A number of civil liberty and privacy advocates have questioned the use of the scanners, raising concerns that Transportation Safety Administration (TSA) employees will be essentially viewing passengers’ nude outlines. The ACLU and other privacy advocates claim it amounts to a “virtual strip search.” Employees are located remotely and only see the image on the screen, not the actual passenger.

According to the TSA website, “TSA has implemented strict measures to protect passenger privacy, which is ensured through the anonymity of the image. The image cannot be stored, transmitted or printed, and is deleted immediately once viewed. Additionally, advanced imaging technology screening is optional to all passengers.”

In an article published in the Washington Post, former DHS Secretary Michael Chertoff wrote “the TSA has listened to the reasonable concerns of privacy advocates and incorporated numerous suggestions into its protocols to draw the right balance between security and privacy.”

While TSA has stated that the images will not be stored or sent, the Electronic Privacy Information Center (EPIC) has claimed that 2008 documents it obtained from TSA state that the machines need to have image storage and sending capabilities while in test mode.

EPIC Executive Director Marc Rotenberg says that this could facilitate abuse by employees and hackers.

So what is the potential for data breaches with the body scanner technology?

The threat from outsiders can be mitigated by ensuring that the body scanners are not wired to external Internet or to machines that are connected to the Internet. Additionally, if the images are transmitted to the TSA officer responsible for viewing the images, the risk of possible interception increases. Earlier this year, The New New Internet reported on the use of SkyGrabber software by insurgents to intercept Predator drone feeds in Iraq.

The insider threat is more difficult to combat. Earlier this month, a former TSA employee attempted to sabotage a terrorist database after he was fired. Insider threats are often difficult for IT security professionals to defend against, as insiders have easier access to the systems and often understand the system architecture better than outsiders.

At the time of writing, TSA has not yet responded to a request for comment on the set-up of the body scanning system.

According to the TSA website, the images are automatically deleted once they are cleared by the TSA employee viewing the image. Also, TSA officers viewing the images are in a “secure resolution room” and “are not permitted to take cameras, cell phones or photo-enabled devices into the resolution room.”

The process still remains optional for all passengers. Any passenger can refuse to undergo the body scan but is subjected to a pat-down search instead.

Recent polls suggest that the majority of Americans have no problem with the body scanning technology. Nevertheless, some experts question how effective the technology is at detecting small quantities of certain types of explosives, like that used by the underwear bomber.

To learn more about how body scanners work, click here

Skimming attacks almost always happen in the same way. Criminals paste a fake card reader over the actual reader. A PIN entry capture device, either a camera or fake PIN pad placed over the actual PIN pad, record the bank customers PIN. The resulting data (magnetic strip information and PIN) are then recorded, often in a cell phone, and wirelessly transmitted to a computer or laptop near the bogus ATM. Once criminals have both magnetic strip data and the PIN withdraws are made. Without the PIN, the magnetic card data is useless. For this crime, both data sets are needed.

Most withdraws happen over the weekend, when banks are slower to react and charges take longer to process.

Part of the appeal of skimming crime is the cost to the criminals. The technology and devices needed are extremely effective and hold a very low cost. Most are manufactured by the skimmers and some are purchased legally from localities such as China. Internationally, skimmers are particularly active in Turkey, Lebanon and South Africa and in major tourist centers.

Skimming crime is  hard for police and officials to catch. Most people caught in association with this crime are the low level criminals who are assigned to attaching devices to the machines.  Much is not known about the depth and structure of skimming organizations. “They’re not idiots or drug-addled junkies trying to get $20. They’re consummate businessmen. They adjust for the last countermeasure that we put in place. We build the wall higher, but they keep coming back with taller ladders,” said Detective Pedro Palenzuela, a detective from Palm Beach County responsible for cyber crime.

Banks hold the burden for this type of crime. If you suspect that you have been a victim of this crime, notify the bank immediately. They will need you to report the crime to the police and then monitor your account. Banks often replace the money stolen. Most police internationally shrug at this crime and write a report knowing that the perpetrators will not be caught. The recent successes in catching skimming rings in Romania and Bulgaria were a luck exception. Law enforcement does not know much about the skimmer criminal.

Germany has been having significant problems with skimming attacks. Last year 18,000 Germans were victim to these robberies. German banks are taking action to protect their customers.

