service Provider
05/15/2013 | 04:10pm US/Eastern
MCLEAN, Va., May 15, 2013 /PRNewswire/ -- Science Applications International Corporation (SAIC) (NYSE: SAI) signed a Memorandum of Agreement (MOA) with the Department of Homeland Security (DHS) Enhanced Cybersecurity Services (ECS) program to become a Commercial Service Provider (CSP) of approved ECS services that will strengthen protection of U.S. critical infrastructure against imminent cyber attacks. In accordance with the MOA, SAIC is developing the capability and security certifications to utilize threat indicators for securing critical infrastructure customers against cyber threats.
Securing the Future is a guiding mission for SAIC. For decades, SAIC professionals have served the U.S. government and corporate America with expertise and technology to better protect our citizens, our military and our networks. SAIC is currently collaborating with community leaders and building key technologies and architectures that enable trusted sharing of threat information in real-time to protect against both the known and unknown threat landscape.
ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS develops indicators based on this information and shares them with qualified CSPs, thus enabling them to better protect their customers who are critical infrastructure entities.
John Thomas, National Security Sector Acting President
"We must work together to protect our infrastructure, our economy, and our security from cyber attacks. If we don't work together, we won't succeed. This is why SAIC is proud to be a part of this endeavor to share valuable threat information between government and critical infrastructure providers."
Julie Taylor, Cybersecurity Operation Manager for National Security Services
"This collaboration between SAIC and DHS puts in place a new approach to threat sharing across public and private sectors that offers a positive shift in the threat landscape. Each step we take to cultivate our cyber ecosystem with trusted information sharing relationships will have a direct return on stabilizing our national security and our economy. Now that the doors of communication are open, we can further the cyber mission with valuable action as a team. "
David Lacquement, Cybersecurity Program Director
"As a former government executive in cyber threat management, I have seen firsthand the immense value that threat information sharing at network speed can offer to sustaining trusted channels for online transactions and communications. This public-private collaboration is strategically vital to significantly raising the level of cyber awareness, vigilance, and protection across our nation's critical infrastructure."
SAIC is a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The Company's approximately 40,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11.2 billion for its fiscal year ended January 31, 2013. For more information, visit www.SAIC.com. SAIC: From Science to Solutions®
Statements in this announcement, other than historical data and information, constitute forward-looking statements that involve risks and uncertainties. A number of factors could cause our actual results, performance, achievements, or industry results to be very different from the results, performance, or achievements expressed or implied by such forward-looking statements. Some of these factors include, but are not limited to, the risk factors set forth in SAIC's Annual Report on Form 10-K for the period ended January 31, 2013, and other such filings that SAIC makes with the SEC from time to time. Due to such uncertainties and risks, readers are cautioned not to place undue reliance on such forward-looking statements, which speak only as of the date hereof.
Contact: Melissa Koskovich, (703) 676-6762; Jennifer Gephart, (703) 676-6389
Here is the Department of Homeland Security page on it: Enhanced Cybersecurity Services | Homeland Security. See also Office of Cybersecurity and Communications and Stakeholder Engagement and Cyber Infrastructure Resilience. I wonder if someone gets applause for these titles, whew...
Enhanced Cybersecurity Services
Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. The Department of Homeland Security (DHS) actively collaborates with public and private sector partners every day to respond to and coordinate mitigation efforts against attempted disruptions and adverse impacts to the nation’s critical cyber and communications networks and infrastructure.
As the federal government’s lead agency for coordinating the protection, prevention, mitigation, and recovery from cyber incidents, DHS works regularly with business owners and operators to strengthen their facilities and communities. To accomplish this, the DHS Enhanced Cybersecurity Services (ECS) program was expanded in February 2013 by Executive Order - Improving Critical Infrastructure Cybersecurity.
ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities. ECS augments, but does not replace, an entity's existing cybersecurity capabilities.
The ECS program does not involve government monitoring of private networks or communications. Under the ECS program, information relating to threats and malware activities detected by the CSPs is not directly shared between the critical infrastructure CSP customers and the government. However, when a CSP customer voluntarily agrees, the CSP may share limited and anonymized information with ECS. See the Privacy Impact Assessment below for more details.
Critical Infrastructure Entities
Most critical infrastructure entities already utilize cybersecurity providers to protect their networks. The ECS program offers an enhanced approach to protecting these entities by supplementing existing services and commercial capabilities with U.S. Government cyber threat information. This approach supports the delivery of enhanced capabilities to eligible participants from all sectors.
Participation in the program is voluntary and is designed to protect government intelligence, corporate information security, and the privacy of participants, while enhancing the security of critical infrastructure. Validated entities from all critical infrastructure sectors are eligible to participate in the ECS program and receive ECS services from qualified CSPs.
To learn more about becoming a validated critical infrastructure entity, please contact the ECS Program Management Office at ECS_Program@HQ.DHS.gov.
Commercial Service Providers
CSPs receive threat information from DHS and use it to offer specified services to their critical infrastructure customers in a secure environment in order to ensure the security of government furnished information.
