TRUST Security and Privacy Blog

noreply@blogger.com (Christopher Brooks) — Mon, 17 Dec 2012 19:39:00 +0000

Please see the TRUST in the News blog

Rather than having two blogs about TRUST, we've decided to focus on one blog. Please see TRUST in the News.

"California Chosen as Home for Computing Institute"

noreply@blogger.com (Christopher Brooks) — Thu, 03 May 2012 22:27:00 +0000

The May 1, 2012 NY Times article "California Chosen as Home for Computing Institute" covers the $60 million theoretical computing center to be hosted at UC Berkeley. UCB College of Engineering Dean and TRUST PI S. Shankar Sastry is quoted elsewhere as saying that the goal of the institute will be to "bring into the educational mainstream, the role of computing and theory of computational science."

New Mac malware epidemic exploits weaknesses in Apple ecosystem

noreply@blogger.com (Mary Stewart) — Sun, 08 Apr 2012 00:31:00 +0000

For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.

What makes this outbreak especially disturbing is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do anything stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.

Although Apple owners have been told for years that Macs don't get viruses. that's known to be untrue. Furthermore, Apple's casual approach to security updates makes them debatably more vulnerable. The Java flaw was reported in January and patched in February by Oracle. Apple's version of Java didn't get a patch until early April.

Security expert Brian Krebs points out that this behavior by Apple is lamentably typical:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.

For complete article, see ZDNet.

DHS: $40M To Research Next Big Thing in Cyber Security

noreply@blogger.com (Mary Stewart) — Tue, 01 Feb 2011 00:57:00 +0000

The U.S. Department of Homeland Security announced a call for proposals this week in a $40 million program to encourage research and development in a wide range of topics related to cyber security. In a Broad Agency Announcement (BAA) dated January 26th, the DHS said it was soliciting papers and proposals centered on 14 different areas, including topics in software assurance, enterprise security metrics, usable security, as well as challenges arising from insider threats.

The Federal government has moved in recent ears to attract top security talent, while organization's like In-Q-Tel, the CIA's venture firm, have funded new, innovative ideas. But, as in the private sector, an overabundance of security products hasn't improved the security position of government networks.

Concurrently, spending on IT security continues to be criticized for waste of resources and a poor track record concerning learning from security incidents, e.g., the Wikileaks issue showcased the startling lack of security with sensitive data. The new DHS Proposal aims to address those issues as well.

See article in threatpost.

Discarded Copiers Hold Sensitive Data on Hard Drives

noreply@blogger.com (Mary Stewart) — Fri, 07 May 2010 22:09:00 +0000

SANS Newsbites tells of a CBS news investigation that had found that the hard drives of four digital copy machines purchased second-hand contained vast amounts of personally identifiable information, including police files on domestic violence and sex crimes, copies of pay stubs and checks and sensitive medical information like test results, prescriptions and diagnoses. This would be a major coup for those in the identity theft business.

"You're talking about potentially ruining someone's life," said Ira Winkler, former analyst for the National Security Agency, "where they could suffer serious social repercussions."

While some manufacturers say they offer security or encryption packages on their products, evidence keeps piling up in warehouses that many businesses are not willing to pay for such protection and the average American is oblivious to the dangers posed by digital copiers.

For full story, see CBS Evening News.

Please do not change your password

noreply@blogger.com (Christopher Brooks) — Tue, 13 Apr 2010 16:29:00 +0000

Mark Pothier's Boston Globe article, Please do not change your password," covers a paper by Microsoft Researcher Cormac Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," from the 2009 New Security Paradigms Workshop. Herley argues "that user's rejection of the security advice they receive is entirely rational from an economic perspective." Herley discusses "password rules," "teaching users to recognized phishing sites by reading URLs" and "certificate errors". Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic and Slashdot.

