Remember all the VA breaches? They had been getting an “F” for cyber security for years before the parade started. I lost count of how many breaches … scores?

Places that are supposed to be protecting us from this stuff, like Dept of Homeland Security & the Pentagon, been getting such low scores, that recent stories detailing what’s getting stolen should be no surprise.

It is one thing to beat the drum that a particular agency needs to fix cyber security, to keep reminding legislators and the public that we have this disaster waiting to happen.

It is another thing to publish a report that says there are hundreds of sites, of which only 11 are protected from intrusion, list the 11 sites, and what exactly is protected.

Oh yes, I am sure the professional hackers, terrorists, enemy nations (North Korea, Iran), somewhat hostile or sometimes hostile nations, they all knew this long before the report came out. But now we have an e-army of me-too amateurs to worry about, and less sophisticated trouble makers can join in.

The only way to protect the systems might be to deny e-privacy to 100% consumer users of the Internet. Could that be what is in the heads of some people who approve such reports?

If the DOT is issuing a report on Federal Aviation Administration’s air traffic modernization, the bad guys already know about the vulnerablility.

Cyber criminal oganizations recruit the best.

Security through obscurity does not work.

One question comes to mind… Who benefits from mass hysteria?
The Freedom of Speech also includes the Right to stay Silent. Exciting the masses is a common way to benefit for organization, the medical community, people against something.
So, was this really what the report said? The original article states that new vulnerabilities are being introduced that could increase risk… Anything can introduce risk. Living is a risk. The article was from the Wall Street Journal. Anything coming through the media should be scrutinized. Look past the bad and find the good things. The media likes to incite “riots”

To be perfectley honest any serious attacker will know this stuff already. There has often been debate about discussing vulnerabilities in the public domain and this sometimes the only way people get motivated to fixing them. There a numerous flaws in critical infrastructure systems and there has been for years I am not sure we are being told anything we dont already know.

Your competitors, absent their own SAFETY Act approval, cannot possibly provide their customers with this level of immunity or buy enough terrorism insurance to compensate others for losses arising from a serious e-terrorism event.

In today’s geo-political environment, demonstrating that the SAFETY Act affords customers total immunity from potentially catastrophic terrorism related liability is overwhelmingly compelling. Customer consideration of this “no-cost” immunity protection will likely outweigh many other issues and considerations aside from the day-to-day operational safety, efficiency and reliability.

If your SAFETY Act protected products or services represent or address a significant portion of your customer’s, subcontractor’s or supplier’s liability exposure, it is very possible they can save money on their insurance by selecting your product or service over one that does not afford them such protection.

More and more procurements, in both the private and governmental sectors, require SAFETY Act consideration, designation or eligibility. This trend is expected to increase and is actually addressed in a recent change to the Federal Acquisition Regulations or “FAR”.

Sorry to be so “windy” but I am passionate about this law and its benefits to everyone except perhaps the plaintiffs’ bar..

Enjoy the free advice

Any entity that buys, uses, installs, integrates, deploys, designs, manufactures, supplies, distributes, advises on, or is otherwise involved in, homeland security related products, technologies or services in any way, whether for yourself or others, does so at an extraordinary liability risk. Because of this catastrophic risk, management has a fiduciary responsibility to explore the very broad immunities, liability caps, defenses and other protections that could potentially be afforded them under the SAFETY Act. It is critical to know if, and how, your organization can benefit from this Federal law.

You do not have to be the actual manufacturer, developer or seller of the products, technologies and/or services to benefit. In fact, just by using someone else’s SAFETY Act approved products and/or services, you can benefit greatly.

The SAFETY Act is a little known and often misunderstood piece of legislation that can protect an entity from the truly “enterprise threatening” liability they could face following a terrorist event. This liability can come from an attack on their own facilities or an attack on a third party where products, technologies, advice or services were provided. The Act’s protection can apply to a physical attack on persons or property or to acts of cyber-terrorism that cause physical and/or financial harm.

The SAFETY Act was enacted by Congress as a part of the Homeland Security Act of 2002 (Public Law 107-296). SAFETY Act is actually an acronym for the section of the Homeland Security Act titled the “Support Anti-terrorism by Fostering Effective Technologies Act”.

The Act’s purpose is to ensure that the threat of potential liability suits does not limit or deter the development, manufacture, deployment, use or commercialization of products, technologies, procedures, software, system integration, advice and/or services that could prevent or mitigate a terrorist attack.

