NSA continues as lead for Government IDS, DHS involvement added

July 3rd, 2009

The Washington Post has a long article on the latest Obama administration plan to protect government agencies from cyber attacks, Cybersecurity Plan to Involve NSA, Telecoms — DHS Officials Debating The Privacy Implications.

“The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.

President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems.

But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency’s involvement in warrantless wiretapping during George W. Bush’s presidency would draw controversy. Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.”

This is reported to be a continuation of the Einstein 3 program begun under the Bush administration. One difference is the new role for DHS in providing some oversight and guidance.

“Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.”

There’s a lot more in the article that is worth reading.

Facebook default privacy policies changing

July 1st, 2009

Facebook is changing how it manages privacy starting today. After reading last week’s post on the Facebook blog, More Ways to Share in the Publisher, and a followup note on ReadWriteWeb, A Closer Look at Facebook’s New Privacy Options, I thought I understood: Facebook was sharing more but only for people who have made their profiles public. From the official Facebook post:

“We’ve received some questions in the comments about default privacy settings for this beta. Nothing has changed with your default privacy settings. The beta is only open to people who already chose to set their profile and status privacy to “Everyone.” For those people, the default for sharing from the Publisher will be the same. If you have your default privacy set to anything else—such as “Friends and Networks” or “Friends Only”—you are not part of this beta.”

But today the New York Times has an article, The Day Facebook Changed: Messages to Become Public by Default that clearly says more is coming (emphasis added):

“By default, all your messages on Facebook will soon be naked visible to the world. The company is starting by rolling out the feature to people who had already set their profiles as public, but it will come to everyone soon. You’ll be able each time you publish a message to change that message’s privacy setting and from that drop down there’s a link to change your default setting.

But most people will not change the setting. Facebook messages are about to be publicly visible. A whole lot of people are going to hate it. When ex-lovers, bosses, moms, stalkers, cops, creeps and others find out what people have been posting on Facebook - the reprimand that “well, you could have changed your default setting” is not going to sit well with people.”

But it will come to everyone soon! That’s a big change if true. I hope that there is some clarification soon from Facebook. I, for one, am left confused.

In fact, as the ReadWrite post notes, the Facebook privacy policy interface is confusing and not easy to use.

“Unfortunately, it’s very difficult to manage the new privacy settings as they are currently constituted. Several members of our staff struggled to make changes to message-specific and default privacy settings really stick. The feature is confusing if not outright broken. A lot of messages intended for limited distribution are going to be sent out wider than the author intended. That’s not good.”

This is an important thing to get right.

The Social Hyperlink: Lada Adamic’s Hypertext’09 keynote talk

June 30th, 2009

AISL CO-PI Lada Adamic gave a keynote talk at Hypertext’09, the 20th ACM Conference on Hypertext and Hypermedia, held June 29 - July 1 in Trento. Lada’s talk, The Social Hyperlink, covered the influence of social networks on the World Wide Web, peer-to-peer systems, and virtual worlds. You can get her slides here.

Can cyberwar treaties avert an arms race?

June 28th, 2009

Should the nations of the world work toward a treaty banning or at least limiting cyberwars? If we don’t, might we fall into an arms race that could be bad for everyone? Would a war in cyberspace be less dangerous for people than traditional wars? Or maybe worse?

John Markoff and Andrew Kramer have an interesting article, U.S. and Russia Differ on a Treaty for Cyberspace in Sunday’s New York Times.

“The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet. Both nations agree that cyberspace is an emerging battleground. … But there the agreement ends. Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.
The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say. “We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”

Russia has some specific proposals that it would like to have considered. But there are complications that arise due to cybercrime and Internet censorship.

“In a speech on March 18, Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council, a powerful body advising the president on national security, laid out what he described as Russia’s bedrock positions on disarmament in cyberspace. Russia’s proposed treaty would ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war. Other Russian proposals include the application of humanitarian laws banning attacks on noncombatants and a ban on deception in operations in cyberspace — an attempt to deal with the challenge of anonymous attacks.

But American officials are particularly resistant to agreements that would allow governments to censor the Internet, saying they would provide cover for totalitarian regimes. These officials also worry that a treaty would be ineffective because it can be almost impossible to determine if an Internet attack originated from a government, a hacker loyal to that government, or a rogue acting independently.”

The article makes the interesting revelation that this is not the first time that cyberspace arms control has been discussed between the US and Russia.

“In 1996, at the dawn of commercial cyberspace, American and Russian military delegations met secretly in Moscow to discuss the subject. The American delegation was led by an academic military strategist, and the Russian delegation by a four-star admiral. No agreement emerged from the meeting, which has not previously been reported. Later, the Russian government repeatedly introduced resolutions calling for cyberspace disarmament treaties before the United Nations. The United States consistently opposed the idea.

John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif., who led the American delegation at the 1996 talks, said he had received almost no interest from within the American military after those initial meetings. “It was a great opportunity lost,” he said.”

UK cyber attack capability

June 27th, 2009

This week the BBC had a story about the UK’s cyber security programs, UK ‘has cyber attack capability’, with this video interview with Gordon Brown.

The article leads with this surprising discussion of the UK’s offensive capabilities.

“The UK has the ability to launch cyber attacks but does not use it for industrial espionage like some other countries, minister Lord West has said. He refused to be drawn on whether it was used for military purposes.

He told BBC Radio 4’s PM programme the UK faced coordinated cyber attacks “on a regular basis” from other countries including Russia and China. And he confirmed that the British government had approached the Russian and Chinese governments to ask them to stop the attacks. “We have had a dialogue with them in the past and I wouldn’t want to go into what goes on in terms of debate at the moment,” he told the BBC.

