The National Institute of Standards and Technology (NIST) has released its 2010 Computer Security Division Annual Report. Donna Dodson, Chief, Computer Security Division & Deputy Chief Cybersecurity Advisor offers the following in her welcome statement:

The Computer Security Division (CSD), a component of NIST’s Information Technology Laboratory (ITL), conducts research, development and outreach necessary to provide standards and guidelines,  tools, metrics and practices to protect our nations information and  communication infrastructure.

In fiscal year (FY) 2010, CSD continued to build on its work in security management and assurance, cryptography and systems security, identity management and emerging security technologies.   CSD played a vital role in both national and international security  standard setting.  The division continues its leadership role in technologies and standards for Cloud Computing, Identity Management and as a Government Wide Leader and national coordinator  for the National Initiative for Cybersecurity Education (NICE).  In addition, this year marked the publication of NIST Interagency Report  (NISTIR) 7628,  Guidelines for Smart Grid Security, which identifies  security requirements applicable to the Smart Grid, security-relevant use cases, logical interface diagrams and interface categories,  vulnerability classes abstracted from other relevant cyber security  documents, specific issues applicable to the Smart Grid, and privacy concerns. We also continued to provide reference specifications  in multiple areas, allowing others to leverage our work to increase  the security of their systems and products.

…
Looking forward to FY2011, CSD plans to continue its work in information security, producing standards, guidelines, technical reference materials and specifications to improve the information security management of systems across the Nation and around the  world.

By the way, this report has the coolest front cover of any government report in recent history.  The image shown above is but a small excerpt.  Not that this has anything to do with the contents of the report or anything …

On Monday, the White House released a policy paper entitled, “A Policy Framework for the 2st Century Grid: Enabling Our Secure Energy Future.”  This report sets forth policy recommendations that build upon the Energy Independence and Security Act of 2007 and the Obama Administration’s smart grid investments to foster long-term investment, job growth, innovation, and help consumers save money.

The document’s foreword states:

A smarter, modernized, and expanded grid will be pivotal to the United States’ world leadership in a clean energy future. This policy framework focuses on the deployment of information and communications technologies in the electricity sector As they are developed and deployed, these smart grid technologies and applications will bring new capabilities to utilities and their customers In tandem with the  development and deployment of high-capacity transmission lines, which is a topic beyond the scope  of this report, smart grid technologies will play an important role in supporting the increased use of  clean energy.

A 21st century clean energy economy demands a 21st century grid. Much of the traditional electricity  infrastructure has changed little from the original design and form of the electric grid as envisioned by Thomas Edison and George Westinghouse at the end of the 19th century (EEI 2011, p6). In a 21st  century grid, smart grid technologies will help integrate more variable renewable sources of electricity,  including both utility scale generation systems such as large wind turbines and distributed generation systems such as rooftop solar panels, in addition to facilitating the greater use of electric vehicles and  energy storage. Moreover, such technologies will help enable utilities to manage stresses on the grid, such as peak demand, and pass savings on to consumers as a result.

The report introduction explains further:

The Federal Government, building on the policy direction set forth in the Energy Independence and Security Act of 2007 and the Recovery Act’s historic investments in innovation, offers this policy framework to chart a path forward on the imperative to modernize the grid to take advantage of opportunities made possible by modern information, energy, and communications technology.

The report concludes:

Smart grid technologies and programs represent an evolution in how our electricity system operates. As this report highlights, this transition offers significant promise for utilities, innovators, consumers,and society at large. This document has outlined four essential pillars that will enable the United Statesto transition to a smarter grid:

1. Enable Cost-Effective Smart Grid Investments: Smart grid technology can drive improvements in system efficiency, resiliency, and reliability, and help enable a clean energy economy through cost-effective grid investments. Many of these technologies promise to pay for themselves in operational improvements, and energy savings. The Federal Government’s research,development and demonstration projects, technical assistance, information sharing on technologies and programs, and evaluations provide valuable guidance for utilities, consumers, and regulators about what approaches are the most cost-effective, thereby paving the way for theeffective, ongoing upgrade of the grid.
2. Unlock the Potential of Innovation in the Electricity Sector: A modernized electric grid promises to be a powerful platform for new products and services that improve grid operations and deliver comfort, convenience, and savings to energy customers.
3. Empower Consumers and Enable Informed Decision Making: The success of smart grid technologies and applications depends on engaging and empowering both residential and small business consumers. New tools and programs promise to provide consumers personalized information and equip them to make informed energy choices, while ensuring their energyconsumption data is accorded privacy protections.
4. Secure the Grid: Protecting the electric system from cyber attacks and ensuring it can recover when attacked is vital to national security and prosperity. Developing and maintaining threat awareness and rigorous cybersecurity guidelines and standards are keys to a more secure grid.

