Friday, 24 July 2015

Federal government announces $237 million in cybersecurity funding over the next five years

The federal government announced on Wednesday $142.6 million in cybersecurity funding – in addition to the $94.4 million for cybersecurity identified in Economic Action Plan 2015 – making a total investment over the next five years of $237 million.

Steven Blaney, Canada’s Minister of Public Safety and Emergency Preparedness, joined John Manley, president and CEO of the Canadian Council of Chief Executives, to announce the investments to advance Canada’s Cyber Security Strategy, Public Safety Canada (PSC) said in a press release.

The new funding will be used to “better protect essential cyber systems outside of the federal government by enhancing collaboration with the private and critical infrastructure sectors,” PSC said in the release. This includes a greater capacity for the Canadian Cyber Incident Response Centre to respond to, and mitigate, cyber incidents in the private sector. Through the development of real-time automated feeds, the private sector will receive additional threat information and faster dissemination, PSC noted in a backgrounder.

The investment will also be used to develop policing expertise to detect and disrupt cybercrime activities through dedicated resources and training, with the RCMP to establish a “dedicated investigative team to combat high-priority cybercrime.”

“As long as our digital infrastructure continues to evolve, there will always be those who try to exploit vulnerabilities to undermine Canada’s national security, public safety and economic prosperity,” Blaney said in the release. “Collaboration and information-sharing with critical infrastructure sectors and private sector partners is our best defence to protect our essential cyber systems.”

Launched in 2010, Canada’s Cyber Security Strategy is built on three pillars: securing government systems; partnering to secure vital cyber systems outside the federal government; and helping Canadians to be secure online. In 2013, the Canadian Anti-Fraud Centre received more than 16,000 complaints of cyber-related fraud (email and website scams), accounting for more than $29 million in reported losses, PSC reported.

View the original content and more from this author here: http://ift.tt/1LAwUAT



from critical infrastructure alliance http://ift.tt/1MM7k9h
via IFTTT

NJ Legislators Want To Ban Drone Photography Of ‘Critical Infrastructure’

from the your-rights-end-where-our-freaking-out-begins dept

Government paranoia about “critical infrastructure” will now be extended to drone photography, if New Jersey’s proposed legislation is any indication. While law enforcement agencies are still weighing the Fourth Amendment implications of surveillance drones, some local governments are moving ahead with plans to shortchange the First Amendment.

This new legislation makes it a criminal offense to use a drone to take a photograph of “critical infrastructure.” And what is “critical infrastructure”? Any “asset” whose incapacity—even partial incapacity—would have an impact on the physical or economic security, or public health or safety, of the state. This specifically includes highways, waste treatment facilities, bridges, tunnels, and more.

This proposal would codify something many public employees (especially those in law enforcement/security agencies) already mistakenly believe: that photography of public structures is illegal and probably has something to do with terrorism. Even if the structure is already completely viewable with the naked eye, can be viewed via satellite photography and has been the subject of multiple official photo releases, people with cameras around certain structures are considered inherently suspicious. Now, this misguided “security” concern is being extended to eyes in the sky, something the government seems to believe should be in the possession of government agencies only.

The proposed penalties for violations are fairly severe.

Specifically, this bill makes it a fourth degree crime for a person to use a civilian unmanned aerial vehicle, commonly referred to as a drone, to conduct surveillance of, gather evidence or collect information or data about, or photographically or electronically record any critical infrastructure without the prior written consent of the entity that owns or operates the critical infrastructure. A fourth degree crime is punishable by up to 18 months imprisonment, a fine of up to $10,000, or both.

On top of that, the legislation would help the state build a list of “usual suspects.”

The bill also prohibits a person from operating a civilian drone unless it is registered with the Division of Aeronautics in the Department of Transportation. In addition, a person is prohibited from operating a civilian drone unless the person maintains liability insurance coverage to insure against loss resulting from liability for bodily injury, death, and property damage sustained by any person arising out of the ownership, maintenance, operation, or use of the drone. The required minimum coverage is to be in an amount determined by the Commissioner of Banking and Insurance in consultation with the Commissioner of Transportation.

A person who operates a civilian drone without the required registration or insurance is subject to a civil penalty of not less than $1,000 for a first offense and not less than $5,000 for a second or subsequent offense. In addition, for a second or subsequent offense, a person’s civilian drone registration is to be revoked for a period of two years.

So, while law enforcement agencies argue that aerial surveillance has minimal Fourth Amendment impact because public places have a lowered expectation of privacy, they’re also supporting legislation that would grant public structures more protection than a member of the public’s fenced-in backyard. Of course, the Fourth Amendment only deals with privacy. This legislative push concerns security — something that tends to receive higher priority than Constitutional rights.

