The Complex

Jim Langevin wants cyber talk in State of the Union address

Rep. Jim Langevin (D-RI), co-chair of the Congressional Cyber Caucus, just released the text of a letter he sent President Barack Obama, urging him to discuss cyber security in his State of the Union address next week. Langevin doesn't specify what he wants the president to say other than "I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure our country's cyberspace."

Keep in mind that the White House is famously working on an executive order that is believed to contain minimum IT security standards for banks, energy companies, transportation firms, and other so-called critical infrastructure providers in the wake of Congress's repeated failures to pass cyber security legislation last year.

This comes just after a New York Times report saying that the White House has decided it can conduct preemptive cyber strikes if it thinks such actions will stave off a major cyber attack that could seriously damage the United States. Last October, Defense Secretary Leon Panetta said the Defense Department is prepared to conduct this type of aggressive defense.

Here's the text of Langevin's letter:

 

February 5, 2013

The Honorable Barack Obama

President of the United States

The White House

1600 Pennsylvania Avenue NW

Washington, D.C. 20500

Dear Mr. President:

Congratulations on your inauguration for a second term. As your State of the Union address now approaches, I would like to thank you for your efforts to improve our nation's cybersecurity in your first term. From increasing the amount and quality of the data shared among federal agencies and the private sector to elucidating clear policy guidelines for trusted identities in cyberspace and cyberwarfare, your administration has truly made protecting American citizens and American interests a national priority.

Unfortunately, the scope of the challenge has only increased. The same American ingenuity that allows our businesses to be world-leaders in information technology also exposes us to a host of new threats. Defense Secretary Panetta, speaking to the Business Executives for National Security, described the current state of cyber-affairs as "a pre-9/11 moment." Attacks against our defense industrial base, our financial services infrastructure, our free press, and even our own government networks are a daily occurrence. While none have yet caused the destruction on the scope of 9/11, the potential for such a disaster is real, and it is growing.

Combating this threat is a pressing priority. As the co-founder of the Congressional Cybersecurity Caucus, I work to inform my colleagues of the inadequacy of existing legislation to secure the domain, and I have appreciated your administration's efforts to highlight the immediacy of our need. I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure our country's cyberspace. While I trust that you will use every existing avenue of executive power to improve our capabilities in this realm, our current laws simply do not reflect the amazing technological advances (and the accompanying challenges) that have been made since their enactment.

I was privileged to serve as the Co-chair of the Commission on Cybersecurity for the 44th Presidency, which presented you with a series of recommendations when you first took office. Your actions in your first term have made it abundantly clear that you have embraced the need for a comprehensive cybersecurity strategy, and I look forward to working with you to expand and implement this strategy throughout the coming session.

Sincerely,

Jim Langevin

Member of Congress


Here's the email to DoE employees notifying them of a cyber attack

Below is the email that the Department of Energy sent to its employees notifying them that personal information about several hundred DoE staff and contractors at the department's Washington headquarters (shown above) may have been accessed by hackers.

You'll notice that DoE doesn't mention who might have been responsible for the attack and it makes no mention of whether classified information regarding nuclear-anything was accessed.

(Several media accounts have said Chinese hackers were to blame and that the cyber attack didn't access nuclear-related information.) 

You can also see that DoE is in the early stages of figuring out the details and full extent of the attack. From the early reports, it sounds like this could have been a spear phishing email attack. If that's the case, an employee at DoE likely got a professional-sounding email with a special file attached that contained malware; once the staffer clicked on the file, the hackers were into the department's networks. What would hackers/spies want with staffers' and contractors' email and the info contained within? For one thing, they could use it to crack security safeguards to other networks that contain classified information.

Click here to read an article about DoE's Inspector General's report on the department's cyber security practices from last fall that points out a bunch of cyber vulnerabilities.

Here's the email:

Employee Notification

The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).

The Department is strongly committed to protecting the integrity of each employee's PII and takes any cyber incident very seriously. The Department's Cybersecurity Team, the Office of Health, Safety and Security and the Inspector General's office are working with federal law enforcement to promptly gather detailed information on the nature and scope of the incident and assess the potential impacts to DOE staff and contractors. Based on the findings of this investigation, no classified data was compromised.

We believe several hundred DOE employees' and contractors' PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.

Once the full nature and extent of this incident is known, the Department will implement a full remediation plan.  As more specific information is gathered regarding affected employees and contractors, the Department will make further notifications.

The Department is also leading an aggressive effort to reduce the likelihood of these events occurring again. These efforts include leveraging the combined expertise and capabilities of the Department's Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department's networks and deploying specialized defense tools to protect sensitive assets. 

Cybersecurity is a shared responsibility, and we all play an important role in maintaining the integrity and security of our networks. To help minimize impacts and reduce any potential risks, please keep the following best practices in mind:

Encrypt all files and emails containing PII or sensitive information, including files stored on hard drives or on the shared network.

Do not store or email non-government related PII on DOE network computers.