CSPs deliver services to eligible customers through commercial relationships. The ECS program is not involved in establishing the commercial relationships between CSPs and validated critical infrastructure entities. As of February 2013, the following CSPs are approved to provide ECS services to critical infrastructure entities:
DHS is working with several additional providers who seek to offer enhanced cybersecurity services to entities. To learn about becoming a CSP, please contact ECS_Program@HQ.DHS.gov.
Sector Specific Agencies
Sector Specific Agencies (SSAs) and DHS form a critical partnership within the ECS program. The role of the SSA is to leverage existing relationships with critical infrastructure entities to expand and improve ECS. The SSA is also responsible for helping to characterize risks and threats unique to critical infrastructure entities in their respective sectors. This characterization will enable the federal government to deliver the most effective indicators relevant to ECS protected entities based upon the unique threat environment of their sector. SSAs also serve as a vital conduit to DHS for data leading to requirements that will drive the development of ECS program capabilities.
Privacy and Civil Liberties
DHS embeds and enforces privacy protections and transparency in all its activities and uses the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual’s privacy. DHS has conducted and published a Privacy Impact Assessment for the ECS program. DHS also ensures that ECS and all of its cybersecurity activities are structured in a way that ensures individual rights are protected.
For more information, contact ECS_Program@HQ.DHS.gov.
Once you poke around on FedBizOpps.gov a little bit it's easier to see how they blow so much money in DC.
Fun FEMA Pork tangent: Here is a FEMA satellite phone sole source contract. On the one hand, it's good someone has a satellite phone in emergencies, but someone is profiting off this sale...
FEMA seeks to acquire on an other than full and open competition basis MSAT satellite terminals. These terminals are primarily utilized in Disaster Operations for mission critical communications within FEMA, as well as for communicating with strategic partners to support disasters. There is currently only one commercial satellite operator in North America offering two-way radio, push-to-talk (PTT) capability integrated with telephone. This feature makes it possible to communicate with another terminal in a specific talk group anywhere in CONUS. Authority is FAR 6.302-1 The anticipated period of performance is for one year. THIS NOTICE OF INTENT IS NOT A REQUEST FOR COMPETITIVE QUOTES. NO TELEPHONE INQUIRIES WILL BE ACCEPTED. A determination by the Government not to compete this acquisition based upon responses to this notice is solely within the discretion of the Government.
Contracting Office Address:
500 C Street SW
Patriots Plaza -- 5th Floor
Washington, District of Columbia 20472
Anyway here is the Reuters story central to this whole turn of narrative, a new system "Outside of the Military Industrial Complex" indeed.
REUTERS: Government to Share Cyber Security Information with Private Sector - By Joseph Menn | May 15, 2013
The U.S. government will use classified information about software vulnerabilities for the first time to protect companies outside of the military industrial complex, top officials told Reuters this week.
Secretary of Homeland Security Janet Napolitano said that a system being developed to scan Internet traffic headed toward critical businesses would block attacks on software programs that the general population does not realize are possible.
“It is a way to share information about known vulnerabilities that may not be commonly available,” Napolitano said at the Reuters Cybersecurity Summit in Washington, D.C.
The information would come from “a variety of sources” including intelligence agencies, she said on Tuesday.
The National Security Agency and other intelligence agencies develop and acquire knowledge about software flaws in order to penetrate overseas networks. Until now, there has been no straightforward way for these agencies to share that classified data with U.S. companies outside the defense sector, even though those companies could become victims of cyber attacks.
The plan is to discreetly share the data through what the government calls Enhanced Cybersecurity Services. Under a February presidential order, those services will be offered by telecommunications and defense companies to utilities, banks and other critical infrastructure companies that choose to pay for them.
Napolitano’s Department of Homeland Security will take the information from the NSA and other sources, and relay it to service providers with security clearances. The service providers would then use these “attack signatures” – such as Internet routing data and content associated with known adversary groups – to screen out malicious traffic.
Napolitano’s comments were the first disclosure that the screening would also cover attacks on software using methods known to the government that have not been disclosed to the software manufacturers or buyers.
While U.S. intelligence agencies have at times warned software manufacturers, such as Microsoft Corp. and Google Inc., or Homeland Security officials of specific, declassified problems, the new system will be machine-to-machine and far more rapid.
It reflects the realization that many espionage attacks from overseas are aimed at the private sector and that future destructive attacks may arrive the same way. (Classified attack signatures have been used to protect defense manufacturers under a Pentagon program.)
House of Representatives Intelligence Committee Chairman Mike Rogers said he was glad about the plan to share more broadly information about vulnerabilities, while maintaining control of the process to avoid tipping off rival countries or criminals.
“This can’t happen if you post it on a website,” Rogers, a Republican and lead author of a cybersecurity information-sharing bill that has passed the House, told the Summit. “We have to find a forum in which we can share it, and 10 providers serve 80 percent of the market. We have classified relationships with a good number of them.”
Among those that have agreed to provide the classified security services are AT&T Inc. and Raytheon Co. Northrop Grumman Corp. said this week it had also joined the program.