EMV technology replaces the need for magnetic strip banking. Each card that bears a magnetic strip is replaced with a processor ship holding the same information as the magnetic strip. Named for the three largest credit card companies in the world, Europay, Mastercard and  Visa, companies are working fast to develop international standards for this technology.

Germany is taking this technology a step further. By 2011, all ATMs will use EMV rather than magnetic strip technology. The switch to EMV machines does hold significant cost to banks, but they are willing to make a step for security. This more secure platform is a major step by German banks, and they hope that customers will also take steps towards safety. Even with current magnetic strip machines simple safety steps such as covering you hand while entering PIN, checking for wobbly parts, wholes and additions especially around the card slots and by avoiding free standing machines.

Banks in Germany hope that if they take the first step, customers take more precautions and develop better practices. Domestically, EMV technology is most often seen in transit-fare collection systems. Earlier this month, at the 3rd Annual Smart Card Payment Summit, scholars and researchers see the wide-spread acceptance of automatic transit fare will lead to better acceptance of Smart Card technology. Experts at the conference also urged banks to offer EMV cards to customers that often travel abroad, as more countries, not just Germany transition to EMV only machines. Contactless cards have also found mild success in gas stations.

Most of the world is adopting this technology and the United States is falling behind. “Once the world moves to EMV, the card companies have said they will get rid of the mag-stripe,” said Caroline Walpole, a smart card expert in the United Kingdom  ”But until everybody in the world is ready, we can’t lose the mag-stripe.”

A significant percentage of successful cyber attacks exploit users who click links to infected sites or open infected attachments. Commonly called phishing, these attacks look to convince the unsuspecting user to open what appears to be legitimate correspondence in their email inbox.

Companies are now struggling to provide adequate education to their employees that would help them to identify phishing attacks. The Intrepidus Group, a solutions and consulting company founded by Rohyt Belani and Aaron Higbee, seeks to help companies better educate their employees.

Aaron Higbee, CTO and co-founder of Intrepidus Group, recently told The New New Internet “Our people are the first line of defense.”

Belani and Higbee founded the company following a number of years in security. As they observed the maturation of security in companies, they noticed a lack of focus on the human vulnerabilities within a company.

“One of the things they haven’t really been paying attention to and that hackers are really getting into these days, is the spear phishing vector, so going after human targets,” says Higbee.

Intrepidus Group provides a number of solutions, including Phishme.com, an anti-phishing training solution. The site provides an on-going training platform that can be utilized by companies to train employees to spot phishing attacks.

The training scenarios can range from generic attacks, complete with spelling errors and lines like ‘you have a secret admirer at work,’ to phishing emails that utilize social engineering techniques.

An advantage of PhishMe is that employees are immersed in the real experience, the see “what a phishing email looks like in their inbox, what the URL looks like, and if they have clicked their way through, they get the education, as opposed to the traditional computer bases training where they just try to click through as fast as possible,” says Higbee.

In their testing, the Intrepidus Group has noticed that even generic phishing attacks have a relatively high success rate. One in four individuals would click the link in a generic phishing email the first time it was conducted, even when the email included spelling and grammatical errors.

They also noticed that with more customized phishing attacks (spear phishing) that utilize either social engineering or hijack a current trend (like the Haiti disaster); the first time click rate is around 75 percent.

The success of phishing attacks appears relatively consistent across sectors as well. In a test with a security department at a large financial institution, over half of the information security professionals were taken in by the phishing attack.

Ultimately, the goal of Intrepidus Group is to help clients consistently drop that statistic until it is near zero. The model of Phishme.com is a subscription service that utilizes continuing education.

The services offered by Intrepidus Group span a variety of sectors and include public and private sector customers. Government contractors make up a significant portion of their clientele as well as members of the financial sector and law firms.

“They are starting to realize that the humans are the front line of defense now,” said Higbee.

Janet Napolitano

Last week, RSA held its annual conference out in San Francisco, CA. The conference brought together cyber experts from around the world, along with notable speakers like DHS Secretary Janet Napolitano, FBI Director Robert Mueller and Howard Schmidt, the White House Cybersecurity Coordinator.

The topics discussed range from cloud computing to botnets to the need for public-private partnerships. Concerns over cyber crime and cyber espionage dominated the agenda while privacy issues also featured prominently.

One of the topics featured in the privacy debate was the issue of Einstein III, a proactive cyber defense program that DHS is seeking to implement.