Then there’s the inherent stupidity of carving out a drone-specific ban. People with regular cameras (or cell phones) will still be able to photograph these structures, as will aerial photographers in planes and helicopters. It’s a very specific paranoia — one limited solely to new tech that’s currently subject to very little government control.

And that’s really what this is all about. Lawmakers have (civilian) drone fever and the only cure is more cowbell legislation. Those pesky men (and women) and their flying machines are harming the nation’s security somehow with their democratization of aerial photography. These legislators obviously feel the only entity that should have full access to the skies and everything below is the government. And if the First Amendment has to suffer some cutbacks, so be it.

View the original content and more from this author here: http://ift.tt/1GH0nRu



Syracuse gets $10 million from NY State for water main and roadway repairs

SYRACUSE — Syracuse Mayor Stephanie Miner and State Assemblyman Bill Magnarelli announced this morning a state grant of $10 million for infrastructure repairs.

$9.2 million of the $10 million will go directly towards road and water main repairs and replacements.

In 2015 the city has experienced 251 water main breaks and in 2014 the city had a record 391.

The rest of the money will go to what the mayor is calling “cutting edge research.”

Sensors will be placed in water mains to detect from the inside when a water main is deteriorating; that way, the crews can perform preventative maintenance.

“From road reconstruction to water mains and much more, the city has critical infrastructure needs,” said Mayor Miner.

View the original content and more from this author here: http://ift.tt/1IifPEY




Cyber Norm Development and the Protection of Critical Infrastructure

In cybersecurity, protecting critical infrastructure has long been important. In the early days of this policy area, the Clinton administration identified the need to protect critical infrastructure from cyberattacks. The Obama administration’s Framework for Improving Critical Infrastructure Cybersecurity highlights the importance of protecting critical infrastructure from cyber threats. Other governments exhibit similar concerns. Recently, Germany passed legislation mandating critical infrastructure operators improve their cybersecurity. Internationally, the United States has advocated a non-binding or “soft law” norm that countries should not damage critical infrastructure in other nations, and the UN Governmental Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) apparently accepted this idea during its 2015 session. Given national and international activity on critical infrastructure protection, is this area producing new norms for cyberspace?

As Henry Farrell observed in his CFR Cyber Brief on promoting norms in cyberspace, “U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems.” Addressing cyber threats to U.S. critical infrastructure, Admiral Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, asserted, “We have got to develop a set of norms or principles in this space.” Such emphasis on developing norms suggests that norms do not exist. However, cyberattacks by state or non-state actors against critical infrastructure are illegal under international law. In short, we have lots of norms, rather than a shortage of them.

In terms of criminal activities against critical infrastructure, the Council of Europe’s Convention on Cybercrime provides substantive and procedural rules that support states parties’ responses to such activities. The International Convention for the Suppression of Terrorist Bombings applies to attacks against infrastructure facilities through weapons or devices that can cause death, serious bodily injury, or substantial property damage, which can encompass cyberattacks by terrorist groups. A cyberattack by a state that damages critical infrastructure in another state would violate the international legal principle of non-intervention and, if sufficiently bad, might violate international law’s prohibition on the use of force.

If binding international law prohibits states from damaging critical infrastructure in other countries, what does a non-binding norm against the same activity contribute to norm development in cyberspace? The GGE agreed in 2013 that the UN Charter, including its principles on non-intervention and the use of force, applies in cyberspace, so the norm on not attacking critical infrastructure could be a cyber-specific application of these general rules. But, if so, this corollary should be binding under international law. Norm development usually does not move from binding rules to voluntary guidelines. Another way to interpret the non-binding norm is that the rules against intervention and the use of force are not effective in cyberspace, which requires building consensus around a cyber-specific norm. But, it’s not clear why a non-binding norm will be more effective than two of the most fundamental rules of international law.

Less commented upon is the possible emergence of a norm requiring national and international action to defend critical infrastructure against cyberattacks. Countries can improve national critical infrastructure cybersecurity without needing international norms. However, as cyber threats to critical infrastructure have grown more serious, states have started to use international law to address these threats. This activity highlights international interest in strengthening cybersecurity in national critical infrastructure and reveals the need for more cooperation.

This potential norm arises from states using international law to advance critical infrastructure protection in two ways. First, countries increasingly use multilateral, regional, and bilateral processes to address critical infrastructure cybersecurity, including activities in, for example, the International Atomic Energy Agency, International Civil Aviation Organization, NATO, the EU, and ASEAN. Generally, these efforts involve non-binding efforts to strengthen national cyber defenses for critical infrastructure, improve information sharing on cyber threats, and facilitate assistance to other countries. Second, some countries use international law directly. An EU directive on critical infrastructure requires operators to protect themselves against cyber threats. The African Union Convention on Cyber Security and Personal Data Protection mandates that states parties take action to protect critical infrastructure in their jurisdiction.

