Exploring the science and magic of Identity and Access Management

Source Doc: Department of Defense Strategy for Operating in Cyberspace

Information Security, Source Doc
Author: Mark Dixon
Tuesday, July 19, 2011
9:34 am

Last week, I reported that the US Department of Defense had released a highly-anticipated document, entitled, “Department of Defense Strategy for Operating in Cyberspace.”  Here is a bit of an overview of the document.

The high degree of the Department of Defense’s dependence on cyberspace is abundantly evident:

Along with the rest of the U. S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.

In speaking of the risks the DoD faces in this area, the report states:

Potential U. S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on for its operations. DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems.

In response to these concerns, the DoD has outlined five strategic initiatives:

  • Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential
  • Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems
  • Strategic Initiative 3: Partner with other U. S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy
  • Strategic Initiative 4: Build robust relationships with U. S. allies and international partners to strengthen collective cybersecurity
  • Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation

The report concludes:

The Department’s five strategic initiatives offer a roadmap for DoD to operate effectively in cyberspace, defend national interests, and achieve national security objectives. Each initiative is distinct, yet necessarily connected with the other four. Across the strategy, activities undertaken in one initiative will contribute to DoD’s strategic thinking and lead to new approaches in the others.

By pursuing the activities in this strategy, DoD will capitalize on the opportunities afforded to the Department by cyberspace; defend DoD networks and systems against intrusions and malicious activity; support efforts to strengthen cybersecurity for interagency, international, and critical industry partners; and develop robust cyberspace capabilities and partnerships. This strategy will guide the Department’s defense of U. S. interests in cyberspace so that the United States and its allies and partners may continue to benefit from the innovations of the information age.

The work the DoD does will inevitably impact the private sector as well. We can only hope that the efforts the DoD exerts will not subjugate the Internet to military rule.


Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm

On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments needs to be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself.  The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.


Source Doc: Policy Framework for the 21st Century Grid

Information Security, Source Doc
Author: Mark Dixon
Tuesday, June 14, 2011
1:56 pm

On Monday, the White House released a policy paper entitled, “A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future.”  This report sets forth policy recommendations that build upon the Energy Independence and Security Act of 2007 and the Obama Administration’s smart grid investments to foster long-term investment, job growth, and innovation, and to help consumers save money.

The document’s foreword states:

A smarter, modernized, and expanded grid will be pivotal to the United States’ world leadership in a clean energy future. This policy framework focuses on the deployment of information and communications technologies in the electricity sector. As they are developed and deployed, these smart grid technologies and applications will bring new capabilities to utilities and their customers. In tandem with the development and deployment of high-capacity transmission lines, which is a topic beyond the scope of this report, smart grid technologies will play an important role in supporting the increased use of clean energy.

A 21st century clean energy economy demands a 21st century grid. Much of the traditional electricity infrastructure has changed little from the original design and form of the electric grid as envisioned by Thomas Edison and George Westinghouse at the end of the 19th century (EEI 2011, p6). In a 21st century grid, smart grid technologies will help integrate more variable renewable sources of electricity, including both utility scale generation systems such as large wind turbines and distributed generation systems such as rooftop solar panels, in addition to facilitating the greater use of electric vehicles and energy storage. Moreover, such technologies will help enable utilities to manage stresses on the grid, such as peak demand, and pass savings on to consumers as a result.

The report introduction explains further:

The Federal Government, building on the policy direction set forth in the Energy Independence and Security Act of 2007 and the Recovery Act’s historic investments in innovation, offers this policy framework to chart a path forward on the imperative to modernize the grid to take advantage of opportunities made possible by modern information, energy, and communications technology.

The report concludes:

Smart grid technologies and programs represent an evolution in how our electricity system operates. As this report highlights, this transition offers significant promise for utilities, innovators, consumers, and society at large. This document has outlined four essential pillars that will enable the United States to transition to a smarter grid:

  1. Enable Cost-Effective Smart Grid Investments: Smart grid technology can drive improvements in system efficiency, resiliency, and reliability, and help enable a clean energy economy through cost-effective grid investments. Many of these technologies promise to pay for themselves in operational improvements and energy savings. The Federal Government’s research, development and demonstration projects, technical assistance, information sharing on technologies and programs, and evaluations provide valuable guidance for utilities, consumers, and regulators about what approaches are the most cost-effective, thereby paving the way for the effective, ongoing upgrade of the grid.
  2. Unlock the Potential of Innovation in the Electricity Sector: A modernized electric grid promises to be a powerful platform for new products and services that improve grid operations and deliver comfort, convenience, and savings to energy customers.
  3. Empower Consumers and Enable Informed Decision Making: The success of smart grid technologies and applications depends on engaging and empowering both residential and small business consumers. New tools and programs promise to provide consumers personalized information and equip them to make informed energy choices, while ensuring their energy consumption data is accorded privacy protections.
  4. Secure the Grid: Protecting the electric system from cyber attacks and ensuring it can recover when attacked is vital to national security and prosperity. Developing and maintaining threat awareness and rigorous cybersecurity guidelines and standards are keys to a more secure grid.

The current electric grid and the proposed smart grid are fascinating to me.  From my perspectives as a residential customer, a security professional and an old electrical engineer, it seems incredible that the old system we have works so well. At the same time, the emerging smart grid system should have great benefits for us all … and provide huge employment opportunities to those involved for many years to come.