“I don’t think you have to be Big Brother in order to provide a level of protection either for federal government systems or otherwise,” Greg Schaffer, assistant secretary for cybersecurity and communications, said. “As a practical matter, you’re looking at data that’s relevant to malicious activity, and that’s the data that you’re focused on. It’s not necessary to go into a space where someone will say you’re acting like Big Brother. It can be done without crossing over into a space that’s problematic from a privacy perspective.”

During one session, former DHS Secretary Michael Chertoff and Richard Clarke, former special adviser to President George W. Bush on cybersecurity, discussed the need to overhaul the current U.S. cybersecurity system.

“They’re stealing anything that’s worth stealing,” said Clarke, now chairman of Good Harbor Consulting. “All the little cyber devices that the companies here sell have been unable to stop that…We’re having little Pearl Harbors every day.”

Chertoff advocated for better education to produce more cyber aware citizens. “When we structure our security, we have to take into account how people behave,” he said.

The headline speakers produced some of the biggest splashes, with Secretary Napolitano announcing the beginning of a competition to develop a cybersecurity education plan for the U.S. and Schmidt announced the declassification of the Comprehensive National Cybersecurity Initiative (CNCI).

Mischel Kwon, former head of US-CERT, said “[I] heard Howard Schmidt and his announcement about the declassification of the CNCI which is very exciting information for everyone. It goes, coincidentally, very well with the Google announcement of what’s happening to them. It’s so good to see both sides of the fence opening up and sharing information. Because that’s so important, it’s not just the government, its also private sector being able to share what’s happening to them without affecting their reputation.”

During his address FBI Director Mueller said that the FBI views the threat from cyber terrorism as “real and expanding.”

Melissa Hathaway

Melissa Hathaway, who led the 60 Day Cyberspace Policy Review back in May 2009, also spoke about the need to “tell a simple story,” increase innovation and achieve broader public-private participation.

The RSA Conference always provides a useful venue for cybersecurity information and discussion. Many of the world leaders in cybersecurity attend the conference and it always features influential speakers.

Adm. Mike McConnell

Over the weekend, Admiral Mike McConnell, former DNI and presently heading the cyber effort at Booz Allen, published an article in The Washington Post calling for a new strategy and thought process for cybersecurity in the US. The article highlighted a number of key strategies Adm. McConnell believes the US should look to actions, including reverse engineering the Internet and employing both deterrence and preemption capabilities.

The New New Internet had the opportunity to ask two cybersecurity experts, with years of government service, their reactions to Adm. McConnell’s suggestions. General Dale Meyerrose (AF, Ret) is the current Vice President and General Manager for Cyberspace Solutions at Harris Corporation and previously worked under Adm. McConnell. Lt. General Harry Raduege (AF, Ret) is the chairman of the Deloitte Center for Cyber Innovation, a senior counselor with the Cohen Group and is the former Director of DISA.

Gen. Dale Meyerrose

Gen. Dale Meyerrose:

“I think Admiral McConnell is exactly right in that if you have many of the assets in private ownership and most of the capability to do something about it in the public sector, figuring out how to get those two things to work properly is going to be the key. [Cyber] is a completely man-made domain, of which we don’t seem to have or want to have a lot of control over. Whereas the physical domains of air, land, sea and space, we have a lot easier time of dealing with than the man-made one. I think Admiral McConnell is spot on. We need to figure out how to think of these things differently than we have in the past. He is a thought leader in this area, a former boss of mine, and I think he understands this area as well as anyone around and his call for action is very appropriate.”

Lt. Gen. Harry Raduege

Lt. Gen. Harry Raduege:

“Many of the developed nations of the world are as dependent on a healthy, secure Internet as we are, so this is a multi-dimensional, global problem. Just as we had a triad of land, sea and airborne nuclear capabilities to deter the use of weapons of mass destruction during the Cold War, we need a cyber-triad today to deter weapons of mass disruption.  We need continuing resilience throughout our network infrastructure, so that our adversaries know that they cannot cripple our national security or economy with a cyber attack.  We must solve the attribution problem, because if we don’t know who is attacking us then we cannot impose measured consequences to deter or counter them.  And, we must develop offensive cyber capabilities.   Our enemies have to know that we can cripple their critical networks if they threaten ours.  If we set up this cyber-triad, our country’s national security and economic stability will be better protected.”

