“Following this scandal we have made deep changes at the company to exclude such misappropriation in the future,” Deustsche Bahn released in a statement. The Deutsche Bahn million dollar fine is the ‘highest penalty that a German Data Protection Inspectorate has established’ according to the Berlin Data Protection agency.

Law enforcement professionals are understandable skeptical about this defense. As the director of the Cyber Law clinic at Harvard, Phil Malone, said “It’s an example of the old ‘dog ate my homework’ excuse. The problem is, sometimes the dog does eat your homework.” The investigators interviewed a number of individuals accused of possessing child porn who were later acquitted. A former Massachusetts government worker was fired for possessing child porn on his work issued laptop. After 11 months, his lawyers were able to demonstrate that his computer visited approximately 40 sites per minute, much faster than what is possible for a human. Nevertheless, he lost significant amount of money, his job and numerous friends over the incident. There have also been several similar incidents in the United Kingdom. A significant proportion of computer breaches are the result of software not being regularly updated. While many people are acquitted of the charges against them surrounding the child porn possession, the stigma of possessing a computer that accessed child porn can sometimes be damaging enough.

We left something out? Please feel free to leave a comment below to further enhance our ‘cyber jargon’ glossary.

Authentication: Confirms that a computer program or individual attempting to access a system is authorized and is not infected with malware.

Botnet: Short for robot network, refers to a series of computers that are linked through one ‘command and control center’ computer through installed viruses, that can be used to launch malicious attacks.

Cloud computing: Less is more. All business operation systems are stored in one hub or ‘cloud’ not connected to outside networks, reducing cost and increasing security and efficiency.

Cyber Command: Created by Defense Secretary Gates in the Summer of 2009 for the Department of Defense. Nicknamed CyberCom, the new Pentagon center’s purpose is to protect the United States military and government in cyberspace. CyberCom will be located at Fort Meade, Maryland beginning in October of 2009 and will be fully functional by October 2010.

Cyber Squatting: The use of a domain name similar to one commonly accessed, with the sole purpose of exploiting the site for an inflated amount of money. Cyber squatting lawsuits are often filed by celebrities, Oprah Winfrey, Madonna and Jay Leno are all cyber squatting victims and won their cases.

Identity Management: Or IDM, refers to the process of validating the identity of an individual on a secured technology network.

Malware: Short for malicious software.  Malicious code that is used to attack a computer by spreading viruses, stealing data, corrupting data, distributing false information, or crashing networks.

Phishing (and spear phishing): With the goal of acquiring personal information, phishing refers to a hacker’s use of fake portals that are almost identical to  common sites. The familiarity of these common websites (such as Twitter or online banking) makes the victim more likely to give up personal information.

SEO (search engine optimization): A technique used by hackers to make infected websites higher in search engine results by editing content to have an optimal amount of ‘key words’.

Smart Grid: A network infrastructure not connected to the internet that delivers power from providers to consumers using digital technology. The power generators save on power and are considered a way of addressing the concern over global warming. Supported by the Obama Administration. To read more click here.

Spam: The use of personal networks, such as email, to send indiscriminate information because there are little to no operating costs for the spreading of the information.

Spoofing: An email that is disgused by one source to look like another.

Spyware: Software placed in computers without the knowledge of the user so that an individual can secretly monitor the actions of the user. The GhostNet report is a recent example.

Trojan Horse: Malicious software disguised as a helpful computer program but once activated, infiltrates the computer’s hard-drive.

Worm: A type of malicious software that penetrates computer networks and needs no program to latch onto (unlike most malware). Mostly consumes bandwidth and usually does not corrupt current software programs.

The website, FRA.se, was subjected to the attack Monday evening and was eventually resolved on Thursday morning. Earlier this year, the Swedish parliament passed a law allowing the FRA to monitor all traffic that passed through networks in Sweden. It is presently unclear who was behind the attacks. However, the Finnish research organization F-Secure has pointed out that the majority of internet traffic from Russia passes through Sweden. Last week, a number of websites in Sweden were subjected to a mass DDoS attack. A DDoS attack involves a number of ‘bot’ computers that flood traffic to a site, overwhelming the websites capacity to respond to information requests.