The current electric grid and the proposed smart grid are fascinating to me.  From my perspectives as a residential customer, a security professional and an old electrical engineer, it seems incredible that the old system we have works so well. At the same time, the emerging smart grid system should  have great benefits for us all … and provide huge employment opportunities to those involved for many years to come.

The Department Of Commerce
Internet Policy Task Force
recently released a “green paper” document entitled, “Cybersecurity, Innovation and The Internet Economy”

Secretary of Commerce Gary Locke stated in his introductory message:

The following report – or green paper – recommends consideration of a new framework for addressing internet security issues for companies outside the orbit of critical infrastructure or key resources. While securing energy, financial, health and other resources remain vital, the future of the innovation and the economy will depend on the success of Internet companies and ensuring that these companies are trusted and secure is essential. This is the area of our focus.

The report recommends that the U. S. government and stakeholders come together to promote security standards to address emerging issues. It also proposes that the government continue to support both innovations in security and on the Internet more broadly. We believe this framework will both improve security at home and around the world so that Internet services can continue to provide a vital connection for trade and commerce, civic participation, and social interaction around the globe.

I haven’t yet read the complete document but, but look forward to understanding the policy recommendations laid out in the document and seeing how they influence the improvement of information security in the years going forward.

Cyberwarzone.com is a “portal for information on cyberspace related issues. Cyberwarzone collects information about ongoing events in the cyberspace world. The goal is to provide information on cyberwarfare, cybercrime and cyberterrorism.”

The site was founded and is maintained by a 21-year old digital forensics student, Reza Rafati.

Two associated sites are

• Worldwidenews.cyberwarzone.com. This projects “grabs” feeds from around the world and puts them on a list or a GEO-TAG enabled map. (GEO-tagging allows people to see where the news was published).
• Network portal for Cyber warfare security experts. This site is a news and collaboration site for information security experts.

When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.

These goals will require the active collaboration of all levels of government and the private sector  The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

Where are Abby Sciuto and Timothy McGee when we need their help?  It would seem that their almost supernatural skills in cybersecurity and good-guy hacking are in great demand.  As reported by Josh Smith in NextGov:

Many of the FBI field agents assigned to combat cyber threats say they do not have enough expertise to do it, according to a new report from the Justice Department’s inspector general.

 

Justice Department officials found that more than a third of the 36 FBI agents surveyed said they don’t have the networking or counterintelligence expertise needed to effectively investigate national security breaches. The report also said that field offices lacked the forensic and analytical capabilities to take on national security investigations.

Sen. Susan Collins, R-Maine, who has proposed cybersecurity legislation on Capitol Hill, said the need for a capable cybersecurity work force is “more urgent than ever.”

“The threat of cyber attacks continues to grow every day,” said Collins, ranking member on the Homeland Security and Governmental Affairs Committee, in a statement. “That is why it is so troubling that the federal government has not adequately trained its cyber professionals to combat these threats.”

…

 

A dearth of trained cybersecurity professionals is plaguing government and industry efforts, with some analysts estimating that the U.S. needs 20,000 to 30,000 more people to adequately defend cyberspace.

The recent security breach affecting Sony Corp’s PlayStation network, is receiving high profile attention. As reported by Nick Wingfield in today’s Wall Street Journal:

Two U. S. Congress members are asking Sony Corp. to explain its handling of the recently disclosed data breach involving its PlayStation Network, one of the largest data thefts in history.

 

On Friday, Rep. Mary Bono Mack (R., Calif.) and Rep. G.K. Butterfield (D., N.C.), members of a Congressional subcommittee on commerce, manufacturing and trade, asked Kazuo Hirai, the head of Sony’s videogames division, to address their concerns. The letter asked when Sony first learned of the recent breach, why it waited days to notify its customers, and how Sony intends to prevent further breaches in the future.