Such international activities perhaps indicate the development of a “soft law” norm that includes “cyber due diligence” obligations on countries with respect to national critical infrastructure and responsibilities to cooperate with other nations in strengthening cybersecurity for critical infrastructure. Such a norm could have other implications, including, for example, how countries deal with “zero day” vulnerabilities of concern for critical infrastructure operations. State behavior is not yet sufficient to claim that this norm is anything more than incipient, but perhaps this aspect of protecting critical infrastructure deserves more attention as efforts on developing norms for cyberspace continue.

View the original content and more from this author here: http://ift.tt/1MoQE9Y




Guardians at the Gate: Securing Third-Party Access to Critical Systems

Access is everything. It is the fundamental pillar that determines whether critical enterprise assets are safe or exposed. Who is accessing what, where they are accessing that information from, why they are accessing that information and, finally, what exactly they’re accessing are the basic questions that stand between a breach and brand reputation.

Today, access extends well beyond the borders of the enterprise. Global supply chains are increasingly complex. This year at RSA, Josh Douglas, CTO at Raytheon, described the global supply chain as being comprised of shared processes and shared technology that distributes products used in creating, sharing and distributing information. The global supply chain is intertwined intimately and it doesn’t seem it will unravel itself anytime soon.

Enterprises are beset with the challenges of managing access to clouds and their various flavors, along with their network infrastructure, applications and data. As they do so, third parties become more and more critical to help deploy, control and maintain this transforming and fluid IT landscape.

This access is not only about people accessing machines to undertake their daily operational activities. This access also includes machines talking to other machines in an automated fashion and the underlying content of those interactions.

Yet for some reason, managing third-party access often comes as an afterthought in the industry’s overall security strategies and postures. However, the data would suggest that this topic warrants more attention:

  • 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks
  • 92 percent of enterprises don’t have any supply chain risk management abilities in place
  • 44 percent this year, compared to 54 percent last year, are bothering to put in the effort to vet the security of third-party providers and others in their IT supply chain
  • 60 percent of organizations allow third-party vendors remote access to internal networks
  • 63 percent of data breaches are caused by security vulnerabilities introduced by third parties
  • 58 percent of organizations have no confidence that their third-party vendors are securing and monitoring privileged access to their network

The greater challenge in decreasing third-party risk exposure is what I call the “I got it, you take it” effect, where each party expects the other to take the primary responsibility for ensuring the security of the access. In reality, like any healthy relationship, security results from an equal, continuous, committed effort by both parties.

View the original content and more from this author here: http://ift.tt/1DB3Gdh




Thursday, 23 July 2015

Utility safety: New survey reveals critical infrastructure cybersecurity challenges

Utility cybersecurity: Information technology (IT) executives within critical infrastructure organizations see a need for public-private threat intelligence sharing partnerships (86 percent of respondents) to keep pace with escalating cybersecurity threats, according to a survey released by The Aspen Institute and Intel Security. A majority (76 percent) of survey respondents also indicated they believe a national defense force should respond when a cyber attack damages a critical infrastructure company within national borders. Additionally, although most respondents agree that threats to their organizations are on the rise, they maintain a high degree of confidence in existing security.

The survey, Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey, reveals that the critical infrastructure providers surveyed are pleased with the results of their efforts to improve cybersecurity over the last three years, but at the same time many (72 percent) said that the threat level of attacks was escalating. Almost half of all respondents (48 percent) believe it is likely that a cyberattack on critical infrastructure, with the potential to result in the loss of human life, could happen within the next three years.

“This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyberattacks,” said Clark Kent Ervin, Director, Homeland Security Program, Aspen Institute. “This issue must be addressed by policymakers and corporate leaders alike.”

Survey results suggest there may be a disconnect between critical infrastructure providers and the current threat landscape:

· Perceived Improvements: Respondents believe their own vulnerability to cyberattacks has decreased over the last three years. When asked to evaluate their security posture in retrospect, 50 percent reported that they would have considered their organizations “very or extremely” vulnerable three years ago; by comparison, only 27 percent believe that their organizations are currently “very or extremely” vulnerable.

· Government Involvement Encouraged: Private industry is often hesitant when it comes to government’s involvement in private sector business; however, 86 percent of respondents believe that cooperation between the public and private sectors on infrastructure protection is critical to successful cyber defense. Furthermore, 68 percent of respondents believe their own government can be a valuable and respectful partner in cybersecurity.

· Confidence in Current Solutions: Sixty-four percent believe an attack resulting in fatalities has not happened yet because good IT security is already in place. Correspondingly, more than four in five are satisfied or extremely satisfied with the performance of their own security tools such as endpoint protection (84 percent), network firewalls (84 percent), and secure web gateways (85 percent).

