Read the rest of this article on the original site »

Sergey Nivens / Shutterstock.com

But that’s not to say that Apple hasn’t been preparing — quietly as always — for the kind of eventualities that tend to crop up when hackers and other digital miscreants are taken to probing your systems for vulnerabilities.

One visible sign of that preparation can be detected in the personnel that Apple has been hiring in the area of software and system security in recent years. Apple rarely if ever comments on any but its most senior hires. Nevertheless, several names have come to light. And while Apple generally doesn’t comment to confirm or deny the role that any of these people may or may not be playing in response to the latest incident, here are some people whose job at Apple involves security.

Craig Federighi: Senior vice president for software engineering, Federighi is in charge of all aspects of Apple’s operating system software, both on the Mac and the iOS platforms, and reports directly to CEO Tim Cook. He inherited responsibility for iOS after last year’s departure of Scott Forstal. He worked at Next Computer, the company Apple acquired in 1996 that brought Steve Jobs back to Apple after more than a decade. Later, Federighi spent a decade at Ariba, including a stint as its CTO. Everyone involved in OS security, whether for the iPhone, iPad or the Mac, reports to him.

David Rice: Hired in 2011 as Apple’s global director of security, Rice is a graduate of the U.S. Naval War College and spent time at the National Security Agency. However, he’s best known for his 2007 book “Geekonomics,” in which he argued that software is a new kind of public infrastructure that when built badly amounts to a public hazard, and those who buy it become virtual crash test dummies who have to suffer with a software industry that is unaccountable for the results.

Window Snyder: Hired in 2010, Snyder lists her title as Senior Product Manager, Security and Privacy. She had previously headed up security operations at Mozilla, the open source software organization responsible for the Firefox Web browser. She has also held software security positions at Microsoft and @stake, a security firm that’s now part of Symantec. She’s listed as co-author, with Frank Swiderski, of a Microsoft-produced book called “Threat Modeling,” which focuses on looking at computer security from the point of view of an attacker.

Ivan Krstić: Hired in 2009, the Croatian-born Krstić is in charge of core OS security on the Mac. He previously ran security for the One Laptop Per Child program, where he came up with a method to secure programs in Linux called BitFrost that wrapped individual programs in their own virtual operating environments so that one couldn’t harm the other. The approach was considered so novel that some suggested incorporating it as a core feature of Linux.

Kristin Paget: Currently a Core OS Security Researcher, Paget is a Microsoft veteran who’s generally credited with “saving Windows Vista” by forcing a delay in that operating system’s release after demonstrating that it wasn’t as secure as previously thought, Paget joined Apple late last year as a Core OS security researcher. Her hiring was first reported by Wired.

Image: Sergey Nivens / Shutterstock.com

As expected, the order creates a government working group that will reach out to the private sector to put in place some voluntary standards for companies deemed to be running critical infrastructure — banks, utilities, transportation companies and the like.

The president also addressed some of the concerns in his State of the Union address last night, saying, “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Industry generally opposes the creation of standards, even voluntary ones, arguing that they tend to become de facto requirements. And there’s almost no point in following them if you can’t get any protection from civil liability if you do. That’s something that can only come from Congress, and the last time it passed legislation on this subject, Obama vetoed it. That bill did contain liability protection provision, but the Administration argued that it didn’t go far enough to protect things like personal data that might be shared between companies fending off an attack.

What the order really amounts to is a starting gun on the renewed push by the White House to get a new cybersecurity bill (I’m already really sick of that word) through Congress this year. Over the summer, the president outlined his concerns in a Wall Street Journal op-ed.

One thing that is happening: Companies in the information security space are seeing their share prices rise today, in part on assumptions that digital securities concerns topping the national agenda could mean new business in the coming year. Shares of Symantec opened higher in early trading, as did shares of Intel, which owns software security company McAfee. Checkpoint Software also rose.

Shares of a few companies are falling: Palo Alto Networks fell by more than 1.5 percent, while Sourcefire, which rose by more than 7 percent yesterday going into Obama’s speech and in anticipation of the order, settled down by more than 1 percent.