Source Doc: The Information Needs Of Communities

Social Media, Source Doc, Technology, Telecom
Author: Mark Dixon
Monday, June 13, 2011
5:08 pm

On June 9th, the Federal Communications Commission issued an interesting document, “The Information Needs of Communities – The Changing Media Landscape In A Broadband Age,” authored by Steven Waldman and The Working Group On Information Needs Of Communities.  (A two-page summary of the document is available here.)

The document introduction states:

In culmination of its work over the last year, the FCC Working Group on the Information Needs of Communities delivered a report on June 9, 2011 addressing the rapidly changing media landscape in a broadband age. In 2009, a bipartisan Knight Commission found that while the broadband age is enabling an information and communications renaissance, local communities in particular are being unevenly served with critical information about local issues.

Soon after the Knight Commission delivered its findings, the FCC initiated a staff-level working group to identify crosscurrents and trends, and make recommendations on how the information needs of communities can be met in a broadband world.

I enjoyed reading the statement by FCC Commissioner Michael J. Copps that accompanied the document’s release; here are a few excerpts:

Let’s begin with a basic truth: the future of our country’s media is an issue that goes to the heart of our democracy. A well-informed electorate is the premise and prerequisite of functioning self-government. To make this compact work, it is imperative that the FCC play a vital role in helping to ensure that all Americans have access to diverse and competing news and information that provide the grist for democracy’s churning mill.

The Digital Age holds amazing promise for expanding the scope of our democratic discourse. The Staff Report recognizes this and the present Commission has focused tremendous energy on both broadband deployment and adoption. But let’s recognize up-front that building a new town-square paved with broadband bricks and stacked with good news and information is not going to happen on auto-pilot.

An open Internet is not the entire solution for robust Twenty-first century journalism. It’s tougher than that, and I, for one, don’t believe we’ll get there absent some positive public policy solutions. We have never had successful dissemination of news and information in this country without some encouraging public policy guidance, going back to the earliest days of the young republic when Washington, Madison and Jefferson saw to it that newspapers were financially able to reach readers all across the fledgling young republic.

These issues mean a lot to me because I believe they mean a lot to our country. I have been outspoken about them–and sometimes blunt, I know. I intend to keep speaking out on them in the months and, if needed, the years ahead. This nation faces stark and threatening challenges to the leadership that brought us and the world successfully through so many dire threats in the century just past. Now we confront fundamental new uncertainties about the revival of our economy, where new jobs will come from, how we will prosper in a hyper-competitive global arena, how to support the kind of education that our kids and grandkids will need to thrive–indeed to survive–in this difficult time, how to open the doors of opportunity to every American, no matter who they are, where they live, or the particular circumstances of their individual lives. We’ve got a lot to get on top of as a country and if we don’t have the facts, don’t have the information, and don’t have the news about what’s going on in the neighborhood and the town and the nation and world around us, our future will be vastly diminished. That’s why so much rides on the future of what we are talking about today.

I think these are valuable objectives, but it isn’t clear where this document will lead.  One author commented, “FCC Report on Media Offers Strong Diagnosis, Weak Prescriptions.”

I personally feel sensitive to this changing landscape.  I love the innovation of the USA Today and Wall Street Journal iPad apps, but I still enjoy reading the local paper-based newspaper over breakfast.  But my favorite local newspaper went out of business a couple of years ago, and the surviving newspaper is steadily shrinking in size.  This local newspaper’s online presence falls far short of the USA Today/WSJ readability model.  It will be interesting to see how this all plays out.

To start with, I think I’ll transfer the whole 465-page report to my iPad and read it there.

PS.  I think the FCC has an ugly logo.  That’s all.


Source Doc: Cybersecurity, Innovation and The Internet Economy

Information Security, Source Doc
Author: Mark Dixon
Friday, June 10, 2011
10:09 pm

The Department of Commerce Internet Policy Task Force recently released a “green paper” document entitled, “Cybersecurity, Innovation and The Internet Economy.”

Secretary of Commerce Gary Locke stated in his introductory message:

The following report – or green paper – recommends consideration of a new framework for addressing internet security issues for companies outside the orbit of critical infrastructure or key resources. While securing energy, financial, health and other resources remains vital, the future of the innovation and the economy will depend on the success of Internet companies, and ensuring that these companies are trusted and secure is essential. This is the area of our focus.

The report recommends that the U. S. government and stakeholders come together to promote security standards to address emerging issues. It also proposes that the government continue to support both innovations in security and on the Internet more broadly. We believe this framework will both improve security at home and around the world so that Internet services can continue to provide a vital connection for trade and commerce, civic participation, and social interaction around the globe.

I haven’t yet read the complete document, but I look forward to understanding the policy recommendations laid out in it and seeing how they influence the improvement of information security in the years going forward.


Source Doc: 2010 Data Breach Investigations Report

Information Security, Source Doc
Author: Mark Dixon
Tuesday, August 17, 2010
10:09 pm

The 2010 Data Breach Investigations Report covers a study conducted by the Verizon Business RISK team in cooperation with the United States Secret Service.

In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them.

Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases to the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses on prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts.

With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records. We’ve learned a great deal from this journey and we’re glad to have the opportunity to share these findings with you. As always, our goal is that the data and analysis presented in this report proves helpful to the planning and security efforts of our readers.


Source Doc: XACML 3.0 Enhancements

Identity, Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:54 am

Presentation by Gerry Gebel of Axiomatics at the Kantara workshop. It includes a good overview of XACML and coverage of the v3.0 enhancements.



Source Doc: OpenID Security Issues

Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:16 am

Presentation by Ashish Jain, Andrew Nash and Jeff Hodges of PayPal Information Risk Management at OpenID Summit, 2 November 2009.


Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.