She also highlighted new detection and prevention capabilities that will come to bear on the cyber security effort. Napolitano said “In an increasingly networked world, our efforts to combat threats of terrorism rely more than ever on close collaboration with our partners across the globe. We are looking to a new generation of security professionals for innovative security strategies to confront a continually evolving array of threats.” Secretary Napolitano will later travel to the UAE to discuss cyber security and other issues.

Cyber security is one of most important issues being discussed in national security. Since 2005, Shane Harris has served as the intelligence and homeland security correspondent at the National Journal. He has watched cyber security move from a rarely discussed topic to the forefront of national security debates. Here Harris discusses his book The Watchers (forthcoming February 2010 with Penguin Press) and some of the current issues facing cyber security.

TNNI: I understand you recently authored a book called The Watchers. Could you tell us a bit about the book?

Harris: That is correct, it will be out February 18th and it is being published by the Penguin Press. Basically it is narrative non-fiction, meaning it reads like a novel but is nonfiction, its journalism. The story centers broadly on the rise of terrorist surveillance in the United States over the past 25 years. It looks at the evolution of programs that are aimed at gathering and crunching and analyzing huge amounts of data and information to detect the signals of a pending terrorist attack. I tell the story through the lives of 5 individuals who are the key players in this evolution over the past 25 years and through their interlocking stories. The individuals are actually the ones who have built and in many cases run and overseen these programs in the government. So it is told from their perspective, very behind the scenes kind of storytelling.

TNNI: That sounds very interesting. So where do you see the right balance between national security and civil liberties?

Harris: That is one of the constant tensions in the book. What I’ve settled on is that the key to achieving that balance is to have a level of public debate, which I think candidly we really haven’t had, certainly not in the past 8 to 10 years I would say.I think most people take it as a given that the government is monitoring broadly, things like the telecommunications network, it is looking at data. I don’t think they really know how they are doing it and the reason for that is partly because the operations are secret and the technology is secret, but the government hasn’t really courted a public debate about how do we strike that balance? I think to a certain degree, a lot of that is just the post 9/11 reflex to keep intelligence operations secret and to say that national security is a blanket that prohibits debate.

I am not sure how sustainable that actually is. I think that lawmakers and Congress have tried to get at this over the past few years with things like a new rewrite of the Foreign Intelligence Surveillance Act, trying to give the government the latitude it needs to collect and analyze information and at the same time implementing these ostensible checks and balances and safeguards in the system. The problem has been that the government has come down on the side of ‘lets collect as much as we possibly can’ and the law has been written to largely govern the acquisition of that information. Comparatively less attention has been paid to what does the government DO with it once it gets it. One of the things I go into in the book is exploring how a lot of these systems that are designed to ingest a lot of information and try and sift it really don’t work all that well and are not terribly effective. They are certainly not doing what they are designed to do, which is to somehow see into the future and predict when the next attack is coming. I think there has to be much more of a debate publicly about how the government goes about doing these things, which is what I explore in the book. But I am also not sure that the legislative prescription has been exactly right because it has been so focused on the acquisition of the information, the collection, and not what you do with it or the connecting of the dots.

TNNI: Let’s talk about cyber security a bit. It has become a buzzword recently, a lot of people are talking about it. There are several bills in Congress that are looking to strengthen cyber security. This past month, October, was National Cyber Security Awareness Month. How effective do you think this kind of push to educate the public has been? Do you really see education efforts having an effect or do you think people are still relatively unaware of the cyber threat?