Here’s Obama’s executive order in full, as posted to Scribd:

President Obama's Cybersecurity Executive Order, Feb. 12 2013 by Arik Hesseldahl

That the new policy is expected this week implies that President Obama may devote a few words to the subject in his State of the Union address on Tuesday night. Or he may not. But the fact of the matter is that the headlines have been rife of late with news of hacking attacks against American banks, media organizations and others that appear not be coming from pranksters in a basement, but from parties that appear to be operating barely at arm’s length from governments in countries like China and Iran.

One provision would order government agencies to share more information about the nature of computer threats with private companies and give relevant executives of those companies the option to get proper security clearances to get briefed on certain classified information about the nature of the threats, and perhaps lay the groundwork for improved responses.

Republicans and business groups have generally opposed this approach, arguing that voluntary government standards essentially amount to implied regulations that they have to follow whether they want to or not. Additionally they say — correctly — that any government-set standards would quickly be overtaken by the fluid nature of cyber security threats, which are changing daily.

Compare the approach, however, to the European Union, which has its own proposal for cyber security rules on the table, this one more onerous. It would require certain companies, including search engines, energy companies, banks, transit hubs, stock exchange and others to report disruptions to the operations of their computing systems and networks — including anything from human error to full-blown cyber attacks — to government authorities. The expectation is that the proposal will become law within the 27-nation EU within two years. Nothing voluntary about it.

Given the difference, here’s an interesting thought: So often the targets of attacks are entities so large as to have global operations and global networks. An attack on Google’s operations in Europe, for example, one that under the EU scheme would have to be reported to government authorities there, amounts to an attack on its operations in the States. The same is certainly true for many banks that operate on more than one continent.

Sharing of information about cyber security incidents has always been a tricky thing. Large companies don’t like to advertise that they’ve been attacked and their operations disrupted — and when they do disclose it publicly, they do so only sparingly — and the same is true for countries. One country doesn’t like sharing what it knows about a cyber attack because it doesn’t trust what its neighbor might do with the information.

But the difference in approaches makes me wonder why there isn’t more cooperation generally between countries, especially between the U.S. and Europe. National borders mean nothing in the digital realm, and attacks are very often launched from computers in one or more countries, operated remotely by people in one or more countries, against targets in one or more countries. Now everyone is a target and no one knows exactly who the attackers are.

This makes questions about cyber warfare and security infinitely more complex. Most attackers operate at a certain remove from any governments to which they may hold an allegiance, however strong or loose, allowing for what the diplomats like to call “plausible deniability.” Or they may be the equivalent of digital mercenaries fighting for whoever pays the most, or some combination of both. The multiple combinations of variables make the the old nation-to-nation, single attacker, single target paradigm seem outmoded.

That makes the sharing of information among authorities in the most target-rich nations — the U.S. and Europe generally — an important piece any response. If houses are being broken into by a burglar who happens to be good at prying open a certain kind of door or window that happens to be prevalent in your neighborhood, would you not want your neighbor to share that information with you so that you can prepare accordingly?

Perhaps the same kind of common sense approach should apply to the community of nations in the area of cyber security. Could it be done under the auspices of a multination treaty? Perhaps something similar to NATO, where an attack on interests in one country — whatever the entity doing the attacking, be it a nation-state, terrorists, or a gang of troublemakers — amounts to an attack on all? Just a thought.

Yahoo’s Chief Information Security Officer Justin Somaini (pictured here) has left the company, according to sources.

It’s not clear why the top security risk exec has departed the Silicon Valley Internet giant. But, said sources, it could be partially related to the recent hacking issues around the newly refreshed Yahoo Mail, including its vulnerabilities to cross-site scripting, or XSS, attacks. This has been blamed for a surge in spam emanating from compromised email accounts, a problem that some security experts outside the company said Yahoo has been slow to fix.

Along with a number of execs, including Connections SVP Shashi Seth, addressing such issues were within Somaini’s purview. It’s not clear if Seth — who has also been the subject of persistent departures rumors internally over the last few months — will also be getting some of the blame for the embarrassing security problem in a key Yahoo product.