· Disruptions Increasing: More than 70 percent of respondents think the cybersecurity threat level in their organization is escalating. Around nine in ten (89 percent) respondents experienced at least one attack on a system within their organization, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. Fifty-nine percent of respondents stated that at least one of these attacks resulted in physical damage.

· Loss of Life?: Forty-eight percent of respondents believe it is likely that a cyberattack that will take down critical infrastructure with potential loss of life will occur within the next three years, although there were no additional survey questions to determine the circumstances under which respondents believed the loss of life could occur. More US respondents thought this scenario was “extremely likely” to occur than did their European counterparts.

· User Error Still #1 Issue: Respondents believe user error is the greatest cause of successful attacks on critical infrastructure. Organizations may strengthen their security postures, but individual employees can still fall victim to phishing emails, social engineering and drive-by browser downloads that successfully infect their organizations’ networks.

· Government Response: Seventy-six percent of respondents believe a national defense force should respond when a cyber attack damages a critical infrastructure company within national borders.

· Different Country Perspectives: US respondents believe the likelihood of a catastrophic cyberattack on critical infrastructure that could result in loss of life is more certain than do their European counterparts. While 18 percent of US sources consider this scenario “extremely likely” to occur in the next three years, only 2 percent in Germany and 3 percent in the UK think it extremely likely.

Chris Young, Executive Vice President and General Manager of Intel Security, will be speaking at the Aspen Security Forum in Aspen, Colorado, where more than 80 leading experts will discuss the most critical questions about national security.

Methodology

The survey, conducted by Vanson Bourne, interviewed 625 IT decision makers with influence over their organization’s security solutions in France, Germany, the United Kingdom and the United States (250 interviews in the US and 125 in each of the UK, France and Germany).

Respondents were from private and public organizations (minimum of 500 employees), with particular focus on the critical infrastructure sectors of energy (139 respondents), transport (130 respondents), finance (159 respondents) and government (128). Questionnaire surveys, such as the one conducted by Vanson Bourne and Intel Security, collect data at a single point in time and are limited in their ability to collect complex and nuanced responses. Furthermore, they are not independently able to support long-term conclusions.

About The Aspen Institute

The Aspen Institute is an educational and policy studies organization based in Washington, DC. Its mission is to foster leadership based on enduring values and to provide a nonpartisan venue for dealing with critical issues. Through public and invitation-only forums, roundtables, and conferences, speeches, books, opinion editorials, social media outlets, and media interviews and appearances, the Aspen Institute’s Homeland Security Program works to heighten public awareness as to the nation’s continued vulnerability to terrorism and to persuade decision makers to take the necessary steps to close the gap between how secure we should be and how secure we actually are. http://ift.tt/xYsyz1

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security and unique McAfee Global Threat Intelligence, Intel Security is intensively focused on developing proactive, proven security solutions and services that protect systems, networks and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. The mission of Intel Security is to give everyone the confidence to live and work safely and securely in the digital world.

View the original content and more from this author here: http://ift.tt/1Km4LgJ




Bids come in high for new Siskiyou jail sewer project

An unexpected cost increase for the installation of critical infrastructure for the county’s new jail has the Siskiyou County Board of Supervisors wary of things to come.

In April, the board had approved a Memorandum of Understanding between the county and the city of Yreka to reimburse the city for the design and installation of a sewer main and its connections at the proposed site for the new jail project.

The decision was driven in part by the city’s own repaving project on Foothill Drive, which runs adjacent to the proposed jail site.

Once the new pavement is in place, the city will institute a moratorium on cutting into it, meaning that the county would incur the costs of repairing the road if it waits until after the city’s work is done.

At that time, county staff estimated that the cost would be $100,000.

On Tuesday, the supervisors were asked to approve the project with a new price of $226,597, which was determined by the bids received from construction firms.

The price increase caused a stir for some on the board, including District 3 Supervisor Michael Kobseff.

He said that he believes the current bid – and others on future projects – will all come in higher than necessary in response to the county’s somewhat desperate position.

To address the issue of the additional cost, County Administrative Officer Terry Barber presented the board with three potential options.

The first would be to pull $126,597 out of the county’s Accumulated Capital Outlay fund, which currently has $600,000 for capital projects.

The other two options both presented deferment scenarios, with the city of Yreka absorbing the up-front costs and the county reimbursing them either upon the sale or development of two attached parcels.

Kobseff and Board Chair Ed Valenzuela argued that the county should pay the entire amount up front, keeping the county from dealing with additional debts in the future.

The board voted unanimously to take that option, and the ACO account will supplement the $100,000 already approved in April for the project.

The jail itself is still an unknown for the county, as it waits on the outcome of additional funding through state legislation.

View the original content and more from this author here: http://ift.tt/1GG9p1m