"Privacy Protection Needed as Smart Grid Arrives"

noreply@blogger.com (Christopher Brooks) — Sat, 13 Mar 2010 02:05:00 +0000

A press release from UC Berkeley's Law School, "Privacy Protection Needed as Smart Grid Arrives" points out privacy concerns with PG&E's Smart Meter project. In particular:

"Smart meters being installed now in California will collect 750 to 3,000 data points a month per household. This detailed energy usage data can indicate whether someone is at home or out, entertaining guests, or using particular appliances."

See "PG&E customer refuses to take smart meter, locks up old meter" for some of the controversy surrounding privacy and the accuracy of the meters.

Judge Hears Arguments on Google Book Settlement

noreply@blogger.com (Mary Stewart) — Thu, 25 Feb 2010 00:09:00 +0000

Federal judge Denny Chin heard more than four hours of testimony in a packed courtroom this week about the hotly contested class-action lawsuit filed against Google.

Supporters of a deal that would allow Google to create an extensive digital library and bookstore included the president of the National Federation of the Blind, a librarian at the University of Michigan, and a lawyer for Sony Electronics stated that the agreement would make millions of hard-to-find books available to an enormous audience.

A much larger group of opponents cited many concerns related to competition, privacy, violation of copyright and abuse of class-action processes. Law Professor at the University of California, Berkeley, Pamela Samuelson says that her academic colleagues would prefer to have their books available via open access, and also supported open access to orphan works. She said "the authors Guild has not fairly represented academic authors."

“We think orphan works is a public policy issue to be decided by Congress,” she said. She mentioned that she had asked for “meaningful constraints” on pricing subscriptions. And, while not responding directly to University of Michigan Librarian Courant, she offered a contrasting perspective: “for plaintiffs, books are commodities. For academics, books are a slow form of social dialog."

See more in The New York Times and a February 12th presentation , "How Fair is the Google Book Search Settlement" by Berkeley law professor Pamela Samuelson.

Adobe Download Manager Installing Software Without Consent

noreply@blogger.com (Mary Stewart) — Sat, 20 Feb 2010 01:23:00 +0000

Slashdot is running an article about a problem in the Adobe Download Manager (ADM) found by Researcher Aviv Raff. The net effect of the problem is that a user can be tricked into downloading and installing software without actual consent.

In a related article in PCMAG.COM, Raff's list of the following software can be downloaded and installed for users that have ADM installed by merely following a link to Adobe's site, including Adobe Flash 10, Adobe Reader 9.3, Adobe Reader 8.2, Google Toolbar6.3, McAfee Security Scan Plus and a half dozen more.

The ADM FAQ explains that ADM is installed when needed and removed when the system reboots. However, this ignores the fact that Adobe downloads don't tyically require a reboot and users might go a long time between them.

Raff also announced that he had found a remote code execution bug in ADM, increasing the danger of remote compromise by an order of magnitude or two.

See more at Security Watch.

NY Times: "Critics Say Google Invades Privacy With New Service"

noreply@blogger.com (Christopher Brooks) — Thu, 18 Feb 2010 23:59:00 +0000

TRUST faculty member Deirdre Mulligan is quoted in the Feburary 12, 2010 NY Times article Critics Say Google Invades Privacy With New Service. The article discusses privacy issues in Google's Buzz product where users may unintentionally publicly share the names of their contacts. Apparently, Google has made it difficult to make the contacts list private. Professor Mulligan is quoted as saying “You want to have a simple rollback mechanism, so once things are not what you expected them to be, you can get out quickly and not have to play a game of Whack-a-Mole.”

US preps cyber outfit to protect national electric grid

noreply@blogger.com (Mary Stewart) — Fri, 15 Jan 2010 23:45:00 +0000

The Department of Energy has said it would spend $8.5 million to create a National Energy Sector Cyber Organization that would help protect the nation's electric power grid, incorporating smart grid technology.

The intent is to create an independent national energy sector cyber security organization that would accelerate research, development and deployment priorities, including policies and protocols, according to the DOE.