The secret but widespread U.S. practice of buying up tools leveraging unknown or “zero-day” software flaws for spying or attacks was the subject of a Reuters Special Report last week, in which former White House cybersecurity advisors said more flaws should be disclosed for defensive reasons.
Michael Daniel, the White House cybersecurity policy coordinator, told the Summit the Enhanced Cybersecurity Services program was still evolving and the type of information shared would change as threats do.
“We want to use the full capabilities that we have to protect as much of the critical infrastructure as we can with that program,” he said.
(Reporting by Joseph Menn; Editing by Tiffany Wu and Leslie Gevirtz)
Here is the earlier Zero Day story: Booming 'zero-day' trade has Washington cyber experts worried | Reuters
(Reuters) - The proliferation of hacking tools known as zero-day exploits is raising concerns at the highest levels in Washington, even as U.S. agencies and defense contractors have become the biggest buyers of such products.
White House cybersecurity policy coordinator Michael Daniel said the trend was "very worrisome to us."
Asked if U.S. government buying in the offensive market was adding to the problem, Daniel said more study was needed. "There is a lot more work to be done in that space to look at the economic questions...so we can do a better job on the cost-benefit analysis," he said.
Some security experts say the government's purchasing power could help instead of hurt. They argue the U.S. government should bring the market into the open by announcing it will pay top dollar for zero-days and then disclosing all vulnerabilities to the companies concerned and their customers.
"Given that people are now buying vulnerabilities, the U.S. should simply announce that it is cornering the market, that they will pay 10 times anyone else," said Dan Geer, chief information security officer at In-Q-Tel, the U.S. intelligence community's venture capital firm. He said he was speaking outside of his official capacity.
IN-Q-TEL TROLLING. FACK... This story is going all over the place. In-Q-Tel is the CIA's venture capital wing, worth noting for those unfamiliar. They use government money to make private venture capitalists tons of profits - for example building up Keyhole into Google Earth, which, when installed on your computer, phones home constantly.
In-Q-Tel - Wikipedia. Among other things: "In-Q-Tel sold 5,636 shares of Google, worth over $2.2 million, on Nov 15, 2005. The stocks were a result of Google's acquisition of Keyhole, the CIA funded satellite mapping software now known as Google Earth."
Exclusive: Google, CIA Invest in 'Future' of Web Monitoring | Danger Room | Wired.com: "The investment arms of the CIA and Google are both backing a company that monitors the web in real time — and says it uses that information to predict the future."
In-Q-Tel: The CIA's Tax-Funded Player In Silicon Valley : All Tech Considered : NPR && 25 Cutting Edge Companies Funded By The Central Intelligence Agency - Business Insider
Batchez of linx follow when diving into this newest gravy train. Here is a plain setup showing a bunch of classified stuff about to go out the door to shady contractors, I'm sure none of them sketchballs with foreign intelligence angles who will sell out and use the good stuff to attack for massive profit.
DIBS ON YOUR INTERNETS: This is probably the original DIB thing now foisted on America at large, or closer to it:
www.dc3.mil/dcise/DIB Enhanced Cybersecurity Services Procedures.pdf
DIB Enhanced Cybersecurity Services (DECS)
The Department of Defense (DoD) in coordination with the Department of Homeland Security (DHS) is actively engaged in multiple efforts to foster mutually beneficial partnerships with the Defense Industrial Base (DIB) to protect DoD information residing on or passing through DIB company systems. One such effort is the DIB Cyber Security/Information Assurance (CS/IA) Program, including its optional DIB Enhanced Cybersecurity Services (DECS) component.
Under the optional DECS component of the DIB CS/IA Program, the Government will furnish classified cyber threat and technical information either to a DIB company or to the DIB company’s Commercial Service Provider (CSP). This sensitive, Government-furnished information enables these DIB companies, or the CSPs on behalf of their DIB customers, to counter additional types of known malicious cyber activity, to further protect DoD program information.
This is also nuts: www.uscg.mil/hq/cg5/cg544/docs/ECS_Fact_Sheet.pdf
And: Raytheon, Lockheed Get U.S. Secrets as Cybersecurity Go-Betweens
Cyber Security, Critical Infrastructure, and Obama’s Executive Order - Deloitte CIO - WSJ
Northrop, US DHS team up to support enhanced cybersecurity services :: Strategic Defence Intelligence
U.S. gives big, secret push to Internet surveillance | Politics and Law - CNET News
Other Major Moves of Note right now: Of course the Bitcoin ecosystem got a major swipe at it from Department of Homeland Security's new uber-agency, Homeland Security Investigations. Warrant Reveals Homeland Security Seized Mt. Gox’s Dwolla Account for ‘Unlicensed Money Transmitting’ | Betabeat. I covered some key notes on the ever-spreading DHS-HSI organization in April 2012.
Associated Press situation is a big deal too. via @johnknefel: What's at Stake When the Department of Justice Seizes AP Phone Records | Politics News | Rolling Stone
Anyway I will leave it there for now. The Hack Cartel rides high today, but as with all these corrupt authoritarian bubbles they tumble sooner or later.
The Cyberwar fleet of fools will sink of its own accord, but how many innocent fishing boats will get capsized in the wake of their fooling about?