Jim Lewis

Jim Lewis, Director and Senior Fellow, Technology and Public Policy Program with the Center for Security and International Studies (CSIS), is widely regarded as one of the premier experts on cybersecurity issues. He headed the CSIS Commission on Cybersecurity for the 44th Presidency and has testified before Congress.

On March 25th, Dr. Lewis will be speaking at an event hosted by the Potomac Officers Club, a DC area non-profit.

Dr. Lewis recently spoke at the 2010 Government Solutions Forum hosted by CISCO, where he discussed the need for the US to rethink its strategy towards cyberspace.

“We’ve had market failure when it comes to cybersecurity,” Dr. Lewis said. “Security doesn’t come out of voluntary actions and market forces.”

“Private action cannot solve the cybersecurity problem by itself,” he said.

To register to attend the event, click here

Jeff Carr, CEO of Grey Logic

TNNI: You recently authored a book called Inside Cyber Warfare. Tell us a little about the book. What was your motivation for writing it?

Carr: What I tried to do with the book was take a more complex view of the scope of cyber warfare and really even the misnomer of cyber warfare, because there really isn’t any legal definition as such. There is a cyber component to an actual act of war, but in terms of a battle in cyberspace, we have not really seen that and there is no real definition to that. Instead, the book looks at the various ways that state and non-state actors interact in cyberspace, in order to exercise control or to commit crime or do espionage or any number of actions that network systems now enable actors to do.

TNNI: One of the areas that you just touched on was defining cyber war. Do you think we will ever reach a point where there is a commonly accepted definition, particularly in the international realm?

Carr: Probably. I imagine in time such a thing will occur, it is going to take an awful long time. The biggest problem is that the existing models of what treaties do is something that might not work for cyberspace, and I touch on this in the book.

In my view it is more of a law enforcement issue rather than an issue that can be prescribed through a treaty regime similar to way that Weapons of Mass Destruction are controlled. I think those treaties will just not be effective for cyberspace. However, I do hope that one day the principal nations will agree on the principals of a collaborative law enforcement effort to crackdown on abuses that are committed in that plane.

TNNI: Do you find cyber attacks to be a predominately the work of nation-sates or do you also see this as a proliferation of nationalist hackers, and who do you think poses the greater threat?

Carr: I don’t think hackers are going to waste time with anything that does not yield some type of profit. So then it really becomes the question of what was targeted. That is how Grey Logic looks at attribution when it comes to cyber espionage; what have we tied it to what was taken, who would have reason to have entered or accessed it; it has value to what party? Then you can start narrowing the field.

I categorize it in three areas, you have state actors, and state sponsored actors, which would typically be skilled hackers who have some type of handshake arrangement or some other compensation with the state entity but also at the same time create plausible deniability. Then you just have non-state actors.

The best example of that is in China, when Chinese activists respond to an action that negatively affects their country. There are multiple examples of that. There is also the distinction when what you look at what is referred to as hactivists between Russia and China. In the case of China, they are defensive. People act against their country, Chinese hackers react. In the case of Russia, it is not. It is much more offensive. And there are exceptions of course, for example, Estonia in 2007 can be interpreted as a defensive action. Because the Estonian authorities moved a Russian statue and the Russian hackers reacted.

TNNI: Do you see states concentrating more on offensive or defensive capabilities?

Carr: Most large countries are developing some type of capabilities, including the U.S., Russia, China, Germany, Israel, North Korea, South Korea, and then you can assume, I think you can safely assume that other members of the European Union are also developing there own capabilities.

Turkey, for example, I think it is safe to assume that they are developing, although they have not officially announced it. They have done some things which would indicate that they are creating that capability. India I believe is actively involved, because China has stated development, so I am sure that India must be developing a similar capability as well. I think everybody is going to wind up doing it just simply because it is necessary from a defensive point of view.

TNNI: How serious is the threat from cyber attacks, and is the U.S. government currently taking the necessary steps towards defending U.S. networks?

Carr: I think that it is very serious, potentially extremely serious. I think that the U.S. government is taking some measures but not nearly acting fast enough or at a scale equivalent to the severity of the matter. One big example that I frequently point to is that in a most recent report put out by Host Exploit; of the top 50 badware ISPs in the world, 20 are right here in the U.S. That is just an intolerable situation as far as I am concerned because you have the capability of non-state actors using servers in the U.S. to attack U.S. interests and U.S. networks. It is just silly to allow that to continue.