DOE Acting Assistant Secretary Patricia Hoffman states:

"The scope and nature of security threats and their potential impact on our national security require the ability to act quickly to protect the bulk power system and to protect sensitive information from public disclosure. At the same time, we must continue to build long-term programs that improve information sharing and awareness between the public and private energy sector.

"The electric system is not the Internet. It is a carefully tended and balanced system that is critical to the Nation and the people. We must continue to strive towards an electric system that can survive an intentional cyber assault with no loss of critical functions," she said.

See complete article at NETWORK WORLD.

Nonprofit for collecting info on SCADA & PCS security incidents

noreply@blogger.com (Christopher Brooks) — Tue, 15 Sep 2009 17:45:00 +0000

The Risks Digest has an item that refers to Stephanie Neil's article in "Managing Automation", 12 Sep 2009 that discusses the http://www.securityincidents.org, "a newly formed non-profit group that provides public access to its Repository of Industrial Security Incidents (RISI)". This group is targeted towards SCADA and process control security incidents.

How much are you worth on the black market?

noreply@blogger.com (Mary Stewart) — Thu, 10 Sep 2009 23:52:00 +0000

Slashdot reports a new tool being developed by Symantec intended to raise consumer awareness about cybercrime. By answering a few questions about personal Internet use, the tool calculates your net worth on the black market calculations in three areas: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.

Norton's Online Risk Calculator is not intended to promote software or instill fear but to raise awareness about cybercrime, according to Marian Merritt, Internet security advocate for Symantec. Merritt pointed out that cybercrime is now larger than the international drug trade. Nearly 10 million people have reported identity theft in United States in the past 12 months and one in four households have already been victimized, she said.

Cybercrime is well reported in the IT space, but the message doesn't often reach the general public, according to Merritt. "You turn on the news and they are talking about capturing drug dealers going across the border, but they rarely show a hacker in handcuffs," she said.

See more in IT WORLD.

NIST Releases Security Standards for Federal Systems

noreply@blogger.com (Larry Rohrbough) — Sun, 16 Aug 2009 23:24:00 +0000

The National Institute of Standards and Technology (NIST) released Special Publication 800-53, titled Recommended Security Controls for Federal Information Systems and Organizations. This document addresses information security standards and guidelines, including minimum requirements for federal information systems. Released as part of NIST’s statutory responsibilities under the Federal Information Security Management Act (FISMA), this publication is geared toward information system and information security professionals who develop, implement, operate, manage, or assess/monitor federal information systems.

Adobe Vulnerability Targeted in Drive-by Attacks

noreply@blogger.com (Mary Stewart) — Thu, 23 Jul 2009 23:46:00 +0000

eWEEK.COM is running a story about a new zero-day vulnerability affecting Adobe's Flash Player software that is being exploited by attackers via drive-by downloads.

Adobe first warned about the vulnerability July 21, then issued an updated advisory the next night. The issue affects current versions of Flash Player on Windows, Mac and Linux platforms.

According to the U.S. Computer Emergency Response Team (US-CERT), an attacker can trigger an overflow by luring a user into opening a malicious Flash (SWF) file that is either hosted or embedded on a Web page or contained in a PDF file. Then the attacker could either trigger a system crash or take full control of a vulnerable system.

“There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows,” according to a post on the Adobe Product Security Incident Response Team blog. “We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009(the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009.”

“At the moment there (are) a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate Websites to create a drive-by attack, as expected,” according to SANS Internet Storm Center.

See full article at eWEEK.COM.

Google Book Search Settlement Inquiry Announced

noreply@blogger.com (Christopher Brooks) — Wed, 08 Jul 2009 00:51:00 +0000

ISEDB's article "Google Book Search Settlement Inquiry Announced" includes a link to Pam Samuelson's talk Reflections on the Google Book Search Settlement. See also her 4/17/09 guest blog "Legally Speaking: The Dead Souls of the Google Booksearch Settlement", where she says:

"In the short run, the Google Book Search settlement will unquestionably bring about greater access to books collected by major research libraries over the years. But it is very worrisome that this agreement, which was negotiated in secret by Google and a few lawyers working for the Authors Guild and AAP (who will, by the way, get up to $45.5 million in fees for their work on the settlement—more than all of the authors combined!), will create two complementary monopolies with exclusive rights over a research corpus of this magnitude. Monopolies are prone to engage in many abuses."