Harris: Relatively unaware. We should recognize first that it is hard to get an exact measurement of how much this is resonating with the public. I suppose you could look at things like, have the rates of certain kinds of cyber crime that depend upon duping an unwitting victim, have those gone down? That would be one way to look at it perhaps. I think that overall though, this sort of raising public awareness is probably a good thing. I can remember when I was a kid we had, public service announcements talking about ‘if you give a hoot, don’t pollute’ and ‘only you can prevent forest fires’. It was the age of trying to almost indoctrinate a safety mentality into a younger generation. A lot of people I have talked to in government say that is kind of where we are at with cyber security now. That it’s ripe for this sort of very broad public information campaign. It’s not even so much aimed at making people aware of the dangers, but at the same time trying to inculcate good behavior from the outset. And I know that the White House, the administration, calls for some level of that. I think that that is just beginning to happen. We have a long way to go in terms of educating an entire generation of people. I think it is probably going to start with the young people now. It is not to say that if you are of a certain age you are hopeless, but I think you are more likely to ingrain it as a foundational kind of awareness if you are starting with kids.

TNNI: There has been some significant speculation around the naming of the cyber coordinator, or ‘cyber czar.’ Why do you think that it is taking so long and do you think that maybe we are missing some things currently by not having someone in that position?

Harris: I see a couple reasons about why it has been taking so long. One is I am not sure that the position has the authorities that a strong coordinator, quote unquote ‘czar’ would demand or need to really get the job done. If you look at broadly what that position is suppose to do, it is pretty daunting. You are talking about somebody who is essentially acting like a coach for a soccer team that has a lot of really aggressive and talented players on it and who is really going to corral all of them. It is probably not going to have budgetary authority, at least not directly. The position was originally conceived as having ‘direct access’ to the President; he has now said that the person will have ‘regular access’ to the President, which is a big change. I think that if you at least look at the list of names that has been vetted for the job, these are not people who I think are going to be inclined to take a position that is essentially a subordinate staff position. They are going to want some more authority; they are going to want some more power than that. I think the other part of it is that the administration has its hands full with healthcare legislation, the economy and I think that probably, to a degree, this cyber coordinator issue is just slipping a little bit in priority. Unless it gets that real focus from the top, it is not going to get any movement. You couple that with the fact that the position itself probably seems somewhat unattractive to a lot of people. I think that that helps explain why it is taking so long.

In terms of what we are missing, by that person not being in there, its interesting. If you look at this from the DoD’s prospective, from the military prospective, they are moving forward with plans to go ahead and set up a cyber command which will be run by the director of the National Security Agency, it will be a dual hat position. It seems to me that there is momentum behind these efforts, going forward independently of the coordinator. And I think that you could make the argument that the longer those kind of initiatives go on without somebody coordinating them, the less coordinated they will be. I have a sense that the White House probably grasps that, and now you are seeing lawmakers introducing measures to try and force them to go pick that person and put that person in there and to try to have a say over what those authorities will be. So I think the mood of lawmakers is probably becoming increasingly impatient on that issue.

TNNI: What do you see as the role for government contractors in the field of cyber security in the coming years? There has been a lot of talk about all this money that will likely become available in the field, how do you see that playing out?

Harris: I think the role is going to be absolutely central. If you just look at the numbers, just looking at it from a recruitment standpoint for instance, the government is, this is true across the board for any intelligence/security contracting space, it is always going to be at a disadvantage with private industry in terms of the money that they can pay, how quickly they can hire people. They are competing for this very specific kind of talent. From the perspective of an organization such as the National Security Agency, which plays a leading role in this, or the Homeland Security Department, which is going to play increasingly important roles still to be determined, they are looking for people with highly, highly developed technical skills and those people don’t just fall off of trees. They are competing for them with private industry.

You are also looking for a kind of person who might not be culturally predisposed to working in government or working in a bureaucracy. I think a lot of times the people who have these kinds of high-level computer security skills are by nature going to be more independent, perhaps even more rebellious. But the fact of the matter is that the government cannot do this cyber mission without private sector expertise and involvement. They don’t have enough people on there own and frankly the private sector is developing a lot of the technologies that are going to be central to doing cyber security. So the term, private-public partnership gets sort of bounced about and has become something of a cliché, but I think it is absolutely true in this case. I don’t sense that there is any backlash per se, against contractors being involved in cyber security, but of course, as you know, there is generally, particularly in the security and intelligence base over the past few years, a backlash generally against contractors. That could cause some problems ahead, but broadly speaking, that is not going to be a big issue. Your traditional Beltway companies that have always had a role in the space are just going to be increasing. You see them now, brand name contractors posting ads that say things like ‘cyber warriors wanted’, I mean, that is actually a real ad. They are out there recruiting very heavily, as is the NSA. The NSA four or 5 months ago took out a full page add for cyber specialists in WIRED magazine. So you are seeing a really high level of pitch and a lot of activity on both sides, private and public.

