SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2013, Issue No. 21
February 25, 2013

Secrecy News Blog: http://www.fas.org/blog/secrecy/

SEQUESTER MAY SLOW PENTAGON RESPONSE TO WIKILEAKS

The across-the-board budget cuts known as sequestration that are expected to take effect on March 1 could impede the government's ability to respond to WikiLeaks and to rectify the flaws in information security that it exposed, a Pentagon official told Congress recently.

Zachary J. Lemnios, the assistant secretary of defense for research and engineering, was asked by Sen. Rob Portman (R-Ohio) to describe the "most significant" impacts on cybersecurity that could follow from the anticipated cuts to the Pentagon's budget.

Mr. Lemnios replied that "cuts under sequestration could hurt efforts to fight cyber threats, including [...] improving the security of our classified Federal networks and addressing WikiLeaks."

The sequester could also interfere with the Comprehensive National Cybersecurity Initiative that began under President Bush, he said, and could hold up plans to "initiat[e] continuous monitoring of unclassified networks at all Federal agencies."

Mr. Lemnios' response to Sen. Portman's question for the record (which had not specifically mentioned WikiLeaks) followed a March 2012 Senate Armed Services Committee hearing on Emerging Threats and Capabilities that was published in December 2012 (at page 42).

Generally speaking, computer security within the military is a daunting problem, Mr. Lemnios told the Committee, particularly since "The Department operates over 15,000 networks and 7 million computing devices across hundreds of installations in dozens of countries around the globe."

The challenge of cybersecurity cannot be fully described in public, said Dr. Kaigham J. Gabriel of DARPA. "The complete picture requires a discussion at the special access level." But he told the Committee last year that several basic points can be openly acknowledged:

"Attackers can penetrate our networks: In just 3 days and at a cost of only $18,000, the Host-Based Security System" -- the Pentagon's baseline computer security system -- "was penetrated."

"User authentication is a weak link: 53,000 passwords were provided to teams at Defcon; within 48 hours, 38,000 were cracked."

"The Defense supply chain is at risk: More than two-thirds of electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries."

"Physical systems are at risk: A smartphone hundreds of miles away took control of a car's drive system through an exploit in a wireless interface."

"The United States continues to spend on cybersecurity with limited increase in security: The Federal Government expended billions of dollars in 2010, but the number of malicious cyber intrusions has increased."

Though it was presumably not intentional, the WikiLeaks project galvanized government information security programs and accelerated efforts to devise "insider threat" detection mechanisms, along with intensified surveillance of classified and unclassified government computer networks.

"New classes of anomaly detection methods have been developed and are based on aggregating events across time and multiple sources to identify network and host-based behavior that might be malicious," James S. Peery of Sandia National Laboratories told the Senate Armed Services Committee at last year's hearing. "These approaches and behavioral-based methods have been successful in finding previously undiscovered malware."

"One drawback of this technology, though, is that it has a very high false positive rate," he said.


OPEN ACCESS TO SCIENTIFIC RESEARCH ADVANCES

Government-sponsored scientific research published in expensive journals should become more readily accessible to the public under an initiative announced by the White House Office of Science and Technology Policy on Friday.

Federal agencies that fund at least $100 million per year in scientific research were directed by White House science advisor John Holdren to develop plans to make the results of such research publicly available free of charge within a year of original publication.

"The logic behind enhanced public access is plain," Dr. Holdren wrote in response to a public petition on the White House web site. "We know that scientific research supported by the Federal Government spurs scientific breakthroughs and economic advances when research results are made available to innovators. Policies that mobilize these intellectual assets for re-use through broader access can accelerate scientific breakthroughs, increase innovation, and promote economic growth."

But the benefits of open access are not the sole consideration in the new policy. "The Administration also recognizes that publishers provide valuable services, including the coordination of peer review, that are essential for ensuring the high quality and integrity of many scholarly publications. It is critical that these services continue to be made available."

"We wanted to strike the balance between the extraordinary public benefit of increasing public access to the results of federally-funded scientific research and the need to ensure that the valuable contributions that the scientific publishing industry provides are not lost," Dr. Holdren wrote.

The resulting policy mandating free public access within 12 months of publication is the result of an attempt to balance those competing interests, and it too is subject to future modification "based on experience and evidence."


COMMENTS SOUGHT ON OVERSIGHT OF "DUAL USE" BIO RESEARCH

Members of the public are invited to comment on the feasibility and desirability of various forms of institutional oversight at federally-funded institutions that perform research involving certain pathogens or toxins.

"Certain types of research that are conducted for legitimate purposes may also be utilized for harmful purposes. Such research is called 'dual use research'," said a Notice filed in the Federal Register Friday by the Office of Science and Technology Policy.

"Dual use research of concern (DURC) is a smaller subset of dual use research defined as life sciences research that, based on current understanding, can be reasonably anticipated to provide knowledge, information, products, or technologies that could be directly misapplied to pose a significant threat with broad potential consequences to public health and safety, agricultural crops and other plants, animals, the environment, materiel, or national security," the OSTP Notice explained.

The term "dual use research of concern" should not be taken in a pejorative sense, OSTP said.

"Research that meets the definition of DURC often increases our understanding of the biology of pathogens and makes critical contributions to the development of new treatments and diagnostics, improvements in public health surveillance, and the enhancement of emergency preparedness and response efforts. Thus, designating research as DURC should not be seen as a negative categorization, but simply an indication that the research may warrant additional oversight in order to reduce the risks that the knowledge, information, products, or technologies generated could be used in a manner that results in harm. As a general matter, designation of research as DURC does not mean that the research should not be conducted or communicated."

In the February 22 Federal Register Notice, OSTP posed a series of questions concerning potential oversight arrangements for dual use research of concern and solicited feedback from interested members of the public.

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:
      http://www.fas.org/blog/secrecy/

To SUBSCRIBE to Secrecy News, go to:
     http://www.fas.org/sgp/news/secrecy/subscribe.html

To UNSUBSCRIBE, go to:
      http://www.fas.org/sgp/news/secrecy/unsubscribe.html

OR email your request to saftergood@fas.org

Secrecy News is archived at:
      http://www.fas.org/sgp/news/secrecy/index.html

SUPPORT the FAS Project on Government Secrecy with a donation here:
      http://www.fas.org/member/donate_today.html