"The Book Search agreement is not really a settlement of a dispute over whether scanning books to index them is fair use. It is a major restructuring of the book industry’s future without meaningful government oversight. The market for digitized orphan books could be competitive, but will not be if this settlement is approved as is."

Professor Samuelson points out that "nothing in the settlement agreement speaks about privacy interests of users" and that this is very different than how libraries operate.

Announcement: 2nd Annual Privacy Law Scholar Conference, June 4-5 2009

noreply@blogger.com (Mary Stewart) — Tue, 26 May 2009 23:34:00 +0000

The 2nd Annual Privacy Law Scholars Conference (PLSC) will be held at the Claremont Resort in Berkeley, CA, on June 4-5. PLSC is an academic paper workshop, and there are no panels of boring talking heads. Instead, we have two days of intense discussion about privacy issues.

If you have students who are interested in working in the privacy field, I strongly encourage you to pass on info about the event. It's free, and about 100 privacy academics (predominately law, but also econ and some computer science, including Peter Neumann, Chris Soghoian, and Jeff Jonas, the inventor of NORA) participate, as well as 50 leading legal practitioners. It's a wonderful opportunity to network, share ideas,etc.

Schedule and information

The password to all papers is plsc2009.

Send email to choofnagle at law.berkeley.edu if you would like to participate.

Mathematical Advances Strengthen IT Security

noreply@blogger.com (Mary Stewart) — Thu, 14 May 2009 16:23:00 +0000

ACM TechNews is running an article about a new cryptography approach based on the mathematical theory of elliptic curves, a leading candidate to replace the widely used RSA public key security system.

Elliptic curves are equasions with two variables, e.g., x and y, including terms where both x and y are raised to powers of two or more. The possibilities for elliptic curves and other modern mathematical techniques were discussed at a recent workshop organized by the European Science Foundation (ESF).

“The impact of the elliptic curve method for integer factorisation (developed by my PhD advisor Hendrik Lenstra) has played a role in introducing elliptic curves to cryptographers, albeit for attacking the underlying problem on which RSA is based (the difficulty of factoring integers),” said David Kohel, convenor of the ESF workshop, from the Institut de Mathematiques de Luminy in Marseille, France.

Kohel describes the advantage of elliptic curve cryptography as its immunity to the specialized attacks that have degraded the strength of RSA (smaller keys can be used to provide the same levels of protection).

"In general, the cryptographer has the benefit over the cryptanalyst (the person attacking the cryptosystem) as he or she can select the key size for any desired level of security, provided everyone has the same base of knowledge of best attacks on the underlying cryptosystem," he says.

See details in European Science Foundation.

Chinese Hackers Targeting NYPD Computers

noreply@blogger.com (Mary Stewart) — Tue, 28 Apr 2009 16:21:00 +0000

Slashdot prints an article about a network of mystery hackers, mostly based in China, making 70,000 attempts a day to break into the NYPD's sytem, according to Commissioner Raymond Kelly. He said he suspects that his department is being targeted by foreign hackers because it has beefed up operations in the international arena since the 9/11 attacks.

"We are constantly studying events worldwide and assessing their implications for New York," said Kelly, adding that the NYPD now has officers stationed in Abu Dhabi, Jordan, Great Britain, France, Spain, Canada and the Dominican Republic.

Kelly also said senior police officers have been attending lectures by foreign affairs and terrorism experts. The Commissioner's surprising revelations closely followed a Canadian report exposing a China-based electronic spy network that has invaded at least 1295 computers in 103 countries.

Dubbed "GhostNet", the group of hackers have targeted embassies, foreign ministries and the Dalai Lama's offices in India, Brussels, London and New York.