TNNI: What steps to you think the U.S., both from a government side and from a business side and even down to individuals, should all be taking to enhance cybersecurity?

Carr: What I just described would be in my opinion the very first step. So you require that ISPs do what they are supposed to do, which is every person who is purchasing a service from them, make sure they are providing accurate WHOIS information on their domain registration and hosting agreements; name, address and contact information. All of that has to be vetted effectively. In addition, ISPs should be held responsible for crawling their servers on a monthly basis to check for malware and other illegal activities, and then shut it down until the problem is corrected or the bad actor leaves that hosting service.

In addition to that, we need to recognize that we cannot defend everything. Therefore I think you need to do a survey of your assets, identify what the most critical assets are, and that is what you need to protect.

TNNI: What are some of the greatest impediments to greater cooperation, both domestically and internationally, and what can be done to overcome them?

Carr: The biggest problem is exemplified by the Russian Federation. Their preference is a treaty regime to control or help govern cyberspace. What they would not agree to do is cross border law enforcement. That is a predicament because every instance, going back to even Chechnya in 2002, Russia has engaged or utilized non-state actors to run their cyber campaigns. They will only be discovered through cross border law enforcement arrangements. A treaty would have absolutely no effect on them whatsoever.

China on the other hand is setting, in my opinion, a very good example. They are cracking down on their internal ISPs that are hosting malware. They are making an effort to arrests hackers that engage in illegal activities, they are doing all the right things. I am not sure, frankly, if China is willing to agree to cross border law enforcement, but at least they are making the effort to clean their own house.

Melissa Hathaway

This week, RSA’s conference in California looks “ to drive the worldwide information security agenda,” says conference general manager Sandra Toms LaPedis.

As instances of cyber attacks continue to grow more prevalent, cyber warriors and national security officials are gathering in California to examine methods to enhance cyber defenses. The RSA conference, held in San Francisco this week, includes a number of headline government speakers, like Secretary of DHS Janet Napolitano, White House Cybersecurity Coordinator Howard Schmidt and FBI Director Robert Mueller.

The conference also includes industry leaders like Craig Newmark, founder of Craigslist, Enrique Salem, President and CEO of Symantec and David DeWalt, President and CEO, McAfee Inc.

On Tuesday, Melissa Hathaway will discuss how to develop a strong and cohesive national cybersecurity plan that includes cooperation between the private sector and government.

The conference will examine issues like security in the cloud, enabling the use of social networking sites and ensuring safe remote access of business networks.

Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conference, said “As cyber warfare, cloud security and protecting the enterprise in the face of consumerization and mobility emerge as new challenges for IT departments, our attendees rely on RSA Conference for practical insights and real-world answers to these issues.”

Some of the more prevalent issues presently facing cyber defenders will dominate the agenda, particularly cyber crime and cyber espionage. Most recently, the highly publicized Aurora attacks against search engine giant Google has brought the issue of cyber espionage into the public eye.

“Malware has become important as the sophistication of the attacks has increased. That is underscored by the Google Aurora attack,” said Philippe Courtot, Chairman and CEO, Qualys Inc. “Now we know for a fact more than a hundred companies were compromised in very targeted attacks of industrial espionage.”

During the conference, FBI Director Mueller will discuss the variety of cyber threats currently arrayed against US interests, including cyber crime and how foreign government and terrorists exploit the Internet for nefarious purposes.

Schmidt will participate in a “town hall” style discussion and Secretary Napolitano will discuss the impact that cyber threats have on society at large.

In a session titled  “ Dealing with Sophisticated Threats in Cyberspace without Creating Big Brother ,” former Secretary of Homeland Security Michael Chertoff and former chief counterterrorism advisor to the NSC, Richard Clarke, will look at how the government can help to defend companies and citizens against cyber threats without eroding civil liberties or infringing on privacy rights.

The expanding use of mobile devices to access Internet services will also be a central discussion point at the conference.

“There are so many security topics high on the agenda. Certainly one of the topics is how mobile devices are becoming more like computers with the benefits and drawbacks as well,” said Simon Bransfield-Garth, CEO of Cellcrypt, a voice security solutions provider.

