Cyber Security Act 2009 (Part 1)… Huh?

Last weekend I was reading about a bill introduced April 1st in the US Senate co-sponsored by Sen. Jay Rockefeller (D-W.Va.) and Sen. Olympia Snowe (R-Maine).  The article was aptly titled Bill Would Grant President Unprecedented Cyber-security Powers.

I wanted to get a better idea of what was in this bill, so I took the liberty of downloading it and reading it.  There are some pretty startling powers being granted that could affect a large number of businesses, the Internet backbone providers, and our civil liberties.  I would just like to share a few of my findings.

The first question I had was, “Who would this affect?”  The answer can be found on Page 50, starting at line 22:

FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS - The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes -

(A) Federal Government information systems and networks; and
(B) State, local, and nongovernment information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

In other words, the President has the freedom to choose as he sees fit.  This could include, for example, public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping.  You get the idea.

So, the next question then is, “What information would this government entity have access to?”  The answer can be found on Page 39, starting at line 24:

(b) FUNCTIONS - The Secretary of Commerce -

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

Say what?  Yup.  Any and all data regardless of privacy laws or other regulations.  All together now - Big Brother.

But wait, it gets better.  “How will this plan get implemented?”  The Act calls for the creation of State and Regional Cyber-security Centers that would report to the Secretary of Commerce.  The purpose of these Centers as outlined starting on Page 11, Line 13, is to:

enhance the cybersecurity of small and medium sized businesses in the United States through -

(1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small and medium-sized companies throughout the United States.

The Centers’ activities will include actively transferring and disseminating solutions to a wide range of companies and enterprises, providing loans on a selective basis for advanced cybersecurity measures, and other purposes that directly compete with private sector enterprises in the cybersecurity industry.  I don’t think many IT companies would appreciate a GSE (Government Sponsored Entity) competing against them.  It’s like Fannie Mae and Freddie Mac all over again.

Don’t get me wrong.  I am fully aware that something needs to be done about the woeful security inadequacies in our nation’s federal computing networks.  I’m just not sure this is the proper approach.  There are more details that I will share in my next blog that I think you will find interesting as well.  This will include my thoughts on who the White House “Official” is as referenced in the WSJ article Electricity Grid in U.S. Penetrated by Spies.

What is the Value of the Cybercrime Industry?

I was reading Richard Stiennon’s blog the other day titled “Stay calm people. Cyber crime does not reap $1 Trillion in profits”.  In that article, Richard Stiennon stated he would be surprised if the amount actually exceeded $1 billion.

I for one am not sure what the total amount actually is, but I decided to do just a few hours of research anyway.  I must admit, going into this research I believed the value to be much more than $1 billion.  I’ll go ahead and share the results of my research and let you be the judge though.

Here’s an article from Eweek on this subject:  http://www.eweek.com/c/a/Security/Cybercrime-Internet-Fraud-on-Upswing-as-Lawmakers-Discuss-Strategy-263851/

“A recent report by Finjan on the market for rogue anti-virus products estimated revealed a group of cyber-crooks running a rogueware affiliate network had hauled in an average of $10,800 a day in profits.”

So, with that estimate, we’re at about $3.9 million or $10,800 x 365 days in a year.

Also in that article:  “‘Based on posts on various hacking forums we found that 1,000 bots (infected computers) are rented for $100-$200 per day,’ said Finjan CTO Yuval Ben-Itzhak.”

So, let’s conservatively say it’s $125 for simplicity:  1,000 bots x $125/day x 365 days in a year = $45.6 million.  This brings our running total to $49.5 million.

Next, the IC3 (Internet Crime Complaint Center) released a report stating the dollar loss as a result of cybercrime was $265 million.  This includes a variety of fraud types including non-delivery of merchandise. — http://www.ic3.gov/media/2009/090331.aspx

Running total:  $314.5 million.

Now a big one pops up pertaining to intellectual property losses.  This is debatable as to whether it should be included or not, but I think it should be since IP does have value.  (http://www.lafayette-online.com/science-technology/2009/03/cybercrime-increase/) — The article states that McAfee “found that companies lost an estimated $4.6 billion in intellectual property last year as a result of cybercrime.”

Running total:  $4.9 billion

Also, in just one case, authorities caught 4 men accused of hacking into a Calgary company’s computer system and stealing $1.8 million.  http://www.crime-research.org/news/09.05.2008/3559/

Running total: $4.9 billion+

Finally, I analyzed data published at http://datalossdb.org/yearly_reports/dataloss-2008.pdf.  According to their reports, there were at least 20 million credit card numbers compromised last year.  A number of articles online suggest the cost to financial institutions varies wildly for each card stolen or lost.  I’ve found claims of anywhere between $2 and $4 per card.  So, with at least 20 million cards lost as a result of cybercrime alone, and a conservative $2.50 per card, that value would be $50 million.

