As a medium, the Internet has allowed its users an unprecedented level of anonymity. Usernames and avatars hide names and true identities in online forums and communities, and anyone can choose how much to disclose to others in cyberspace. However, while most understand how posting personal information could have severe consequences, very few realize their online activity can be monitored and cross-referenced to reveal clues about their identity.

“It’s important to think about every time that you interact with a third party online, they have information about you,” said Rebecca Jeschke, media relations director at Electronic Frontier Foundation.”You may buy your books online–lots of people buy things online. It’s not just social-networking sites where we volunteer this information; we volunteer it in a lot of ways.”

Take the simple task of doing a web search, for example. In 2006, The New York Times reported how leaked records from AOL revealed how users’ search-engine queries could be linked to their identities. By collecting and analyzing a user’s web searches, AOL’s researchers peeled away the many layers of cyber anonymity, unveiling the identity of user No. 4417749: Thelma Arnold, a 62-year-old widow who lived in Lilburn, Ga.

During a three-month period, Arnold typed into AOL’s search engine sentences such as “60 single men,” “landscapers in Lilburn, Ga” and “tea for good health,” clues that led AOL researchers to her. Commenting on AOL’s practice of storing users’ information, Arnold said to The Times, “We all have a right to privacy … Nobody should have found this all out.”

Search engines are just one of many places that–unknowingly to most–track users’ activity. Traveling through cyberspace, you provide information to others almost every click of the way, including to the ISP that knows your IP address, the browser that tracks which sites you have visited, and the cookies that store login or registration identification and user preferences.

And the tracking doesn’t stop there. Read digital books? Then your e-book provider probably knows which titles you have read, browsed and bought, and how long you looked at each page. Use email or IM? Do not assume your communications are private, unless OTR encryption is used on both ends. Make online purchases? Then your personal contact information, bank details and purchase and browsing history are mostly likely being tracked.

Although some argue their web activity would cause nothing worse than embarrassment if made public, privacy advocates say there is a lot more at stake than just the awkwardness of having those records exposed.

Commenting on the AOL case, Jeschke said it was a great example of how words put into a search engine “hold clues to very intimate details about your life.”

“How you read and gather information can be very sensitive,” she said. “People often go on an intellectual journey where they really discover and explore fringes of political thought or other thoughts. It’s not hard to imagine a young person reading up about homosexuality, for example, if they have questions of their sexual orientation. That’s something that’s far from illegal, but something they don’t want the world to know.”

As obvious as it may sound, many don’t realize how divulging even one personal identifier– Social Security numbers, location, date of birth, or even political, religious or philosophical opinions, among others–can unmask their identity. Whistle-blowers, for example, risk their shield of anonymity if they reveal too many clues about themselves. In repressive regimes, anonymity is crucial for citizens who speak out against the government: When Zimbabwean online journalists and bloggers documented atrocities committed by Robert Mugabe’s regime, they used various encryption techniques to protect their identities.

Even in democratic nations like the United States, anonymity holds a prominent place as a notion deeply rooted in First Amendment rights, Jeschke said.

“Without the right to speak anonymously, free speech is often killed,” she said. “[People] may want to speak about their workplace and their insight of their workplace without their boss knowing. … These aren’t things that are illegal, or that would people at legal risks, but these are things people may want to discuss in an anonymous fashion and anonymous speech is very well protected under the First Amendment.”

However, while anonymity allows people to express themselves freely without the fear of retaliation or persecution, there is always a darker side to it: It breeds criminal behavior.

From phishing and spam to botnets and DDoS attacks, global crime rings have been able to form in an environment that fosters concealment. While anonymity in cyberspace is “generally a good thing,” one imminent problem is how criminals are using it in combination with the borderless nature of the Internet to develop international crime rings, said Sean Sullivan, security adviser at F-Secure’s North American Labs.

“Cyber crime is an international problem and the lack of true authentication leads many to fall victim to scams–419 advance-fee frauds, for example,” he said. “Criminals can freely and openly do business via web forums because they are able to cloak themselves.”

As the majority of today’s cyber threats are profit based, criminals do not want to be caught or have their businesses hampered, either by law enforcement or by competitors, so almost all cyber threats work to be untraceable, Sullivan said. Compromised computers act as proxies and/or illicit bulletproof hosting is used to mask true sources. Unless serious investigations are made, at best, most cyber threats can only be traced to a proxy, he said.