But sources noted that Somaini’s leaving is also part of a wider look at a range of higher-level execs at Yahoo — top staff status is based on Levels, such as L3, L4, L5 — that is now taking place across the company by CEO Marissa Mayer.

Sources noted that Mayer is moving to replace a number of them as she seeks to remake the top ranks of the company, even as some are contemplating departure in the March time frame when their various and sundry stock options and other payouts are realized.

That said, sources said Somaini has been looking to leave too, unhappy with the new regime, as are some others at his level.

His quest for a new job should not be too hard, since Somaini has a strong resume, coming to Yahoo in April of 2011 from Symantec, where he was also CISO. Before that, he worked as a director of information security at VeriSign. He has a very lively cybersecurity blog, too, which you can look at here.

I reached out to Yahoo for comment, but have not heard back as yet.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.

Read the rest of this post on the original site »

Lawyers, who increasingly rely on email, smartphones and other mobile devices to handle deals and other confidential matters, are being asked to encrypt messages, resist using free Wi-Fi connections, which can allow hackers to eavesdrop on communications, and regard even text messages as potential security threats.

Read the rest of this post on the original site »

It is a big package of software that apparently offers an attacker something like a Swiss Army knife, because it can do a lot of things that might be called for. It can monitor a computer’s network traffic, including tracking which Web sites are visited, and log and copy email coming in and going out. It can turn on a computer’s internal microphone and record conversations in the room and presumably send audio files of those recorded conversations to someone who will listen to them. Ditto with a machine’s internal Web cam. It can record what characters are typed on the keyboard, thereby capturing sensitive information like passwords and other user credentials that can be used later. It can capture shots of what is being displayed on a computer’s screen.

Seen in the wild some weeks back, the Washington Post, citing Western intelligence officials, reported today that Flame was created by the combined efforts and resources of the U.S. and Israeli intelligence agencies. The story matches and fills in some details on reporting by the New York Times on the same subject.

Work on Flame, the Post says, predated and later led to the creation of the Stuxnet worm, which is newer but was seen first in 2010. In that case, an Israeli-created worm that targeted industrial control computers in Iran is thought to have caused some centrifuges used to enrich uranium to spin too fast and explode.

Allow me to stitch this thread together with another: It was about a year ago that the Obama Administration made some broad pronouncements on treating cyberspace — the Internet and other scattered parts of the digital stage — as a new theater of warfare, equal, for military purposes, to land, sea, sky and space. An attack in one place warrants a military response or retaliation in another.

At the time, I wondered what a cyberwar might look like. Now we have an idea. The governments of the United States and Israel have been conducting a not-so-covert war against Iran without having to disclose it to their people.

Knowing this leaves me with two questions, one perhaps a legal technicality, the other more practical.

First, if the U.S. views attacks in cyberspace the same as other attacks, then how is a country being attacked supposed to see that? If the U.S. reserves the right to respond to a cyber attack with an air strike, does that not mean that Iran can do the same thing? And if the U.S. is launching attacks, shouldn’t there be some overt public acknowledgement of that fact? Yes, I’ll grant, fighting with bits is preferable to fighting with bullets and bombs, but if it’s the Obama Administration’s position that fighting with one is legally equal to fighting with another, shouldn’t one be done as readily in the open as the other? Warfare requires a degree of public approval. Espionage doesn’t.

Second, I have longer-term concerns about blowback and unintended consequences. Stuxnet and Flame were hard to make, and they were never intended to be discovered, let alone pulled apart and studied as closely as they have been. The fact that they’ve been studied in detail by both the good guys and the bad guys makes me wonder who might be learning from Stuxnet and Flame in order to adapt them for such things as, say, corporate espionage.

If Flame amounts to an early example of a new type of malware that can both easily evade detection and record everything happening both on and around a computer, then companies will have to respond accordingly. Imagine a world where anytime anyone holds a meeting where sensitive information is discussed, it takes place in a secure room with no electronics present. And that’s just for openers.

Created by: Paralegal.net

House passage of its measure, the Cyber Intelligence Sharing and Protection Act, came on a 248-168 vote Thursday and was supported by both Republicans and Democrats.