Sony has said the breach occurred earlier this month and resulted in the loss of names, addresses and possibly credit card numbers associated with 77 million accounts on its online game network. While Sony and law enforcement officials haven’t addressed whether they have any suspects in the intrusion, one prominent target of a past Sony legal attack over a hacking incident denied any involvement in the data theft.

…

 

Sony hasn’t said what the financial impact from the data intrusion will be. Larry Ponemon, founder of a firm called the Ponemon Institute that analyzes the costs of data breaches, estimated it could run as much as $1.5 billion, including everything from Sony’s own forensic investigation, to the diversion of Sony personnel from their regular responsibilities to the cost of making amends to customers with free offerings.

Today, in a Computerworld article entitled, “Security still top concern with cloud, despite Amazon outage,” Jaikumar Vijayan stated,

Despite the heightened focus on cloud availability and uptime caused by Amazon’s prolonged service outage last week, security will likely remain the bigger long-term concern for enterprises.

Kyle Hilgendorf, a cloud computing analyst at Gartner reminded us that we need to plan for emergencies:

Amazon portrays an aura of invincibility, whether intentional or not, and this outage is going to remind enterprise customers that nobody is perfect and increased due diligence is required.

However, Hilgendorf said that security is really the more pressing concern.

I still consider it to be the bigger, long-term concern. Enterprises I speak to are more concerned about security than they are about availability, reliability or performance.

Jonathan Penn, an analyst at Forrester Research, said that last week’s Amazon outage is sure to stoke enterprise anxiety about cloud performance and uptime, but security is still going to be the bigger worry for most enterprises.

Companies that are looking to move applications to a hosted cloud environment are going to want even more availability assurances from their vendors now.

Ultimately though, enterprises need to realize that there can never be 100% uptime in a cloud environment, just as there can never been continuous availability within an enterprise data center.

Failures of the sort that happened last week will happen again, and it’s up to enterprises to ensure that they have measures in place to mitigate any resulting service disruptions.

Over the longer term, the thornier issue for most companies will continue to be data security. Forrester’s clients have consistently rated security as their top concern with cloud computing, ahead of other issues such as performance and availability.

It looks like we in the information security industry still have our work cut out for us.

I first read the news about Apple’s secretive location tracking capability in the Kaspersky Labs Threat Post article, “Secret iPhone Feature Tracks Owners’ Whereabouts“:

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco on Wednesday. According to the researchers, Pete Warden, founder of Data Science Toolkit and Alasdair Allan a researcher at Exeter University in the UK, the tracking feature records the phone’s movements, including what cell phone towers and Wifi hotspots it connects to, when and where. While that information isn’t shared with Apple, it is retained even when iPhone users update their hardware, suggesting that Apple had plans to use the data at a later time.

Was I surprised?  No.  Irritated?  Yes.  We have one more piece of evidence, that when power is concentrated in the hands of a few, abuses tend to occur.

After reading the O’Reilly Radar article, “Got an iPhone or 3G iPad? Apple is recording your moves“, I followed a link to an application to see for myself:

How can you look at your own data?

We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.

The broad view clearly showed the four states in which I have used my month-old iPad:

But the real interesting view was of my supposed meanderings in Arizona:

I can easily explain three of the four major clumps of usage in the Phoenix metropolitan area – my home, the Phoenix airport, and a client site. But I have never taken my iPad to the fourth area of supposed heavy use.

All the outliers are even more problematic.  I used the iPad once in a mountainous area northeast of Phoenix, but all the other outliers?  My only explanation is that I must have forgotten to place the iPad in “Airplane Mode” on one or more more of my flights (heaven forbid!).  The iPad must have connected with dozens of cell towers as we flew over.

My message to Steve Jobs?  Please, just call. I’d gladly invite you over for dinner or take you to my favorite restaurant, where we could discuss the things that are important to me in my life.  But these shenanigans?  Really tawdry for a supposely high class company.

I am anxious for the time when I can buy groceries or pay for a meal with my iPhone.  According to Juniper Research, that time may be be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014.  NFC, or “Near Field Communication,” is a technology that allows a payment to be made by holding a device, such as a mobile phone, in close proximity to a NFC-capable point of sale terminal.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more than just putting moble wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still faces challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, its great to be in the industry that is making this all happen.