“Other threats, such as worms, make tracing difficult by their very nature,” Sullivan said. “Computer worms are a form of artificial intelligence. They are their own source; they reproduce themselves, and can be designed to enter the cyber world with no trace of their authorship.”

Mischel Kwon, vice president of Public Sector Security Solutions for the Worldwide Professional Services unit at RSA, The Security Division of EMC, said many hackers will use bounce-off points for other people’s servers to traverse through their IP range so it looks like someone else is performing the malicious activity.

“That is illegal; that’s considering breaking and entering, and of course it has malicious intent behind it, and that is a problem,” said Kwon, a former director for US-CERT who has nearly three decades of experience in the design, implementation and management of critical IT infrastructure and security operations programs. “But that comes with the technology that we use, as part of how the Internet works … so it’s hard to prevent.”

Looking at the different kinds of cyber attacks currently occurring worldwide, botnet attacks are one of the largest ways and most common tactics of launching an anonymous attack, Kwon said. But implementing policies or legislations wouldn’t help preventing cyber attacks because the Internet sees no boundaries.

“You also have to remember this is a global Internet; just because we create one policy to one site that happens to be housed in the United States, that site still services the world,” she said. “And just because you’re accessing the site from the United States doesn’t mean that the policy you’d want to have established works because the site might reside in another country that has different laws and policies.”

Commenting on the topic of whether it will be more of less difficult for individuals in the future to remain anonymous online, Sullivan said it depends on the question of “where” in cyberspace.

“The future may bring a realignment of the Internet and its network of networks–untrustworthy networks that provide cloaking for criminals may be disconnected,” he said. “Businesses that are attacked from anonymous sources may well decide to pull out of those countries that allow for such attacks to [be] carried out. Google is now a prominent example of this.”

Janet Napolitano

Last week, RSA held its annual conference out in San Francisco, CA. The conference brought together cyber experts from around the world, along with notable speakers like DHS Secretary Janet Napolitano, FBI Director Robert Mueller and Howard Schmidt, the White House Cybersecurity Coordinator.

The topics discussed range from cloud computing to botnets to the need for public-private partnerships. Concerns over cyber crime and cyber espionage dominated the agenda while privacy issues also featured prominently.

One of the topics featured in the privacy debate was the issue of Einstein III, a proactive cyber defense program that DHS is seeking to implement.

“I don’t think you have to be Big Brother in order to provide a level of protection either for federal government systems or otherwise,” Greg Schaffer, assistant secretary for cybersecurity and communications, said. “As a practical matter, you’re looking at data that’s relevant to malicious activity, and that’s the data that you’re focused on. It’s not necessary to go into a space where someone will say you’re acting like Big Brother. It can be done without crossing over into a space that’s problematic from a privacy perspective.”

During one session, former DHS Secretary Michael Chertoff and Richard Clarke, former special adviser to President George W. Bush on cybersecurity, discussed the need to overhaul the current U.S. cybersecurity system.

“They’re stealing anything that’s worth stealing,” said Clarke, now chairman of Good Harbor Consulting. “All the little cyber devices that the companies here sell have been unable to stop that…We’re having little Pearl Harbors every day.”

Chertoff advocated for better education to produce more cyber aware citizens. “When we structure our security, we have to take into account how people behave,” he said.

The headline speakers produced some of the biggest splashes, with Secretary Napolitano announcing the beginning of a competition to develop a cybersecurity education plan for the U.S. and Schmidt announced the declassification of the Comprehensive National Cybersecurity Initiative (CNCI).

Mischel Kwon, former head of US-CERT, said “[I] heard Howard Schmidt and his announcement about the declassification of the CNCI which is very exciting information for everyone. It goes, coincidentally, very well with the Google announcement of what’s happening to them. It’s so good to see both sides of the fence opening up and sharing information. Because that’s so important, it’s not just the government, its also private sector being able to share what’s happening to them without affecting their reputation.”

During his address FBI Director Mueller said that the FBI views the threat from cyber terrorism as “real and expanding.”

Melissa Hathaway

Melissa Hathaway, who led the 60 Day Cyberspace Policy Review back in May 2009, also spoke about the need to “tell a simple story,” increase innovation and achieve broader public-private participation.

The RSA Conference always provides a useful venue for cybersecurity information and discussion. Many of the world leaders in cybersecurity attend the conference and it always features influential speakers.