Pressed on whether Britain used cyber attacks itself, he said: “We do not go and attack other nations to try and find from them their industrial secrets.” But he added: “I think it would be very silly of any nation not to have an ability to use cyber space for the safety and security of its nation.” Pressed further on Britain’s cyber warfare capabilities, he said: “We have an ability to do things and we have got very good and very talented people who have worked on this.”

The article also quotes Lord West, the UK’s first cyber security minister, as saying that they had recruited “a team of former hackers for its new Cyber Security Operations Centre” at GCHQ.

“They had not employed any “ultra, ultra criminals” but needed the expertise of former “naughty boys”, he added. “You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said.”

Gates puts NSA in charge of USCYBERCOM

June 24th, 2009

The NYT reports in New Military Command for Cyberspace that the DoD has put NSA in charge of a unified U.S. Cyber Command to oversee the protection of military networks against cyber threats.

“Defense Secretary Robert M. Gates on Tuesday ordered the creation of the military’s first headquarters designed to coordinate Pentagon efforts in the emerging battlefield of cyberspace and computer-network security, officials said. Pentagon officials said Mr. Gates intends to nominate Lt. Gen. Keith Alexander, currently director of the National Security Agency, for a fourth star and to take on the top job at the new organization, to be called Cybercom. The new command’s mission will be to coordinate the day-to-day operation — and protection — of military and Pentagon computer networks.”

USCYBERCOM is a subordinate unified command under the US Strategic Command.

Murat Kantarcioglu on Facebook Privacy Issues

June 22nd, 2009

KDAF-TV in Dallas/Fort Worth did a story on privacy and social media featuring an interview with Murat Kantarcioglu.

“Online Social Networks are redefining privacy and personal security, but how much of your personal life have you already given up? A professor at UT Dallas says chances are you’ve given up more than you know.”

Misunderstood Wall Between Intelligence and Law Enforcement

June 20th, 2009

A 2004 report prepared for the 9/11 Commission looked at the oft-cited problem that various information sharing policies resulted in a “wall” between intelligence and law enforcement agencies. That 3-page report was recently declassified.

“Legal Barriers to Information Sharing: The Erection of a Wall Between Intelligence and Law Enforcement Investigations”, Commission on Terrorist Attacks Upon the United States, Staff Monograph, Barbara A. Grewe, Senior Counsel for Special Projects, 20 August 2004.

One of the study’s conclusions is that there was no legal reason why intelligence information could not have been shared before 9/11 but that many people thought that there were legal restrictions.

“The information sharing failures in the summer of 2001 were not the result of legal barriers but of the failure of individuals to understand that the barriers did not apply to the facts at hand. Simply put, there was no legal reason why the information could not have been shared.”

So, if the applicable laws and official policies were not the problem, changing them doesn’t directly address the problem. To me this report points out an opportunity for those of us working with computer-based policy systems.

We can and should create prototype systems that can help humans by (1) automatically rendering opinions about what existing policies allow and prohibit; (2) providing good explanations for those opinions; (3) letting people examine the reasoning and data provenance underlying the opinions and explore related situations through alternate assumptions and counterfactuals; and (4) collecting feedback from people for analysis and to drive the evolution of the policy systems.

This is a tall order, but there is a lot of prior work on explanation in expert systems that we can draw on.

(spotted on FAS Secrecy News)

Researchers ask Google to make HTTPS the default

June 18th, 2009

A group of 37 researchers in information security and privacy law have sent an open letter to Google encouraging the company to enable HTTPS as the default protocol for Google Mail, Docs, and Calendar. Doing so, the letter says, will protect Google customers’ communications from theft and snooping.

“Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords.

Rather than forcing users of Gmail, Docs and Calendar to “opt-in” to adequate security, Google should make security and privacy the default.”

See the post on Wired’s Threat Level blog for more information and a quote from Google in response.

“Google responded Tuesday morning, saying that it is already ahead of the pack by even offering HTTPS, and that the company is looking into whether it would make sense to turn it on as the default for all Gmail users.

“Free, always-on HTTPS is pretty unusual in the e-mail business, particularly for a free e-mail service,” Google engineer Alma Whitten wrote Tuesday morning on Google’s security blog. “It’s something we’d like to see all major webmail services provide.”

The company is planning a trial where small samples of different types of Gmail users will be shifted to a default HTTPS to see how fast things load, how happy users are and what networks or computer setups fare badly, according to Whitten.

“Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” Whitten wrote, noting that the extra cost associated with the computing power needed for encryption was not holding the company back.”

Analyzing covert social networks

May 10th, 2009

Science Daily notes a social networking paper that sounds interesting.

“A new approach to analyzing social networks, reported in the current issue of the International Journal of Services Sciences, could help homeland security find the covert connections between the people behind terrorist attacks. The approach involves revealing the nodes that act as hubs in a terrorist network and tracing back to individual planners and perpetrators.”

Yoshiharu Maeno, Yukio Ohsawa, Analyzing covert social network foundation behind terrorism disaster, Int. J. Services Sciences, 2009, 2, pp. 125-141. (preprint).

Abstract: This paper addresses a method to analyse the covert social network foundation hidden behind the terrorism disaster. It is to solve a node discovery problem, which means to discover a node, which functions relevantly in a social network, but escaped from monitoring on the presence and mutual relationship of nodes. The method aims at integrating the expert investigator’s prior understanding, insight on the terrorists’ social network nature derived from the complex graph theory and computational data processing. The social network responsible for the 9/11 attack in 2001 is used to execute simulation experiment to evaluate the performance of the method.