Read the rest of this post on the original site »

And with that story — entirely plausible but in this case a lie — a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn’t actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

Read the rest of this post on the original site »

And these aren’t the kind of cyber attacks carried out by bumbling troublemakers like the LulzSec gang, which make headlines but really only cause a nuisance for companies like Sony. In these cases, networks were compromised by remote access tools — or RATs, as they’re known in the industry. These tools — and they are tools, because they have legitimate uses for system administrators — give someone the ability to access a computer from across the country or around the world. In this case, however, they were secretly placed on the target systems, hidden from the eyes of day-to-day users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.

McAfee says the attacker was a “state actor,” though it declined to name it. I’ll give you three guesses who the leading candidate is, though you’ll probably need only one: China.

Dmitri Alperovitch, McAfee’s Vice President, Threat Research, makes a statement in his blog entry on the discovery that should give everyone minding a corporate or government network pause: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.” He further divides the worldwide corporate landscape into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.

This has been a particularly nasty year on the cyber security front. (I hate to say it, but I told you so.) Prior to this, the big attack whose full impact has not yet been fully sized up was the one against the RSA SecureID system, which uses popular keychain devices that create a constantly changing series of numbers that in turn create a second password for access to system resources. They’re widely used in government and military circles and among defense contractors. Google has been a regular target in recent years.

The RSA attack and Operation Shady RAT are examples, Alperovitch says, of an “Advanced Persistent Threat.” The phrase has come to be a buzzword that, loosely translated into English, means the worst kind of cyber attack you can imagine. Unlike the denial-of-service attacks and network intrusions carried out by LulzSec and its ilk, which require only minimal skill and marginal understanding of how networks and servers work, an APT is carried out by someone of very high skill who picks his targets carefully and sneaks inside them in a way that is difficult to detect, which allows access to the target system on an ongoing basis that may persist for years.

How did these attacks happen? Its very simple: Someone at the target organization received an email that looked legitimate, but which contained an attachment that wasn’t. This is called “spear phishing,” and it has become the weapon of choice for sophisticated cyber attackers. The attachments are not what they appear to be — Word documents or spreadsheets or other routine things — and contain programs that piggyback on the targeted user’s level of access to the network. These programs then download malware which gives the attackers further access. This all happens in an automated way, but soon after, live attackers log in to the system to dig through what they can find, copy what they can, and make a getaway — though they often leave the doors unlocked so they can come back for repeat visits.

Alperovitch notes — correctly, to my mind — that the phrase has been picked up and overused by the marketing departments of numerous security companies. His larger point is that too often those attacked in this way refuse to come forward and disclose what they’ve learned, thereby allowing the danger to continue for everyone else.

Alperovitch says that the data taken in Operation Shady RAT adds up to several petabytes worth of information. It’s not clear how it has been used. But, as he says, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth.” It’s also bad for a target’s national security, because defense contractors dealing in sensitive military matters are often the targets. The best thing that can happen is that victims start talking about their attacks and sharing information with each other so that everyone can be ready for the next one, which is surely coming.

The photo, which appeared on the U.K.-based tech site shinyshiny.tv, is of Jake Davis, an 18-year-old resident of Britain’s Shetland Islands, specifically the island of Yell. The original photo appeared in the Instagram account of a user known as timbr. Update: Timbr turns out to be Tim Bradshaw of the Financial Times.

After reports surfaced suggesting that police may have been tricked into arresting the wrong person, police say they’re certain they have their man.

Davis appeared in a City of Westminster court this morning and was granted bail; he is next scheduled to appear in court on Aug. 30. He faces five charges related to distributed denial-of-service attacks against several sites, including, notably, the U.K.’s Serious Organized Crimes Agency in June.

Using the online handle “Topiary,” Davis had functioned as the group’s spokesman and gave interviews to the media about its activities. The group attracted a great deal of media attention for its numerous attacks against, among others, Sony, PBS, Nintendo, Britain’s National Health Service, the U.S. Senate, the U.S. Central Intelligence Agency, private affiliates of the FBI, and the Arizona Department of Public Safety.