Unnamed government sources speaking with the Financial Times claim that the Chinese government had special access to the programmers work and that the programmer had posted some of his research on a hacking forum.

Mischel Kwon, former director of US CERT and now with RSA Security, said “We’re realizing there are other aspects of this problem beyond the technological and that there are other agencies that need to get involved.”

Government officials told the Financial Times that the code programmer did not carry out the attack and may not have even wanted to hand over his research. The attacks appear to have been launched from the schools identified last week.

Mischel Kwon of RSA

Cybersecurity is becoming a more central portion of the US national lexicon, particularly in Washington. Recently, the House passed the Cybersecurity Enhancement Act, which has gone to the Senate for approval, and a variety of recent attacks on private organizations has brought cyber attacks into the daily news. Mischel Kwon, presently VP of Public Sector Security Solutions at RSA, The Security Division of EMC, and former director of US CERT, is fully cognizant of some of the key challenges facing the government and private sector. The New New Internet recently had the opportunity to sit down with Mrs. Kwon to discuss the role of the government in cyber security, some of the obstacles to greater cooperation and the necessity of cyber education.

TNNI: So much of the U.S. critical infrastructure is in the hands of the private sector, what role can and should the government play concerning the security and the resiliency of private sector networks?

Kwon: I believe it is a group effort. This is not something that one entity can fight and make secure all on its own. Whether it’s a critical infrastructure, an organization, or whether it’s a government entity, the key to fighting this problem is information. The best thing the government can do is share the information they have with critical infrastructure and other private entities, as well as all parts of the government, so that they can fight the problem.

There is a lot of discussion about whether or not we need regulations that mandate different priorities, auditing, and other mechanisms. The answer to that is we are not there yet. We cannot get to a point where we can do that until we start sharing the information we have first. If you don’t know what you are supposed to be looking for, or defending against, it’s hard to be mandated to do that. The first step is trying to overcome some of our information sharing problems, whether those road blocks are acquisition-type road blocks, legislative road blocks, or just classification road blocks. We need to overcome those first in order to move to a place to say ‘ok, everyone has to do this’.  We also must be cautions of over prescriptive, rigid regulations.

TNNI: What are some of the major obstacles to increasing cooperation, and what are some positive steps that the U.S. should be moving towards to create more secure partnerships?

Kwon: There are a lot of obstacles. First of all, the classification obstacle is huge – figuring out what we can talk about and what we should talk about and what is actually harmful for us to talk about. As a nation, I don’t think we have figured that line out. And we need to figure out where that line is so we can appropriately classify moving forward.

This is not just a technical problem – nor is it just a problem that security people need to be involved with in solving. If you look at the international front, this is a diplomacy problem, a negotiation issue. This is no different from any other negotiations we might have with other countries. A lot of things are affected more than it just being a technical situation – for instance economies, intellectual property, and global policies. It is encouraging at least to see other entities and sectors entering into negotiations, like the State Department, making statements about recent activities. Becoming more involved in this type of negotiation is important, because this is more than just a technical problem, more than just a cyber problem. We need to bring others in to help with that international negotiation.

Howard Schmidt

In December, President Barack Obama announced the appointment of Howard Schmidt to the position of cybersecurity coordinator, which has sat vacant since its creation in May 2009. Schmidt, a veteran of industry and previous administrations, will be responsible for coordinating the national effort to better secure U.S. cyber infrastructure.

The U.S. is consistently under attack in cyberspace, from web assaults against federal systems to private citizens and companies being victimized. While some of these attacks are a byproduct of criminal activity, some stem from deliberate efforts by foreign governments, looking to steal U.S. intellectual property and information of intelligence value. The risks and challenges the U.S. faces in protecting cyberspace are complex and will prove difficult to surmount.

As the lead coordinator for U.S. cyber defense, Schmidt will be responsible for ensuring the nation continues to stay abreast the current and future threat environments. Some of his key tasks include creating a new national cyber strategy, strengthening partnerships, R&D, forming an organized response to attacks and educating the nation about cybersecurity.

The task is daunting and will take a strong measure of resolve from Schmidt to combat the challenges before him. Below are some of the most important challenges that Schmidt will face in 2010.

Domestic coordination

The U.S. is the most networked nation in the world. We depend on our IT networks for banking, communication, heating and even warfare. Our national infrastructure spans the public and private sectors and one of Schmidt’s major challenges will be developing and coordinating a national strategy to protect those interests.