Toronto University's 10-month study suggests that the GhostNet is linked to Chinese government espionage agencies, which Chinese government officials deny.

See complete article in the New York Daily News.

Most electronic voting isn't secure, CIA expert says

noreply@blogger.com (Mary Stewart) — Thu, 23 Apr 2009 00:33:00 +0000

The Risks Digest points to an article about a CIA agent testifying before the Election Assistance Commission. His position is that electronic votes are not secure and can be altered and further, are being altered already in some locales.

The CIA agent, a cybersecurity expert, suggested that Venezuelan President Hugo Chavez and his allies fixed a 2004 election recount, a pronouncement that could further agitate U.S. relations with the Latin leader.

In a presentation that could provide foreboding lessons for the United States, where electronic voting is becoming preeminent, Steve Stigall summarized what he described as attempts to use computers to undermine democratic elections in developing nations. Stigall told the Election Assistance Commission that computerized electoral systems can be manipulated at five stages, from altering voter registration lists to posting results.

"You heard the old adage 'follow the money,' " Stigall said, according to a transcript of his hour-long presentation that McClatchy obtained. "I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to . . . make bad things happen."

Stigall said that some countries had taken extraordinary steps that improved security. For example, he said internet systems that encrypt vote results so they're unrecognizable during transmission "greatly complicates malicious corruption."

After reviewing the agent's remarks, director of election reform for the citizens' lobby 'Common Cause, Susannah Goodman says they showed

"we can no longer ignore the fact that all of these risks are present right here at home . . . and must secure our election system by requiring every voter to have his or her vote recorded on a paper ballot."

See complete article in McClatchy Newspapers.

Obama Sides With Bush In Spy Case

noreply@blogger.com (Mary Stewart) — Mon, 26 Jan 2009 16:43:00 +0000

Slashdot picked up a story in Wired about the Obama administration siding with the Bush administration when it urged a federal judge to set aside a ruling in a closely watched case examining whether a U.S. president may bypass Congress and establish warrantless wiretapping programs designed to spy on American citizens.

With just hours left in office, President George W. Bush asked U.S. District Judge Vaughn Walker late Monday to stay enforcement of a Jan.5 ruling admitting key evidence into the case. On Thursday, the Obama administration said in its filing with the court

"The Government's position remains that this case should be stayed"

marking the first time it was clear that the new president was in agreement with the Bush administration's reasoning in this case.

The legal hubbub concerns Walker's decision to admit a classified document as evidence that allegedly shows that two American lawyers for a now-defunct Saudi charity were electronically eavesdropped on without warrants in 2004.

The Obama administration is in agreement with the previous administration in its legal defense of July legislation that immunizes the nation's telecommunications companies from lawsuits accusing them of complicity in Bush's eavesdropping program, according to testimony last week by incoming Attorney General Eric Holder.

A separate case requiring a decision on the constitutionality of the immunity legislation (which Obama voted for as a U.S. Senator from Illinois) brought by the Electronic Frontier Foundation is pending before Judge Walker.

See details in Wired.

Privacy Groups Want Strong Security Measures for Electronic Health Records

noreply@blogger.com (Mary Stewart) — Wed, 21 Jan 2009 23:50:00 +0000

SANS Institute summarizes an article about US privacy rights and civil liberties advocacy groups writing legislators and asking them to ensure that any adoption of electronic health records include substantial security measures. Such letters from the American Civil Liberties Union, the National Association of Social Workers and Patient Privacy rights request that patients have control over how their medical records are used and that they be protected from organizations that share and sell medical information.

"We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will," Patient Privacy Rights executive director Ashley Katz said at a Capitol Hill briefing.

Chairman of Senate Health, Education, Labor and Pensions, Edward Kennedy and ranking member Michael Enzi submitted a bill in the 110th Congress and have worked with Judiciary Chairman Patrick Leahy to beef up its privacy provisions. However, Senate Small Business ranking member Olympia Snowe does not believe the measure went far enough, and together with Rep. Edward Markey, D-Mass., and Rep. Lloyd Doggett, D-Texas, offered letters of support for the privacy groups' call to action.