The arrest in the U.K. followed a string of arrests in the United States, in which 16 people have been accused of being involved with the distributed denial-of-service attack against PayPal, the payment unit of eBay. LulzSec had in recent days been organizing a protest against PayPal, encouraging people to kill their accounts with the service.

LulzSec’s Twitter account has been quiet since July 27, the day the arrest was announced. And the Twitter account belonging to Topiary has been wiped of all messages, save for one saying “You cannot arrest an idea.” The Twitter account belonging to AnonymousIRC, the group under whose banner LulzSec briefly operated, included a message of support.

http://bit.ly/obmiaW | Stay strong, @atopiary. We will continue this, as your last tweet is truth. We, the people, silent no more. #AntiSec

August 1, 2011 4:56 am via TweetDeckReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Bruce McConnell, a senior cybersecurity official with the Department of Homeland Security, sat down with The Wall Street Journal’s John Bussey to discuss what role the government should play in this effort and why he’s especially concerned about the theft of intellectual property.

Here are edited excerpts of their conversation.

MR. BUSSEY: We have a new era. It used to be that a company locked its front doors and maybe put a fence around the perimeter, kept its stuff in the warehouse, and there would be a cop on the beat making sure that anybody rattling the front door would be caught. Now that we have this new sort of rattling of the front door, who’s the cop on the beat?

Read the rest of this post on the original site »

Botnets like Rustock use malicious code to string together hundreds of thousands of personal computers that are then used to send spam email without knowledge of their owners. In the case of Rustock, infected computers were managed by a fleet of 26 separate “command and control” servers that sent them instructions.

Read the rest of this post on the original site »

Talk of an “Internet kill-switch” to be used in the event of cyberwarfare has reemerged in light of recent events in Egypt, and coincides with a new federal initiative intended to improve security for individual Internet users.

According to Mr. Schmidt, securing the information superhighway involves too many factors to be lumped into a single bucket. Resolving online criminality like identity theft should be treated differently than protecting the electric grid from sabotage by foreign powers or online espionage, but war-like rhetoric may threaten the U.S.’s ability to deal with any of these issues effectively, he warned.

Read the rest of this post on the original site

Law-enforcement agencies said they are investigating the incidents, which McAfee said have been going on at least since late 2009 but may have started as early as 2007. The company said the attacks, which it dubbed “Night Dragon,” were still occurring.

McAfee said the hackers targeted five multinational firms, but wouldn’t identify the companies by name because some of them are clients. McAfee said it was sharing the findings “to protect those not yet impacted and to repair those who have been.”

Read the rest of this post on the original site »

Apple has tapped security expert and author David Rice to be its director of global security, several sources have confirmed to me. He’s expected to start at Apple in March.

Apple hasn’t returned calls seeking comment.

There’s no word yet about what precisely Rice’s job will entail, and knowing secrecy-obsessed Apple, there likely won’t be. But it’s not hard to make a reasonable guess.

With iPhones and iPads penetrating the enterprise in ever more impressive numbers, companies want to know they’re secure.

Late last year Apple started working with Unisys to help it sell Apple products to corporations and government agencies, all of which are concerned about the security implications of iPhones and iPads running on their networks.

Those who know Rice describe him as a deeply respected name in IT security circles who not only can speak the kind of language that makes CIOs comfortable, but can also back up that language with the skills and knowledge to match.

Rice hasn’t yet responded to my messages seeking comment, but his bio is fascinating. He’s a 1994 graduate of the U.S. Naval Academy and has a master’s degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst for the National Security Agency and as a Special Duty Cryptologic officer for the Navy.

His LinkedIn profile says he’s executive director of the Monterey Group, a cybersecurity consulting firm. He’s also on the faculty of IANS, an information security research company.

He also works with the U.S. Cyber Consequences Unit, a nonprofit organization that researches the potential for cyber attacks and their impact. Before that he worked for the security firm Neohapsis.

His 2007 book, “Geekonomics,” has been described as the software industry’s equivalent of Ralph Nader’s “Unsafe at Any Speed.” In it he argues that software is modern infrastructure–just like a bridge (hence, the picture on the cover)– and if it’s poorly made or insecure, it constitutes a public hazard.