The conference also includes a number of tutorials taught by the SANS Institute, a cybersecurity training center headquartered in Bethesda, MD.

The conference will likely include the release of new threat studies and new services and products catering to the cyber defense community.

Sen. Al Franken

Late last year, President Obama signed into law the Franken Amendment, which is an amendment to the Defense Appropriations Bill. It took effect last Tuesday and received both praise and derision from interested parties.

The initial impetus behind the Franken Amendment was a result of the alleged rape by fellow contracting employees of Jamie Lee Jones. Based on arbitration agreements signed with the company, Jones was unable to move the case through court channels.

The Amendment states that funds in the Defense Appropriations Act cannot be used to fund new or existing contracts in which a contractor or subcontractor requires employees to sign an agreement to resolve claims related to the Civil Rights Act of 1964 or any instances related to sexual assault or harassment. This means that any contractor currently operating in Iraq or Afghanistan now needs to go back and re-negotiate its contracts with its employees, which will likely prove to be an expensive undertaking.

An interesting side to the Franken Amendment, which is not specifically spelled out, is the issue of cyber sexual harassment or bullying. In recent years, increasing levels of attention have been paid to cyber bullying of young children, which has led to instances of suicide.

So, does the Franken Amendment extend into the cyber arena? What are some of the implications and challenges that it will face?

The Amendment most certainly would extend into sexual harassment actions that emanate from cyberspace. As the Amendment fails to define a particular medium under which such harassment must occur, it is necessary to take the broadest interpretation.

The extension of the Amendments reach could certainly prove a significant aid to victims seeking justice. However, it also opens up a range of difficulties that arbitration could potentially be the more appropriate venue.

While instances of rape and other versions of sexual harassment/assault are not necessarily easy to attribute, it is generally more definitive than the cyber realm. Cyberspace provides a level of anonymity that in today’s age is difficult to achieve in the physical realm.

Cyber bullying or harassment could appear to come from a particular email address or even IP address. However, criminals that utilize cyberspace are perfectly adept at hijacking valid credentials to carry out their misdeeds.

In these instances, arbitration would have significant advantages over court procedures. Individuals who are accused of being perpetrators of sexual harassment (but are in fact innocent) would suffer less through an arbitration process.

While victims of sexual assault and harassment certainly deserve unfettered access to court procedures, information and evidence in the cyber domain can prove incredibly complex. In the realm of cyberspace, the Franken Amendment has the potential to make more victims, despite its good intentions.

Gen Dale Meyerrose

Recently, The New New Internet had the opportunity to speak with General Dale Meyerrose (Air Force, ret.) who currently serves as the Vice President and General Manager for Cyberspace Solutions at Harris Corporation. In the interview, Gen Meyerrose discusses the importance of building partnerships and the challenges to building them, making more people ‘cyber aware’ and the issue of cyber crime.

TNNI: Just to start off, could you tell me a little about your background?

Meyerrose: Sure. I’ve spent over three and a half decades in public service. The first 30+ years I was in the United States Air Force, the last three years in public service I was the first Presidentially appointed, Senate confirmed Chief Information Officer of the Intelligence community. I spent most of that service in cyber communications, information technology intelligence, command control operations and space support. I graduated from the United States Air Force Academy in 1975 with a degree in Economics, I have a masters in Business Administration from University of Utah.

TNNI: As the Vice President and General Manager for Cyberspace Solutions at Harris Corporation, what do your duties entail?

Meyerrose: I lead all aspects for the company in terms of strategy for cyber business development and program execution for cyber initiatives.

TNNI: Earlier this month, in a statement before Congress on the annual threat assessment of the U.S. Intelligence committee, Dennis Blair highlighted some of the issues facing the U.S. in cyberspace and the need to build partnerships between the public and private sectors. How important is it to build partnerships and what obstacles or challenges will such efforts face?

Meyerrose: It’s absolutely critical, in my view. 90% of the critical infrastructure in the United States is in private ownership and there is, I think, an inherent responsibility of protection from the government. Most of the sophisticated capability with regard to cyberspace, both capability and protection, reside in the government and a lot of it in the United States Military. So we have a series of legal and cultural barriers towards parts of the government, particularly the United States Military, to help out on domestic affairs. So there’s this almost dichotomy between where the critical infrastructure is in our country and where the means to protect it and take care of it reside.

