The US Department of Homeland Security will look at private-sector companies in an effort to mitigate cyber-attacks
The government is proposing to extend existing powers, so it can analyse the communications of organisations such as banks, utility providers and transport companies, to prevent online attacks on the country’s infrastructure, according to US security officials.
The move is in response to an executive order signed by President Obama in February that calls upon the owners and operators of critical US infrastructure to “improve cyber-security information sharing and collaboratively develop and implement risk-based standards”.
The order also called on the Department of Homeland Security (DHS) to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a “set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks”.
The order called upon the DHS to establish the required procedures within six months.
In response, the agency is planning to expand an existing programme that currently scans the Internet communications of military contractors to include a wider array of private-sector organisations, according to US government security officials, who testified on the matter at a congressional hearing last week. Participation in the programme will be voluntary.
The organisations participating in the programme will submit data such as web traffic and email communications to the DHS, which will pass it to private-sector telecommunications and security providers that have employees holding security clearances.
These companies, which will be paid for their efforts, will analyse the data based on classified information that targets particular espionage or hacking threats, provided by US intelligence agencies including the National Security Agency (NSA).
Companies that have so far signed up to carry out scanning operations include AT&T and Raytheon.
The companies carrying out the scans will only provide the government with anonymised data such as aggregate statistics, according to a senior DHS official cited by Reuters, who declined to be identified.
“That allows us to provide more sensitive information,” the official told Reuters. “We will provide the information to the security service providers that they need to perform this function.”
The NSA said it is looking for a way to better protect the US’ private sector-based critical infrastructure, such as banks, utilities, motorways and rail networks, without infringing upon citizens’ civil liberties. The organisation said it could use data such as what malicious software turns up in the scans, and the IP addresses linked to it.
“There is a way to do this that ensures civil liberties and privacy and does ensure the protection of the country,” said NSA director general Keith Alexander at a congressional hearing last week.
The data to be analysed could include web addresses, strings of characters and email sender names. A Raytheon executive told Reuters that the signatures provided by the DHS do not require deep packet inspection (DPI), a controversial technique that includes the scanning of email contents. A government official also told Reuters there are currently no plans to include DPI in the scanning programme.
Security providers are currently working on secure hardware that could carry out automated scans using the classified government signatures, which would allow companies without security-cleared employees to execute the scans, according to Reuters.
Last month’s executive order called on the DHS to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a “set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks”. To the fullest extent possible, the framework is to “incorporate voluntary consensus standards and industry best practices,” said the order.
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” said President Obama during his State of the Union address on 12 February.
The leaders of US intelligence efforts and of the nation’s quickly growing Cyber Command recently warned that cyber operations by nation-states and rogue actors have become a major concern for the country, eclipsing the threat of terrorism and weapons of mass destruction.
In his delivery of the worldwide threat assessment to the US Senate Select Committee on Intelligence on 12 March, Director of National Intelligence James Clapper led his list of global threats with the current cyber operations against the nation’s interests, indicating that cyber-attacks and espionage are having more impact today than terrorism or the threat of weapons of mass destruction.
Recent attacks on US banks, the destructive virus that deleted data from 30,000 workstations at Saudi Aramco, and the wholesale theft of sensitive data by various nations – chief among them China – had weakened the United States’ technological advantage, Clapper said in his prepared remarks.
“We assess that highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data,” Clapper said.
In a separate hearing, Gen. Keith Alexander, commander of the US Cyber Command, said the organisation is quickly ramping up its operations, and plans to hire up to 5,000 cyber-savvy soldiers to staff its operations.
Originally published on eWeek.