Those who buy software–consumers, corporations and governments–end up being “crash test dummies” for an industry with no accountability for losses incurred by their customers, he argues.

He goes on to peg the costs of patching faulty software at $180 billion a year, and says that’s probably conservative. Patching software for security weaknesses takes capital that might be used for other, more productive, things.

His solution? Taxes. In a 2008 interview with Forbes, he compared security vulnerabilities in software to the unavoidable pollution emitted by factories. Since software can never be perfect, a “bug tax” keyed to the number and severity of software bugs discovered would create an incentive for better quality control.

Rice would be the latest in a string of high-profile security hires at Apple.

Last March, it hired Window Snyder, the former security chief at Mozilla, as its senior product manager for security, and in 2009 it hired Ivan Krsti?, the former head of security for the One Laptop Per Child project, to work on core security for Mac OS X. Jon Callas, the former CTO of encryption software maker PGP, now a unit of Symantec, joined Apple last year.

An odd turn of events, considering Hathaway led the administration’s 60-day review of governmentwide cybersecurity preparedness and seemed its likely choice to head up the new cybersecurity office. With the post now vacant and the list of candidates who’ve been considered for the job rumored to have reached at least 30, the administration may have a tough time finding the right person for this difficult job–and convincing him or her to accept it.

“As it stands right now, the cyber czar would have two bosses, the National Security Council and National Economic Council, as well as a chief information officer and chief technology officer,” Greg Garcia, former assistant secretary for cybersecurity and communications at the Department of Homeland Security, told Dark Reading. “In addition, that individual would have to herd all of the cats at DHS and other agencies. Those are big shoes to fill–in fact, I’m skeptical that anyone could succeed in the [cyber czar] job.”

And Garcia’s not the only one. Among other potential candidates who’ve reportedly told the White House they’re not interested: former Republican U.S. Representative Tom Davis of northern Virginia, Microsoft (MSFT) executive Scott Charney, Symantec (SYMC) Chairman John Thompson and retired Air Force General Harry Raduege Jr., the former Defense Information Systems Agency director and co-chair of the Commission on Cybersecurity for the 44th Presidency.

An odd turn of events, considering Hathaway led the administration’s 60-day review of governmentwide cybersecurity preparedness and seemed its likely choice to head up the new cybersecurity office. With the post now vacant and the list of candidates who’ve been considered for the job rumored to have reached at least 30, the administration may have a tough time finding the right person for this difficult job–and convincing him or her to accept it.

“As it stands right now, the cyber czar would have two bosses, the National Security Council and National Economic Council, as well as a chief information officer and chief technology officer,” Greg Garcia, former assistant secretary for cybersecurity and communications at the Department of Homeland Security, told Dark Reading. “In addition, that individual would have to herd all of the cats at DHS and other agencies. Those are big shoes to fill–in fact, I’m skeptical that anyone could succeed in the [cyber czar] job.”

And Garcia’s not the only one. Among other potential candidates who’ve reportedly told the White House they’re not interested: former Republican U.S. Representative Tom Davis of northern Virginia, Microsoft (MSFT) executive Scott Charney, Symantec (SYMC) Chairman John Thompson and retired Air Force General Harry Raduege Jr., the former Defense Information Systems Agency director and co-chair of the Commission on Cybersecurity for the 44th Presidency.

Back then, he says, he would discuss virus threats at length before a lawmaker would raise his hand. “You’re expecting some question that might impress you, and they’d ask, ‘Can you tell me what a virus is?’”

Yesterday, however, when he addressed the Senate Committee on Commerce, Science, and Transportation, he was surprised to hear senators fluently discussing botnets and the recent cyber-attack against Estonia.

Exchanging glances with colleagues after the hearing, he recalls, “We made that face that you make when you’re kind of impressed.”

The subcommittee handles a wide range of communications, security and technology issues, and it conducted the hearing, titled “Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense,” to identify security threats and changes the government needs to make to fend them off.

Read the rest of this post