"Without robust safeguards, the health IT systems we are planning for today could turn the dream of integrated, seamless electronic health networks into a nightmare for consumers," Markey said in a statement.

For complete article, see nextgov.

CWE/SANS TOP 25 Most Dangerous Programming Errors

noreply@blogger.com (Mary Stewart) — Tue, 13 Jan 2009 17:10:00 +0000

Yesterday, the SysAdmin, Audit, Network, Security (SANS) Institute announced that in Washington D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a list of the 25 most dangerous programming errors that bring about security bugs permitting cyber espionage and cyber crime. The project is a significant component of an overall national security initiative.

The impact of such errors is extensive, where just two errors led to more than 1.5 million web site security breaches in 2008. Those breaches then cascaded onto the computers of people who visited those websites.

The people and organizations that provided input to the project are among the most respected security experts, coming from an extensive range of leading organizations such as Symantec, Microsoft, DHS's National Cyber Security Division, and NSA's Information Assurance Division to the Japaneses IPA, to the University of California at Davis and Purdue University.

Remarkably, all the experts quickly came to agreement, despite some intense discussion.

"There appears to be broad agreement on the programming errors," says SANS Director, Mason Brown, "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."

See complete Announcement in SANS.

State Secrets Defense Rejected in Wiretapping Case

noreply@blogger.com (Mary Stewart) — Fri, 09 Jan 2009 00:03:00 +0000

Slashdot references a report in Ars Technica of a federal judge ruling that a lawsuit filed by an Islamic charity alleging illegal wiretapping by the National Security Agency may proceed.

The case, Al Haramain v. Bush, stands out in that unlike the Electronic Frontier's more widely publicized suits agains the NSA and cooperating telecoms, the plaintiffs here know that the directors of the charity were specifically subjected to warrantless surveillance, thanks to a government faux pas that put a classified memo in the hands of the charity's lawyers.

Judge Vaughn Walker, who has been handling a raft of suits concerning the NSA's super-secret Stellar Wind program decided that the charity could seek to show they'd been spied upon using public evidence.

"Without a doubt," he wrote, plaintiffs have alleged enough to plead 'aggrieved persons' status so as to proceed to the next step in proceedings."

The Justice Department repeatedly tried to try to block the suit by invoking national security concerns. At one point, Walker described the government's argument "without merit" and characterized another argument as "circular".

See complete report at Ars Technica.

Congress in the Cyber-Crosshairs

noreply@blogger.com (Mary Stewart) — Wed, 24 Dec 2008 18:58:00 +0000

ACM TechNews points out the cover story of National Journal about what it will take to keep the next invader out of Congressional computers.

Two years ago, 15 House panels and members' offices were invaded by malware whose nature suggest the intrusions originated in China. One target, the office of House Representative Frank Wolf (R-Va) argued before the House that the fear of admitting vulnerability might be a reason underlying U.S. intelligence and national security's reluctance ro publicize the breaches sooner.

"I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones," he said.

While it appears that there is little interest from members of Congress in discussing cyber vulnerabilities, it is likely because they have little understanding of them. Former director the DHS' Cyber Security Division Amit Yoran says

"As a member of Congress, you have so many issues competing for your attention and, historically, cyber-security hasn't been one that's won out. It's not an issue that is particularly well tracked by their constituents."

In a recent study prepared by the Center for Strategic and International Studies concluded for President-elect Barack Obama that Congress is unsuited for managing executive-branch cybersecurity due to the inconsistency and fragmentation of its oversight. The study group recommended that Obama take charge of cybersecurity and establish a new office for cyberspace in the Executive Office of the President that would collaborate closely with the National Security Council, "managing the many aspects of securing our national networks while protecting privacy and civil liberties."

See complete article at National Journal Magazine.