TNNI: The White House recently named Howard Schmidt to the position of Cybersecurity Coordinator late in December of 2009. What challenges do you think Schmidt will face in the coming year?

Meyerrose: Clearly, he is occupying a new position, never before been a part of our government. And so the first thing is to make sure that he’s part of the right processes, that he has the right roles outlined for how other parts of the government will interface with him. I think he needs to outline the priorities that he’ll focus on that were a result of the 60 day cyber review taken earlier last year. Probably the most difficult to figure out is how to get the 22 different governmental departments and many agencies to give credence to working together in solving jointly the issues in front of our government, and our country.

TNNI: Recently there have been calls for better educational efforts targeting both employees and the public at large, some going so far as suggesting a ‘Smokey the Bear’ model for cyberspace. How important is education to cybersecurity and what are some positive steps both government and companies can take toward nurturing more cyber aware citizens?

Meyerrose: I’m not exactly sure what a Smokey the Bear for cyberspace would be, but in my view, cyberspace skills may soon rival the 3 R’s in being able to be a productive citizen in our society. Cyberspace is a part of almost everything we do– whether it’s opening a hotel door; getting money to spend, to order things, to pay bills, to do banking; our transportation and power—so cyberspace is becoming almost inseparable from most pursuits in American life. There is a responsibility of our citizenry to protect not only themselves, but other users. I don’t think the importance of this social responsibility has been articulated, nor what these problems might be. The government can take part in this education through public service announcements and other such devices. And as I alluded to earlier, with so much critical infrastructure being in private ownership, there’s an inherent accountability for folks who own that critical infrastructure. So how do companies reward and punish behavior in cyberspace that they’re accountable for?

TNNI: One of the essential issues in both the public and private sectors is ensuring that organizations are able to recruit and retain skilled cyber professionals. How does Harris seek to retain the top talent?

Meyerrose: First of all, we have a very close working relationship with several educational institutions. In particular, we’ve spent about 5 million dollars in both facilities and in an information assurance center at the Florida Institute of Technology. We also, last fall, contributed over 3 million dollars to University of Florida to fund engineering programs. We also fund scholarships and internships at the local level in various locations where Harris facilities reside, and they reside in virtually almost every state in the country. Clearly the elements of technical education are what is most important to cyberspace. Those that were traditionally important to information technology, communications industries and all those kinds of things are indeed part of what is important to cyber: math, science and engineering.

TNNI: What kind of issues in cybersecurity are of greatest concern to you, and why?

Meyerrose: The one of most concern to me is cyber crime. It’s the most insidious, I think. I know there’s a propensity for folks to want to demonize and look for radicals or other countries to be the cause of bad things that happen in cyber space. Those are there and those threats are very real, but the elements of cyber crime I think, particularly economically for our country, have come to the point where we need to really be concerned. There have been estimates that we’ve lost over a trillion dollars a year to cyber crime in the last couple years. And it now exceeds all other crime in terms of the amount of money. So it’s something that undermines the trust in our economy and something that I worry about, not only as a citizen, but also as a steward of a company’s assets.

TNNI: What sort of positive steps do you think the government or companies or both really, can take towards combating this threat?

Meyerrose: Well, there are lots of things that we really need to do. There are elements of legislation, so much of our law knows how to deal with things in the physical sight, like a burglary, robbery, an assault, a theft, those kinds of things. But when those things happen in cyberspace it’s not quite so clear. First of all, cyberspace is borderless. So where’s the jurisdictional lines for taking action against somebody. It is also something that you don’t immediately see. You know, people talk about a Katrina or a 9/11 or a Pearl Harbor as a description of wide-ranging destruction, damage, and even death. Well, in cyber you don’t see that.  But what does happen is people lose confidence in cyber’s ability to do what it says and also there are real assets that end up changing hands almost invisibly through cyberspace.

TNNI: Those were all the questions I had. Is there anything you wanted to add?

Meyerrose: I think that this more and more needs to become a national priority and a priority of companies and citizenry. For the past decade we’ve had this convergence of social networking and universal access to information and that’s not going to go away. That’s all propelled by cyberspace. There are no pedestrians in cyberspace. Everyone is a victim, a user, a threat to somebody else because you may be passing a malicious code along inadvertently. So the concept that it doesn’t affect me, or that I’m not a part of the problem is indeed the conundrum that we have in getting cyberspace the right kind of priority.