Using only what I found above in just a few hours of research online, you can easily see how this number can grow.  We’re already near $5 billion, and definitely near if not over the $1 billion mark even if you want to lower the value of intellectual property stolen.  Next, I’m sure we could come up with a number of VOIP phone systems that were compromised and rang up millions in long distance transactions.  Then, we can throw in unreported estimates, fees paid to developers to write exploits, extortion amounts, etc.  The list goes on, but I do believe this to be at least in the billions if not tens of billions of dollars.  I do have to agree, however, that I doubt it to be into the $1 trillion territory.

Doing the “Impossible”

We’ve all heard lines like these before:  “That can’t be done”; “There’s no way to make that work like that”; “It just won’t work”; and/or “It’s impossible!”  Maybe with all the negative items we’re hearing in the news (and in some cases are experiencing firsthand) like the bad economy, wars, constant bickering, higher than normal unemployment, etc., the level of general negativity is high and impacting people’s perceptions and spirit of determination.  Either way, I’m hearing more and more such statements from all around.

The fact of the matter is, these are times when the determined will prove themselves, and the leaders begin to emerge from the rest of the crowd.  Over the past few weeks, we have been involved in a number of projects at Nuspire that were inherited from other competitors of ours.  Below are a few examples of tasks that needed to be completed.  In all cases, we were told “It’s impossible.”

Case One: The problem was, as based on a previous blog of mine http://blogs.nuspire.com/bkblog/?p=18, a large IT consulting firm was working with one of our clients.  An application was inherited by this team to support.  Unfortunately, they couldn’t seem to get the application working as a non-administrative privileged user.  So, they quite absolutely exclaimed, “This application requires administrative privileges and will not work nor be supported any other way.”  The problem with this is that when you trust normal end users with full admin rights to their PCs, problems eventually ensue, and the systems can become costly to support on an ongoing basis due to viruses, malware, spyware, trojans, worms, etc. that can then run amok on the network.

When this was brought to our attention, I wasn’t willing to settle.  I knew other developers had espoused such claims for their software before, and in the past, I was able to get such applications functioning under normal user permissions.  Now supposedly, this other IT company had spent endless hours trying to find a workaround.  They even exclaimed it would require a complete recoding (costing millions) to meet these requirements.  They thought I was crazy when I told them I wanted to try and make it work.  Needless to say, just a few hours later, a solution was found that allows these applications to run effectively and without error as a normal user, and it doesn’t require any recoding efforts.

Case Two: If anyone has ever been responsible for managing hundreds of desktops, you know that doing so effectively requires patience, determination, and most of all creativity.  We have just taken over a desktop support contract for a nationwide firm.  The machines we inherited are Windows XP and only have 256MB of RAM.  When we started working with them (just a month ago), they were still on SP1 and had no anti-virus protection.  You can probably now only start to imagine why a competitor of ours lost this contract.  The task is to upgrade these machines to SP3 and all the latest hotfixes, upgrade Adobe, upgrade IE plugins, install a managed AV solution, keep the bootup/login times the same or just a few seconds longer, and perform all these updates in 1 business day without an onsite physical presence.

Again, our team started working on this project a few weeks ago.  After install of the previously selected AV solution, patching, SP3 upgrade, etc., the systems’ RAM utilization increased by about 30%.  The drawback of this was that it went over the physical amount of RAM available, thus significantly impacting the PCs’ performance.  Obviously, this was unacceptable to the client.  Immediately, ideas were tossed around including forgoing AV protection.  We weren’t quite willing to give up just yet though.  After some significant system changes, disabling unneeded services, and even evaluating other managed AV products, the system now is fully patched, has managed AV protection, runs all the latest IE plugins, and utilizes less than the 256MB of physical memory.  Result - the system does take a bit longer to boot, but only 20 seconds.  In addition, the remote patching and upgrading process is done with a single click and can be accomplished in under 4 hours (depending on bandwidth at each location).

These are just two examples over the past few weeks of “Impossible” tasks that we were able to accomplish at Nuspire.  Personally, I hate expressions of absolutes such as always, never, and impossible.  The more I experience, the more I realize that with the right attitude and determination anything is possible.  If you have any examples of your own, I’d like to hear your comments and thoughts.