Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[802SEC] FW: BOUNCE stds-802-sec@majordomo.ieee.org: Non-member submission from ["Paul Nikolich" <paul@yas.com>]




Forwarding for Paul (who still doesn't have his email configured
properly to submit to the reflector ;^)

 -Bob
 

-----Original Message-----
From: owner-stds-802-sec@majordomo.ieee.org
[mailto:owner-stds-802-sec@majordomo.ieee.org] 
Sent: Friday, October 11, 2002 9:00 AM
To: owner-stds-802-sec@majordomo.ieee.org
Subject: BOUNCE stds-802-sec@majordomo.ieee.org: Non-member submission
from ["Paul Nikolich" <paul@yas.com>] 
From: "Paul Nikolich" <paul@yas.com>
To: "IEEE802" <stds-802-sec@ieee.org>

Dear SEC,

Jim Carlo thought 802 members might be interested in providing input
into the National Strategy to Secure Cyberspace.  Those that are
interested are invited to submit comments.  See below for details.  This
activity might be particularly interesting for those groups that have or
are thinking about securing their links.

Please forward this information to your constituents.

Regards,

--Paul

-----Original Message-----
From: Jim Carlo [mailto:jtcarlo@worldnet.att.net]=20
Sent: Tuesday, September 24, 2002 8:42 PM
To: Paul Nikolich
Cc: Carl Stevenson; Geoff Thompson
Subject: FW: CDT preliminary analysis of WH Cyber-security Strategy

fyi. This may have general interest to some of your Working Groups. This
came across the IEEE-USA mailing list. Note that 802.11b is directly
mentioned. Comments are open through 18Nov - let me know very soon if
there
is an area IEEE should comment on, and we can crank up the process.

Jim Carlo (j.carlo@ieee.org) Phone:1-214-693-1776 Fax:1-214-853-5274
J.Carlo Consulting LLC (Focus on Telecom Strategy/Standards/Patents)
Chair, IEEE-SA Standards Board

-----Original Message-----
From: owner-ieeeusa-ccip@majordomo.ieee.org
[mailto:owner-ieeeusa-ccip@majordomo.ieee.org]On Behalf Of
d.rudolph@ieee.org
Sent: Tuesday, September 24, 2002 10:01 AM
To: ieeeusa-ccip@ieee.org
Subject: CDT preliminary analysis of WH Cyber-security Strategy





On September 18, the White House released the National Strategy to
Secure Cyberspace.  The document, labeled a draft, is open for
comment through November 18.   The document (in PDF) is online at
http://www.whitehouse.gov/pcipb/

The Strategy has a number of positive elements, but is also quite
general on some key points, raising several questions requiring
further attention.  DPSWG will be meeting with White House officials
on October 2 at 10 AM at CDT to provide feedback on the Strategy.

I.         Overview

The report sets out five "Guiding Policy Principles:"

*  Embrace private-public partnerships
*  Avoid regulation
*  Safeguard civil liberties and privacy
*  Coordinate with Congress
*  Cooperate with state and local governments

II.        Privacy

The Strategy's treatment of privacy starts with a very good
statement: "The interests of security and personal privacy need not
be antithetical to one another."   (p. 8)  In this post 9/11 era,
when many discussions of security start from the premise that civil
liberties must be curtailed to improve security, this is a refreshing
statement.

The report goes on to state:  "Indeed, to a large degree, by securing
the integrity of communications over the Internet, the measures
advocated in this Strategy seek to protect individual privacy and,
thus, complement those interests.  Nevertheless, in crafting measures
to increase the nation's security, one must exercise caution to avoid
undermining those fundamental values and characteristics of free
society that the nation is seeking to protect in the first place.
Accordingly, care must be taken to respect privacy interests and
other civil liberties.  Consumers and operators must have confidence
that information will be handled accurately, confidentially, and
reliably." (p. 8; see also p. 43)

III.       Issues Requiring Further Attention

There are several recommendations that seem to merit DPSWG attention.
We highlight four below - we welcome input from DPSWG members on
other issues of importance or concern.

A.         Wireless Issues:

The Strategy has two recommendations particularly relevant to
wireless technologies:

"R4-12  Federal departments and agencies must be especially mindful
of security risks when using wireless technologies.  Federal agencies
should consider installing systems that continuously check for
unauthorized connections to their networks.  Agencies should
carefully review the recent NIST report on use of wireless
technologies and take into account NIST recommendations and findings.
..."

"R4-13  Government and industry should actively promote awareness for
individuals. enterprises, and government of the security issues
involved in the adoption of wireless technologies, especially those
utilizing the 802.11b standard and related standards. ..."

These recommendations are intentionally general, but reflect
increased government interest in the security of wireless networks.
The key question is where government will take this issue in the next
cycle, with or without industry partnership.

B.         Intrusion Detection and Network Monitoring

"R4-39  ISPs, hardware and software vendors, IT security-related
companies, computer emergency response teams, and the ISACs,
together, should consider establishing a Cyberspace Network
Operations Center (Cyberspace NOC), physical or virtual, to share
information and ensure coordination to support the health and
reliability of Internet operations in the Untied States.  Although it
would not be a governmental entity and would be managed by a private
board, the Federal government should explore the ways in which it
could cooperate with the Cyberspace NOC."

"R4-40  The Federal government should complete the installation of
the Cyber Warning Information Network (CWIN) to key government and
nongovernment cybersecurity-related network operation centers, to
disseminate analysis and warning information and perform crisis
coordination."

We assume that recommendation R4-40 refers to the reincarnation of
FidNet, the intrusion detection monitoring system now being managed
by GSA.

"R4-43  The United States should establish a vigorous program to
counter cyber-based intelligence collection against U.S. government,
industry, and university sites."

What does this mean?

C.         Attribution/Authentication

The report includes several discussions of authentication and
attribution questions.  It includes a discussion of the role of
authentication in identifying users of non-public systems to ensure
that they are authorized to use the system. (e.g., pp. 24, 25)  Other
parts of the report seem to refer to identifying or tracking users
more generally.  In particular, on the question of attribution, there
is one recommendation and one issue for discussion:

"R4-45  The United States should continue to improve its ability to
quickly attribute the source of threatening attacks or actions,
seeking to develop that capability to suppress threats before attacks
occur."

"D4-27  Because cyber attacks can be launched from anywhere in the
world, it is important to develop capabilities to rapidly determine
the origin of an attack or exploit in order to respond effectively.
This capability, commonly referred to as "attribution," is central to
determining if an attack is sponsored by a foreign power.  How can
government and industry analysts enhance attribution capabilities in
order to more rapidly identify the source of an attack?"

CDT is working on a set of privacy principles for online
authentication, and would like to put together a subgroup to explore
the question further.

D.         Consumer Education

The Strategy starts with the home user and small businesses and notes
the creation of the StaySafeOnline site,
http://www.StaySafeOnline.info.

CDT and the Internet Education  Foundation have extensive experience
working with coalitions to create easy-to-use web resources for
users.  See, e.g., http://www.GetNetWise.org.  IEF is now working on
a Privacy Toolbox.  http://www.privacytoolbox.org/   We are eager to
expand the Toolbox into security issues, cooperating with the FTC and
the Internet industry.

Let me know what you think.  I would like to create a small online
resource of materials relating to the strategy, including industry
and public interest feedback.

--
Jim Dempsey

Deputy Director, Center for Democracy and Technology
Policy Director, Global Internet Policy Initiative
1634 I Street, NW Suite 1100
Washington DC, 20006
voice: +1 202 637-9800      fax: +1 202 637-0968
jdempsey@cdt.org