Jim Lewis

Individual agencies and departments have been moving forward in the absence of a cyber coordinator. “Schmidt’s biggest challenge will be building coordination among the cyber initiatives already under way,” according to James Lewis of the Center for Security and International Studies, who led the CSIS Commission for Cybersecurity for the 44^th Presidency. Schmidt will need to look to bring these efforts together into a coherent and usable policy that advances cybersecurity across the disparate initiatives within government and the private sector.

Schmidt will need to bring together the powerful voices along with people who have traditionally been on the fringes of the cyber issue. Mischel Kwon, vice president of public sector security solutions at RSA, The Security Division of EMC, and former director of USCERT, said: “One of his biggest challenges is getting everyone to the table. We’ve had a history of not having everyone at the table.”

Along with bringing everyone into the debate, Schmidt is tasked with forming an organized response to any future cyber incidents. Given that different stake holders have different concerns in the cyber arena, it will take all of Schmidt’s considerable experience and expertise to gain consensus on the appropriate response to cyber attacks.

Authority

One of Schmidt’s earliest tasks will be to define his level of authority among the disparate entities involved in securing the national cyber infrastructure. During the seven month search for the cybersecurity coordinator, it was rumored that a number of prospective appointees turned the position down due to the positions perceived lack of authority. Schmidt will have “regular access” to the president, but fundamentally has little established authority, especially among the other government “heavyweights.”

Currently, Painter conducts meetings on a weekly basis with a number of federal cyber security officials. He says “We’re dealing with all the agencies. This isn’t an issue that will be resolved overnight. A coordinator will add a lot to this effort, but we’re making progress on core issues. We’re not sitting around.”

Following the Cyberspace Policy Review conducted back in May 2009 by Melissa Hathaway, President Obama announced his intention to appoint a cyber coordinator who would be based in the White House. However, now seven months on, he has yet to appoint when. The majority of suspected candidates have all withdrawn from the running.

The problem is the position itself. Individuals, like Mischel Kwon, former head of US CERT, point out that the authority of the position and who the coordinator would report to does not give the individual enough power to actually coordinate cyber security on the national level.

At a recent conference hosted by Federal Computer Week and Juniper Networks, several former government cybersecurity professionals addressed a number of concerns surrounding the growing debate in the cyber arena. Mischel Kwon, former director of US CERT, highlighted several of the fundamental problems surrounding discussions of cybersecurity. She pointed to the need to find ways to discuss the problem in an unclassified manner, citing how U.S. enemies know the United States is aware of ongoing cyber attacks.

Ken Minihan, former director of NSA, highlighted several key points. He said discussions of cybersecurity must be part of the national security debate and not separate from it, the threat is real and the United States has mismanaged the issue, and finally the United States needs to take the lead in the international arena to ensure the U.S. influences the debate, saying “shame on us if we lose that advantage.”

Sciarrone provided some useful suggestions on moving forward domestically and abroad with cybersecurity plans. Domestically, she suggests the turf battles need to end, both between agencies and in Congress. The United States needs to decide what needs to be accomplished and then determine which agency is the best lead to accomplish that particular task.

Perhaps a good model for increasing international cooperation would be to give the State Department the lead for the issue abroad, and hold it accountable for it, according to Sciarrone.

In a recent interview with Nextgov, Mischel Kwon, former head of USCERT and currently serving as VP for RSA’s Public Sector Security Solutions, questioned this model and advocated spreading the cyber responsibilities around while doing better to educate the private sector, rather than dictate what must be done.

Kwon discussed the problem of consistently seeing DHS as a dumping ground for new solutions. She would rather like to see if DHS can handle its current load without continuously giving it more responsibilities.

She also believes FISMA was well written, but poorly implemented. As the government considers its cybersecurity policy, Kwon cautions against being “overly prescriptive.” She also believes the security model needs to change from compliance in time limits to considering the issue as a series of competing priorities. The area that is of highest priority should be focused on, but time limits are counterproductive, according to Kwon.

Mischel Kwon, the fourth U.S. CERT director in five years, resigned on Friday. A Bush administration holdover, she took office in June 2008. Before that, she headed Information Security for the Department of Justice.  This announcement comes on the heels of Melissa Hathaway’s resignation as Acting Cyber Coordinator, and after Rod Beckstrom’s resignation as Director of the National Cybersecurity Center, also part of DHS, in March.