Showing posts with label government.

QOTD - WEF - Axioms for the Cyber Age

Axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.

Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.
The document (correctly IMO) summarizes the current state of affairs with respect to system security:
There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity.
Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - ASIO DG on e-Spying Threat

The Internet and increased connectivity has expanded infinitely the opportunities for the covert acquisition of information by state-sponsored and non-state sponsored actors.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Australian Security Intelligence Organisation - Transcript of remarks by ASIO head on July 5, 2011

QOTD - ASIO DG on e-Spying Threat

Cyber espionage has emerged as a serious and widespread concern and one that will continue to gain prominence due to the ongoing digitisation of data and increasing reliance on technology in commercial, governmental and military business.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Royal United Services Institute of Australia - Transcript of remarks by ASIO head

QOTD - US DoD on Threat to Intellectual Property

While the threat to intellectual property is often less visible than the threat to critical infrastructure, it may be the most pervasive cyber threat today. Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.
Src: US Department of Defense Strategy for Operating in Cyberspace

QOTD - FBI on the State of Cyber-Crime

We are facing a very innovative crime, and innovation has to be the response.
[...]
Given enough money, time and resources, an adversary will be able to access any system. Companies need to understand that.
-- Gordon Snow, Assistant Director of the FBI's Cyber Division

Src: Cyber cops stymied by anonymous hackers

QOTD on Stop, Think, Connect

People online need to check their brains at the keyboard. They use their heads when they drive so they drive safely. So they need to think when they're online. They need to stop before they're about to do something online, think about what it is they're about to do, and then connect, and do so in a safe way. It's sad for those of us in the information technology industry and people who have been cybersecurity geeks for 15 years, but nobody actually buys a computer to have computer security. They buy a computer to do things. That's the whole purpose of having a computer. That's why they're going to connect. They just need to do so in the right way.
-- Philip Reitinger, Deputy Undersecretary, US Department of Homeland Security

Src: DHS Hears Government Infosec Pros Concerns

QOTD - Obama on Cyberspace & Cybersecurity

Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information.

The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management. Most important of all, this space continues to grow, develop, and promote prosperity, security, and openness as it has since its invention. This is what sets the Internet apart in the international environment, and why it is so important to protect.
-- US President Barack Obama, The White House
[as quoted in the ZDNet article by David Gewirtz]

QOTD on US Int'l Strategy For Cyberspace

Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights.
-- US International Strategy for Cyberspace, White House (US)

Src: International_strategy_for_cyberspace.pdf (in Google Docs viewer)

QOTD - NSA CIO on Cloud Tech

We can't keep pace with the Googles, and we're not going to out-Apple Apple. But we need to take advantage of what they're doing, and make sure our workforce is exposed to the same technologies.
-- Lonny Anderson, CIO of the US National Security Agency (NSA)

Src: NSA developing cloud technologies - The H Security: News and Features

QOTD on Cyber-War

The odds are we'll wait for a catastrophic event, and then overreact.
-- Mike McConnell, former director of National Intelligence (US)

QOTD on Surveillance Society

The surveillance society is inevitable and irresistible.
-- Jeff Jonas, chief scientist of IBM’s Entity Analytics group

Src: If a surveillance society is inevitable, can privacy measures be embedded in systems? | ZDNet

QOTD on Facebook & Privacy

The computer -- especially with sites like Facebook -- is now a virtual front door to your house allowing people access to your personal information. You deserve to look through the peep hole and decide who you are letting in.
-- US House Representative Joe Barton (Texas)

Src: Key lawmakers press Facebook on privacy concerns about user phone numbers and addresses [Updated] | Technology | Los Angeles Times

QOTD on SSN use in US Military

I stenciled portions of my Social Security number on my laundry bag in Iraq, where it was memorized by foreign-national laundry workers trying to enhance their customer service. I’d walk in and they’d say, ‘Number 1234, here’s your laundry,’ and they were very proud of that fact.
-- Lt. Col. Gregory Conti, former army intelligence officer, now West Point faculty

Colonel Conti has co-authored a report critical of the military's pervasive use of SSNs, entitled "The Military’s Cultural Disregard for Personal Information".

Src: Service Members Face New Threat - Identity Theft - NYTimes.com

QOTD on the Need for a Security Collective

Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
[...]
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
-- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

Src: The Need for Global Collective Defense on the Internet - Microsoft on The Issues - Site Home - TechNet Blogs

QOTD on Insiders

Insiders do not attack – instead they use legitimate accesses in support of their operations.
-- DARPA (US) Broad Agency Announcement for Project CINDER

Src: DARPA-BAA-10-84, Cyber Insider Threat (CINDER) Program | FedBizOps

QOTD - NASA CISO on Secure Software

The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk.
-- Jerry Davis, CISO for NASA

Src: Federal News Radio 1500 AM: NASA launches software assurance program

QOTD - Lieberman on those dangerous electronic pipelines

The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets.
-- Joseph Lieberman, independent Senator for Connecticut

Src: Senators tackle Internet security - The Boston Globe

QOTD - Lieberman on cyber bad-guys?

Our economic security, our national security, and our public safety are now all at risk as a result of new kinds of enemies, with new kinds of names like cyberwarriors, cyberspies, cyberterrorists, and cybercriminals.
-- Joseph Lieberman, independent Senator for Connecticut

Src: Senators tackle Internet security - The Boston Globe

QOTD on Privacy & Internet

We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems.
-- Rebecca MacKinnon of Princeton University's Center for Information Technology Policy

Src: Does Averting Cyberwar Mean Giving Up Web Privacy? : NPR

QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).

Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk-based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real-time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.

Src: NIST FAQ
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)