The Act provides unprecedented immunities, liability protections, caps and other incentives for approved entities who use, supply, design, manufacture, provide or are otherwise involved in preventing, deterring, mitigating, responding to or recovering from a terrorism event.

SAFETY Act is very broad in scope as to what terrorism related identification, prevention, response, mitigation or recovery can be protected under the law. It can include anything that is designed, developed, modified or procured for preventing, detecting, identifying, or deterring acts of terrorism as well as responding to or limiting the harm such acts might otherwise cause.

SAFETY Act protection can apply to things you provide to others, as well as things you buy, use or do for your own facilities to protect people and property including cyber protection. These things do not have to be exclusively dedicated to anti-terrorism, they can have multiple functions. Examples that have both terrorism and non-terrorism elements include access control systems or procedures, security cameras, firewall software as well as a vast range of other “technologies”, including:

o Products
o Services
o Procedures
o Processes
o Advice
o Technology
o Software
o Network or Cyber protection
o Other forms of intellectual property

ATC network support is just one of the critical infrastructures that needs better cyber protection strategies, procedures and technologies. This is a good example of the catastrophic risks that entities face when designing, providing or deploying high tech solutions. If something goes badly wrong, are the plaintiffs going to sue the government? Way too hard as well as time and money consuming for the plaintiff’s bar. It is so much easier to go after the designer, service or technology supplier. “Deep Pockets”, we have all heard about them – well here is a good example.

For those organizations that provide services, technologies, ideas etc. relating to homeland security, including cyber protection, we thank you for betting your entire enterprise on the hopes that nothing will ever go wrong. If you think that there would never be a company would hold back deploying technologies that could stop a terror event because of liability fears, you are sadly wrong, very wrong. They have and will continue to do so unless they can get SAFETY Act protection. If you are a stockholder or the owner of these companies, what would your position be if they were betting the entire enterprise (liability wise) on less than say 0.5% of total revenues?

What is the solution? – The SAFETY Act or, “The Support Anti-Terrorism by Fostering Effective Technologies Act of 2002”. By utilizing this law, organizations can protect themselves from huge liabilities and at the same time, deploy more technologies or services to stop the truly terrorist catastrophic events without fear of runaway lawsuits.

Anyone involved in Homeland Security / Anti-terrorism needs to have some familiarity with the SAFETY Act. If not for yourself, for your company, clients, suppliers and the public at large. It is way too important!

Going back to the ATC / FAA issue, UPI.com just did an article on the president, cyber security and the SAFETY Act titled “Obama needs to back SAFETY Act on cybersecurity”

http://www.upi.com/Security_Industry/2009/04/09/Obama-needs-to-back-SAFETY-Act-on-cybersecurity/UPI-26391239288290/

There is also an article on the NFL’s recent SAFETY Act approval in USA Today and April’s Security Director News.

http://www.usatoday.com/news/nation/2009-03-09-safety-act_N.htm

http://www.securitydirectornews-digital.com/securitydirectornews/200904/

It is very important to understand that the comments I made about the NFL and SAFETY Act for Security Director News conceptually apply to any industry or organization type including FAA/ATC firewall and network security providers.

A quick (sort of quick) SAFETY Act Primer for those unfamiliar with this remarkable Federal law follows.

Given the number of botnets, the amount of spam, and incredible quantities of other malware in the wild, I think it quite reasonable to make the following conclusion:

The bad guys are aware of these vulnerabilities and are actively working to exploit them.

Publishing the fact that these systems may be vulnerable is a distant, distant cry from publishing the nature and details of the vulnerabilities themselves. Publishing this simple fact can, in the end, regardless of how long it takes, have only one outcome, and a positive one at that: Mitigations will be put in place.

Why? Because of embarassment and GAO pressure.

The bad guys either know these systems are vulnerable or hope they are. Either way, they are, as I type this, working to exploit them. This sort of published report changes nothing – NOTHING – for the bad guys.

This is not new news. There are multiple GAO reports going back to the 1990s pointing out vulnerabilities in the FAA’s air traffic control system as well as their enterprise networks. For example:
http://www.gao.gov/new.items/d01171.pdf
http://www.gao.gov/archive/2000/ai00330t.pdf
http://www.gao.gov/archive/1998/ai98155.pdf

There are many more. Google is your friend.