TNNI: Finally, how do you see cyber security developing in the coming years?

Harris: I think it is going to become increasingly central to national security policy. I think that cyber security has arrived in terms of the attention that people are paying to it at a very high level in the government. I think that you are not going to see its profile diminish. It is not going to suddenly become an issue that is only the domain of technical officials and not getting a lot of high-level attention and a lot of money. I think what it is lacking at this point in terms of really shaking up the system even more, and this is not something that anybody hopes for, is a very public, massive kind of attack, something on the order of, not necessarily 9/11, that extreme, but something that certainly gets a lot of people’s attention. Something that breaks through the technical barrier and makes everybody in America aware of the risks on the network. You saw this happen to a degree in an attack a few years ago in Estonia and the attack in Georgia as well, which I think most experts blame on either the Russian government or sources inside Russia acting on behalf of the government. You saw this massive assault on a nation’s critical infrastructure. The government of Estonia essentially came under this digital barrage and was knocked offline for a period of time. An event like that in the United States would galvanize policy very quickly. That is certainly a real possibility and we need to take this issue seriously, which is why you are seeing it getting such high levels of attention from the White House.

The bill, titled the “Cybersecurity Coordination and Awareness Act,” also looks to target NIST’s role in education, research and development and amending the Cybersecurity Research and Development Act of 2002. NIST would be required to present its plan for coordinating US government approaches to international cyber security standards and solutions within one year of the act being passed.

The Information Systems Audit and Control Association has raised some significant concerns surrounding the move. By allowing non-Latin scripts, such as the Cyrillic alphabet (used in Russian and the basis for several other Eastern European languages), the potential for cyber squatting has greatly expanded. Peter Wood, a member of the ISACA, recently highlighted the problem. If someone where to register a domain address using the Cyrillic alphabet, they would be able to utilize the the Cyrillic character ‘a’ which looks the same as the Latin character ‘a.’ This would allow a user to register a domain at amazon.com, using the Cyrillic character.

Users with a non-technical background will not necessarily be able to understand the difference between the two web pages, particularly if they arrive via a search engine. More importantly, phishing emails using the Cyrillic address, will be indistinguishable from legitimate emails. The only method of adequately identifying the difference is by examining the code behind the website, which many individuals are not trained to do. As ICANN looks to move towards the new model, which will begin this month, users should remain particularly vigilant with emails arriving from companies. Always use the legitimate web page (found by physically typing in the web address) to conduct business with the company. Businesses can also choose to register domain names in various languages that can look similar to their website.

The CyberWatch Center is tasked with advancing cyber security education by helping to develop curriculum and Collegiate Cyber Defense Competitions. CSC presently serves in an advisory capacity to the CyberWatch Center and is dedicated to developing top flight, future cyber professionals. Ron Knode, director of Global Security Solutions at CSC said “As government agencies and commercial firms call for a dramatic increase in the immediate need for cyber experts, the education of our future cyber professionals through this partnership is critical to our success.” The effort is part of a much broader push throughout government and the private sector to ensure that the US has adequate numbers of future cyber professionals to help defend networks. Alan Paller of the SANS Institute recently said “The United States has only about 1,000 people who can fight at world class levels in cyberspace…How does the United States get another 20-30,000 people who can fight at world class levels?” Dr. Robert Spear of the CyberWatch Center hopes “this increased level of commitment will yield measurable progress in the education of the nation’s next generation of cyber experts.”

The report examined present public-private partnerships and put forth several recommendations for effective partnerships for cyber security, including a representatives committee an oversight organization in government. The report also called for leadership from the executive, congressional involvement and self regulation in the private sector. Another possibility highlighted in the report was that initiatives from the private sector to create a charter for cyber security collaboration with government would likely be helpful in speeding up the partnership process.