Archive for the ‘Security’ Category

WebEx Security Vulnerability Could Allow Remote Attacks

Monday, May 18th, 2009

An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx Meeting Manager contains a buffer overflow vulnerability that may result in a denial of service or remote code execution. The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting.

As Cisco says:

“A buffer overflow vulnerability exists in an ActiveX control used by the WebEx Meeting Manager. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the user client machine. The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting.”

Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml.


Small Businesses Need Big Security for Documents, IP, Records, and Communication

Wednesday, May 6th, 2009

Full article at http://www.powerhomebiz.com/News/052009/smallbiz-security.htm:

Jason Miller never believed that he would need any additional security for his six sigma corporate consulting business. He had most of his business files stored safely on his laptop, which only he had the password to. He rarely kept documents in hard copy form, and even those were locked away safely in a file cabinet inside of a locked office. When sending files, instant messages, and presentations over the internet, he trusted they would get to their final destination. Why shouldn’t he, considering millions of Americans do the same thing every day?

His false sense of security was compromised on March 9th, following a visit to a local coffee house. During his visit there, he logged in with their free WiFi service, and conducted his business in true teleworking fashion. He sent several emails, updated his company payroll data, sent several instant messages, and distributed previously prepared reports to three different clients. Little did he know, a prankster had placed a “sniffer” on the WiFi network, and had compromised all of his typed communications for that hour, along with sent files, and email addresses.

By 10:00 AM the next day, his business was in tatters. The prankster had posted all three reports online, and notified the business contacts of that fact. Two of them had cancelled their contracts with him, citing gross negligence and a breach of confidentiality. The prankster had also sent a copy of his payroll report to the entire company, causing two of his consultants to quit over the newly discovered pay discrepancies. Sadly, it could have been even worse, had his financial institution log-ons also been compromised.

Many small businesses are learning this lesson the hard way, and very few are guarding against it. This is especially critical for companies that deal in personnel records, financial data, health records, technology IP, planning, consulting, and anything else that is sensitive or that jeopardizes their company’s reputation. Many companies that lose data also find themselves receiving fines so large that the fines single-handedly force bankruptcy.

HOW TO PROTECT YOURSELF:

If you never share files over the internet (email, IM attachments, etc.), you have to focus on “hardening” your laptop with one of the known vendors in the industry. The key is finding a solution that has 128-bit AES level security built in, so that if your laptop is compromised, all data stored on the hard drive is scrambled and encrypted. At that level of security, there isn’t a single document which can be deciphered by a snooping thief. (www.PGP.com, www.guardianedge.com, www.safebit.com, and www.mcafee.com are some of the many vendors who sell this type of product.)

If you share some files over the internet but do not send very many communications, you can complement your disk protection with a VPN solution to “harden” your pipes. Some VPN solutions for small business are www.smallbusinessvpn.com, www.strongvpn.com, and www.openvpn.com.

If you share files over the internet, and send communications as well, you can use VIA3 from www.viack.com to protect everything you send from point to point. VIA3’s AES level 128 bit security can protect your instant messages, online presentations, online demos, online training, group chat, workspaces for document sharing, and removes the need for a VPN.

WHAT IS AES?

According to the Web Conferencing Council (www.webconferencingcouncil.com), encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key (password). AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique which will replace the commonly used Data Encryption Standard (DES).

It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government’s National Institute of Standards and Technology (NIST) in 1997 and completed in 2000. The winning algorithm, Rijndael, was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen. AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197); in June 2003 the U.S. Government (NSA) announced that AES is secure enough to protect classified information up to the TOP SECRET level, which is the highest security level and is defined as information which would cause “exceptionally grave damage” to national security if disclosed to the public.

Another year of handwringing on cybersecurity

Monday, May 4th, 2009

Every year, the security industry gets together at the RSA Conference in San Francisco to learn new techniques for fighting the bad guys, who always seem to be a step ahead.

This year is no different. Security vendors say they are not doing enough and government officials say they are not doing enough because attacks are getting worse — in 30 minutes, Symantec blocks 200,000 attacks.

One problem is that computer systems are still too complicated, which makes them easier to attack and harder to protect.

“Separate groups (in a company) do testing, manage the data center and do security audits and a lot of what they do is manual,” said Enrique Salem, Symantec’s CEO. “If a security team needs information, they call a different department to get the logs, and it takes a couple of days for the logs to arrive. A week later, they change their audit procedures.”

If you listen to the director of the NSA, the government isn’t doing much better. “We don’t have a way today of sharing and seeing networks in a timely manner,” said Lt. General Keith Alexander. “How do we close that gap with the antivirus vendors [whose detection of threats tends to lag because cybercriminals create new threats so quickly]. And how do we provide early warning?”

Security vendors say they are making progress, although often to get their best security you have to buy more of their products.

Symantec is working on new technology to evaluate the reputation of applications — how many people are using them, for example, or how old they are — to help determine their safety, Salem said.

Microsoft corporate vice president Scott Charney promised better protection for applications and removable devices in the next version of Windows, Windows 7. Microsoft is also working on ways to protect the identities of people when they’re online.

Computer security would be better if all the vendors got together, admitted that their products have flaws and developed a standard way to fix them, said Niels Henrik Rasmussen, CEO of Secunia, a Danish vendor working to get business in the U.S.

Secunia has a tool (free for home use) that scans PCs for software flaws and tells users how to patch them. Rasmussen has been meeting with other security vendors this week to drum up support for his idea, but has nothing to report so far.

Full article at http://www.sfgate.com/cgi-bin/blogs/techchron/detail?entry_id=38883

Report labels U.S. computer security “embarrassing”

Thursday, April 30th, 2009

In his first days in office as President, Barack Obama ordered a report to be generated investigating the state of our “cybersecurity” infrastructure, concerned with how our computer networks could withstand threats from terrorism and other attacks.

Now that report is in, and the results are sad, filled with terms like “broken,” “childlike,” and “embarrassing.”

The report and experts in the industry point to our antiquated approach to computer security as the primary reason for the rotten verdict: User names and passwords have been the basis for security protocols since the beginning of computing, and now experts are saying that method is simply obsolete, unable to compete with hackers who’ve long since figured out ways to steal or crack passwords on a massive scale.

Already politicians are looking for ways to beef up the nation’s security infrastructure. One noteworthy bill would give to the president the power to disconnect just about anyone — government, business, or individual — from the Internet in the event of a national computer security emergency.

But naturally, the security industry would prefer to address the issue from a prevention standpoint rather than the blunt tactic of pulling the plug when an attack is detected. Those technologies include the use of token-based authentication (as with smart cards or code-generating gizmos that constantly change your password), biometrics, and other related tools.

Meanwhile, attacks continue to arrive online from all fronts, not just consumer-level malware attacks that leave many users panicked and cost billions to clean up, but organized infiltrations into essential computer networks too, as was the case with the recent, well-publicized invasion into the national power grid earlier this month.

The official government report will be formally opened up for review and comment by the public in the coming days.

The ultimate security force?

Friday, April 24th, 2009

As many of you know, the US government was trolling for cyber hackers to help defend against cyber crimes against the US. Now the Obama administration plans to direct the DOD to establish a cyber command to manage security for military computer networks, reports the Washington Post. The command would coordinate the security of military computer networks and develop new offensive cyberweapons, sources told the newspaper.

Plans for a reorganization necessary to establish the command are underway and a formal decision is expected soon. The Wall Street Journal first reported the plans on April 21.

The new arrangement would affect the U.S. Strategic Command and the National Security Agency, which shares cybersecurity responsibility with the Defense Information Systems Agency. It remains to be determined whether the command’s leader would be a military commander with a four-star rank. The NSA is led by Army Lt. Gen. Keith Alexander, who has three stars.

The development follows a 60-day White House review of cybersecurity efforts.

Watch your back with web-based conferencing! 2008 proved to be rough for security…

Wednesday, April 22nd, 2009

Web browsers offered soft and interesting targets for hackers in 2008, who took advantage of them to attack the increasingly rich Web experience, said security expert Jeremiah Grossman.

“It seems like the browser is really under attack,” said Grossman, who gave a talk Tuesday on the top Web hacks of 2008 at the RSA Security conference being held here this week. “The hackers have taken the client side and are really going after that.”

Why is the browser so attractive? “Browsers are not secure things,” he said. “There are many reasons for this, the least of which is the user.”

The primary reason is that gaining market share is the highest priority of the vendors, who will sacrifice security to get new, rich and functional products onto users’ desktops as quickly as possible. “They try to get the best product they can,” Grossman said, but that often means that security is bolted on as an afterthought.

Grossman, the founder and chief technical officer of White Hat Security, has made a point of collecting the new attack techniques that have been documented in recent years and ranking them according to which ones are most likely to be giving us grief in the coming year, based on his own assessment and the opinions of others in the security community.

“It’s the difference between what is possible and what is probable,” he said.

Last year’s crop was down marginally from 2007, with just 70 new Web attacks documented in 2008 compared with 80 the year before. However, that still amounts to about 1.5 new attacks a week, and a lot of the attacks were more complicated this year.

“The winner this year was head-and-shoulders above the rest,” in the consensus of the experts he consulted, Grossman said. It was an attack named GIFAR: One-half GIF image file and one-half JAR (Java Archive) file. It is a tool that can be used to get around restrictions in Web applications on the uploading of Java class files by disguising it as a valid image.

GIFARs got a lot of attention during last year’s Black Hat Briefings in August. By including the JAR in a GIF, a Web site that allows images to be uploaded will accept it as a valid image file. When downloaded to the browser, it will be rendered as a valid image, but it will also be treated as a valid JAR file by the Java Virtual Machine when used for a Java Applet.

Sun released a patch for GIFAR in December, and an exploit has not yet appeared in the wild, Grossman said.

“We don’t know of a malicious use yet,” he said. But that does not necessarily mean that it is not out there. “It’s going to be difficult to see if there is.”
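A server-side check for the shape Grossman describes, added here as an example and not part of the GCN article or any vendor's code: an image decoder reads a GIF from the front of the file, while a ZIP/JAR reader locates its central directory from the end, so one file can satisfy both. The check below refuses an upload that begins like a GIF but also parses as an archive; the sample inputs (a minimal GIF89a stub and a tiny in-memory ZIP) are constructed for the demonstration.

```python
import io
import zipfile

# Added example, not from the original article: an upload check that rejects a
# file which starts like a GIF image but also parses as a ZIP/JAR archive.

GIF_MAGICS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = b";"   # a well-formed GIF ends with the 0x3B trailer byte


def is_gif_zip_polyglot(data: bytes) -> bool:
    """True when the bytes carry a GIF signature up front and a ZIP directory at the end."""
    looks_like_gif = data.startswith(GIF_MAGICS)
    # zipfile locates the end-of-central-directory record from the tail of the
    # data, exactly as a JAR loader would, regardless of what precedes it.
    parses_as_zip = zipfile.is_zipfile(io.BytesIO(data))
    return looks_like_gif and parses_as_zip


def classify_upload(data: bytes) -> str:
    """Decision an image-upload handler could apply before storing the file."""
    if is_gif_zip_polyglot(data):
        return "reject: GIF/ZIP polyglot"
    if not data.startswith(GIF_MAGICS):
        return "reject: not a GIF"
    if not data.endswith(GIF_TRAILER):
        return "reject: GIF without trailer"
    return "accept: gif"


def build_samples() -> dict:
    """Constructed test inputs: a minimal GIF89a stub, a tiny ZIP, and their concatenation."""
    # Header (signature + 7-byte logical screen descriptor) and trailer only; not a full image.
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + GIF_TRAILER
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("note.txt", "constructed placeholder content")
    zip_bytes = buf.getvalue()
    return {"gif": gif, "zip": zip_bytes, "polyglot": gif + zip_bytes}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:9s} -> {classify_upload(data)}")
```

The trailer test is deliberately separate from the polyglot test: a clean GIF ends in the 0x3B byte, whereas a file with an archive appended ends in the ZIP end-of-central-directory record, so either check alone catches the concatenation and together they also flag truncated images.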

In addition to the usual browser targets such as HTML and Java Script, Flash, ActiveX and other third-party tools are being targeted, Grossman said. The problems with insecure browsers are well known, and the third-party companies such as Google that use browser functionality in their business models will have to take a stand to improve security.

“They have to exercise their leverage with browser manufacturers,” he said. “It’s not their software and they can’t control it,” but they are the ones who ask the manufacturers for functionality for their users. (By GCN heavy hitter, and full time techno-genius, William Jackson)

Five encryption tips from NIST

Thursday, April 16th, 2009

William Jackson of GCN has this to say on the topic: There are a wide variety of encryption algorithms, techniques and products — and an equally wide variety of user devices and threats against them. So the National Institute of Standards and Technology has provided help in matching the proper cryptography to different devices and the threats they face. Special Publication 800-111, titled “Guide to Storage Encryption Technologies for End User Devices,” offers the following recommendations when selecting an encryption solution.

1. Consider solutions that use existing features and infrastructure of your information technology systems.

Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices. Some operating systems include encryption features approved under the Federal Information Processing Standard (FIPS). Generally, the more extensive the changes required to the infrastructure and devices, the more likely it is that the solution will interfere with functionality or create other problems with the devices. Compare loss of functionality with gains in security and decide if the trade-off is acceptable.

2. Use centralized management for all deployments of storage encryption except for stand-alone and very small-scale deployments.

Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It also can automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures.

3. Ensure that cryptographic keys are secured and managed properly.

Encryption technologies use one or more cryptographic keys to encrypt and decrypt data. If a key is lost or damaged, data stored on the computer could be lost, so you need to thoroughly plan key processes, procedures and technologies. This should include all aspects of key management, including key generation, use, storage, recovery and destruction. Consider how to support the recovery of encrypted data if a key is destroyed or becomes unavailable. Also consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed.

4. Select appropriate user authenticators.

Common authentication mechanisms include passwords or personal identification numbers, cryptographic tokens, biometrics and smart cards. Consider using existing enterprise authentication tools such as Active Directory or a public-key infrastructure instead of adding another authenticator for users. This usually is acceptable if two-factor authentication already is being used. Organizations should not use any passwords that are transmitted in plain text as single-factor authenticators for encryption.

5. Take steps that support and complement encryption implementations.

Storage encryption by itself cannot provide adequate security. Select additional controls based on the categories for the potential impact of a security breach on a particular system outlined in FIPS 199 and NIST SP 800-53’s recommendations for minimum security controls. Supporting controls include:

  • Revising organizational policies to incorporate use of the storage encryption.
  • Properly securing and maintaining user devices to reduce the risk of compromise, including securing operating systems, applications and communications, as well as physically securing devices.
  • Making users aware of responsibilities for encrypting sensitive files, physically protecting devices and removable media, and promptly reporting loss or theft.

Pentagon to spend $100M to prevent cyber attacks

Saturday, April 11th, 2009

Another example of how IMPORTANT security is for intellectual property: The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

“The important thing is that we recognize that we are under assault from the least sophisticated - what I would say the bored teenager - all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between,” said Chilton, adding that the motivations include everything from vandalism to espionage. “This is indeed our big challenge, as we think about how to defend it.”

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military’s information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military’s computer capabilities, rather than pouring millions into repairs.

“You can either pay me now or you can pay me later,” said Davis. “It would be nice to spend that money proactively … rather than fixing things after the fact.”

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation’s cybersecurity.

In February, the White House announced that it would conduct a review to “ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector,” according to a release from the White House.

Some scary evidence that the 100M is needed:

The U.S. electrical grid is under attack from Russian and Chinese cyber spies who have inserted software that could disrupt the system, current and former national security officials tell the Wall Street Journal.

So far, these spies have not tried to damage the system, but the possibility remains likely should a war or national security crisis hit the United States, the officials said.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” a senior intelligence official told the newspaper. “So have the Russians.”

In addition to electrical systems, nuclear power plants, financial networks, and water and sewage systems are also at risk, officials said.

“There are intrusions, and they are growing. There were a lot last year,” a former Homeland Security official told the newspaper.


Encryption 101: How Encryption Works

Tuesday, April 7th, 2009

When we use the World Wide Web, we’re not always just clicking around passively; a huge chunk of our time online involves sending others our own information. Ordering something over the Internet, whether it’s a book, a CD, a gift, or anything else from an online vendor, requires entering a good deal of sensitive personal information. A typical transaction might include not only our names, email addresses, physical address and phone number, but also passwords and personal identification numbers.

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. It’s extremely easy to buy and sell goods all over the world while sitting in front of a laptop. But security is a huge concern on the Web, especially when you’re using it to send sensitive information between parties.

Let’s face it, there’s a whole lot of information that we don’t want other people to see, such as:

  • Credit-card information
  • Social Security numbers
  • Private correspondence
  • Personal details
  • Sensitive company information
  • Bank-account information

Information security is provided on computers and over the Internet by a variety of methods. A simple and straightforward security method is to keep sensitive information only on removable storage media like portable flash memory drives or external hard drives. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes.

Most forms of cryptography in use these days rely on computers, simply because a human-based code is too easy for a computer to crack. Ciphers are also better known today as algorithms, which are the guides for encryption — they provide a way in which to craft a message and give a certain range of possible combinations. A key, on the other hand, helps a person or computer figure out the one possibility on a given occasion.

Computer encryption systems generally belong in one of two categories:

  • Symmetric-key encryption
  • Public-key encryption

Symmetric Key

Just like two Spartan generals sending messages to each other, computers using symmetric-key encryption to send information between each other must have the same key.

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.

Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So “A” becomes “C,” and “B” becomes “D”. You have already told a trusted friend that the code is “Shift by 2”. Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

The same goes for computers, but, of course, the keys are usually much longer. The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.

Because computers have become increasingly faster since the ’70s, security experts no longer consider DES secure: although a 56-bit key offers more than 70 quadrillion possible combinations (70,000,000,000,000,000), a brute-force attack (simply trying every possible combination in order to find the right key) could decipher encrypted data in a short while. DES has since been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time to come: a 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations.
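The “Shift by 2” code and the brute-force attack on a small key space, written out as an added example (this is not code from the original article): both parties share one secret key, decryption is the same operation with the opposite shift, and because the alphabet allows only 26 keys, an attacker can try every one and pick the output that reads as English. The common-word list used to recognise English is a constructed stand-in for a real language model; the `brute_force_years` helper applies the same counting argument to the 56-bit DES and 128-bit AES key sizes the text compares.

```python
import string

# Added example, not from the original post: the "shift by 2" symmetric code,
# plus exhaustive key search to show why a tiny key space gives no security.

ALPHABET = string.ascii_uppercase
# Constructed word list used to recognise an English-looking decryption.
COMMON_WORDS = {"THE", "AND", "TO", "OF", "A", "IN", "IS", "AT", "ME", "MEET", "YOU"}


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` places further on, wrapping Z back to A."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)               # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the opposite shift; both sides need the same key."""
    return shift_encrypt(ciphertext, -key)


def english_score(text: str) -> int:
    """Count words from the common-word list; higher means more English-like."""
    cleaned = "".join(ch if ch.isalpha() or ch == " " else " " for ch in text)
    return sum(1 for word in cleaned.split() if word in COMMON_WORDS)


def brute_force(ciphertext: str):
    """Try every possible key (all 26) and return the most English-looking result."""
    candidates = ((english_score(shift_decrypt(ciphertext, k)), k) for k in range(26))
    best_score, best_key = max(candidates)
    return best_key, shift_decrypt(ciphertext, best_key)


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key of a given size, in years."""
    return 2 ** key_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    secret = shift_encrypt("Meet me at the dock", 2)
    print(secret, "->", brute_force(secret))
    for bits in (56, 128):        # DES vs AES key sizes from the text
        print(bits, "bits:", f"{brute_force_years(bits, 1e12):.3g} years at 10^12 guesses/s")
```

The point the two halves make together: the shift cipher falls to 26 trials, and a 56-bit key falls to roughly 2^56 trials, which is a large number but one that dedicated hardware can work through; only at 128 bits does exhaustive search stop being a practical concern.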

Public Key Encryption

One of the weaknesses some point out about symmetric key encryption is that two users attempting to communicate with each other need a secure way to share the key first; otherwise, an attacker can easily pluck the necessary data from the stream. In November 1976, a paper published in the journal IEEE Transactions on Information Theory, titled “New Directions in Cryptography,” addressed this problem and offered up a solution: public-key encryption.

Also known as asymmetric-key encryption, public-key encryption uses two different keys at once — a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. Although a message sent from one computer to another won’t be secure since the public key used for encryption is published and available to anyone, anyone who picks it up can’t read it without the private key. The key pair is based on prime numbers (numbers that have no divisors other than themselves and one, such as 2, 3, 5, 7, 11 and so on) of long length. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are nearly infinite possibilities for keys. One very popular public-key encryption program is Pretty Good Privacy (PGP), which allows you to encrypt almost anything.

To implement public-key encryption on a large scale, such as a secure Web server might need, requires a different approach. This is where digital certificates come in. A digital certificate is basically a unique piece of code or a large number that says that the Web server is trusted by an independent source known as a certificate authority. The certificate authority acts as a middleman that both computers trust. It confirms that each computer is in fact who it says it is, and then provides the public keys of each computer to the other.

SSL and TLS

A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the “http” in the address line is replaced with “https,” and you should see a small padlock in the status bar at the bottom of the browser window. When you’re accessing sensitive information, such as an online bank account or a payment transfer service like PayPal or Google Checkout, chances are you’ll see this type of format change and know your information will most likely pass along securely.

TLS and its predecessor SSL make significant use of certificate authorities. Once your browser requests a secure page and adds the “s” onto “http,” the browser sends out the public key and the certificate, checking three things: 1) that the certificate comes from a trusted party; 2) that the certificate is currently valid; and 3) that the certificate has a relationship with the site from which it’s coming.

The browser then uses the public key to encrypt a randomly selected symmetric key. Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public-key encryption. The two computers can then communicate using symmetric-key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.

Hashing Algorithm

The key in public-key encryption is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. Essentially, the hash value is a summary of the original value. The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value. 

Public keys generally use complex algorithms and very large hash values for encrypting, including 40-bit or even 128-bit numbers. A 128-bit number has a possible 2^128, or 3,402,823,669,209,384,634,633,746,074,300,000,000,000,000,000,000,000,000,000,000,000,000 different combinations. 

Authentication

As stated earlier, encryption is the process of taking all of the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Another process, authentication, is used to verify that the information comes from a trusted source. Basically, if information is “authentic,” you know who created it and you know that it has not been altered in any way since that person created it. These two processes, encryption and authentication, work hand-in-hand to create a secure environment.

There are several ways to authenticate a person or information on a computer:

  • Password - The use of a user name and password provides the most common form of authentication. You enter your name and password when prompted by the computer. It checks the pair against a secure file to confirm. If either the name or the password does not match, then you are not allowed further access.
  • Pass cards - These cards can range from a simple card with a magnetic strip, similar to a credit card, to sophisticated smart cards that have an embedded computer chip.
  • Digital signatures - A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file) is authentic. The Digital Signature Standard (DSS) is based on a type of public-key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the format for digital signatures that has been endorsed by the U.S. government. The DSA algorithm consists of a private key, known only by the originator of the document (the signer), and a public key. The public key has four parts, which you can learn more about at this page. If anything at all is changed in the document after the digital signature is attached to it, it changes the value that the digital signature compares to, rendering the signature invalid.
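The digital-signature behaviour described in the last bullet, as an added example in Go that is not part of the original article: the signer hashes the document and signs the digest with a private key, anyone holding the public key can verify, and a one-digit change to the document invalidates the signature. Go's ecdsa package stands in for the DSA the text names (the sign/verify shape is the same); the sample document is constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDoc hashes the document and signs the digest with the signer's private key.
// The signature travels with the document; the private key never leaves the signer.
func SignDoc(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDoc recomputes the digest of the document as received and checks it
// against the signature with the public key. Any change to the document,
// however small, changes the digest and the check fails.
func VerifyDoc(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Pay Jane Doe $1,000.00") // constructed sample document
	sig, _ := SignDoc(signer, doc)

	fmt.Println(VerifyDoc(&signer.PublicKey, doc, sig)) // true
	altered := []byte("Pay Jane Doe $9,000.00")          // one digit changed after signing
	fmt.Println(VerifyDoc(&signer.PublicKey, altered, sig)) // false
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println(VerifyDoc(&other.PublicKey, doc, sig)) // false: not the claimed signer's key
}
```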

Recently, more sophisticated forms of authentication have begun to show up on home and office computer systems. Most of these new systems use some form of biometrics for authentication. Biometrics uses biological information to verify identity. Biometric authentication methods include:

Checksum and CRC

Another secure-computing need is to ensure that the data has not been corrupted during transmission or encryption. There are a couple of popular ways to do this:

  • Checksum - Probably one of the oldest methods of ensuring that data is correct, checksums also provide a form of authentication because an invalid checksum suggests that the data has been compromised in some fashion. A checksum is determined in one of two ways. Let’s say the checksum of a packet is 1 byte long. A byte is made up of 8 bits, and each bit can be in one of two states, leading to a total of 256 (2^8) possible combinations. Since the first combination equals zero, a byte can have a maximum value of 255.
    • If the sum of the other bytes in the packet is 255 or less, then the checksum contains that exact value.
    • If the sum of the other bytes is more than 255, then the checksum is the remainder of the total value after it has been divided by 256.
  • Cyclic Redundancy Check (CRC) - CRCs are similar in concept to checksums, but they use polynomial division to determine the value of the CRC, which is usually 16 or 32 bits in length. The good thing about CRC is that it is very accurate. If a single bit is incorrect, the CRC value will not match up. Both checksum and CRC are good for preventing random errors in transmission but provide little protection from an intentional attack on your data. Symmetric- and public-key encryption techniques are much more secure.
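Both check values from the list above, as an added example in Go that is not part of the original article: the 1-byte checksum exactly as the bullets define it (sum of the bytes, remainder after dividing by 256), and a 16-bit CRC computed bit by bit so the polynomial division is visible. The CCITT polynomial 0x1021 and the sample packets are this example's choices; the second packet reorders the same bytes, which the checksum cannot see but the CRC does.

```go
package main

import "fmt"

// Checksum8 is the 1-byte checksum the text describes: add up every byte and,
// when the total exceeds 255, keep the remainder after dividing by 256.
func Checksum8(data []byte) byte {
	var sum uint32
	for _, b := range data {
		sum += uint32(b)
	}
	return byte(sum % 256)
}

// CRC16 computes a 16-bit CRC with the CCITT polynomial 0x1021 (this example's
// choice), bit by bit, to show the polynomial division itself.
func CRC16(data []byte) uint16 {
	var crc uint16 = 0xFFFF
	for _, b := range data {
		crc ^= uint16(b) << 8 // bring the next message byte into the dividend
		for i := 0; i < 8; i++ {
			if crc&0x8000 != 0 { // top bit set: subtract (XOR) the divisor
				crc = crc<<1 ^ 0x1021
			} else {
				crc <<= 1
			}
		}
	}
	return crc
}

// Verify recomputes the check values over what the receiver got and compares
// them with the ones that arrived, reporting the checksum and CRC separately.
func Verify(received []byte, sum byte, crc uint16) (sumOK, crcOK bool) {
	return Checksum8(received) == sum, CRC16(received) == crc
}

func main() {
	sent := []byte("PAY 100 TO ACCT 7") // constructed sample packet
	sum, crc := Checksum8(sent), CRC16(sent)

	flipped := append([]byte(nil), sent...) // one bit error in transit
	flipped[0] ^= 0x01
	fmt.Println(Verify(flipped, sum, crc)) // false false: both catch it

	swapped := []byte("PAY 700 TO ACCT 1") // same bytes, reordered
	fmt.Println(Verify(swapped, sum, crc)) // true false: only the CRC notices
}
```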

All of these various processes combine to provide you with the tools you need to ensure that the information you send or receive over the Internet is secure. In fact, sending information over a computer network is often much more secure than sending it any other way. Phones, especially cordless phones, are susceptible to eavesdropping, particularly by unscrupulous people with radio scanners. Traditional mail and other physical mediums often pass through numerous hands on the way to their destination, increasing the possibility of corruption. Understanding encryption, and simply making sure that any sensitive information you send over the Internet is secure (remember the “https” and padlock symbol), can provide you with greater peace of mind.

Senate legislation would impose cybersecurity standards, certifications

Friday, April 3rd, 2009

GCN reports that legislation in the Senate would consolidate the leadership of federal cybersecurity programs in a new advisory office in the Executive Office of the President. The legislation also calls for new enforceable cybersecurity standards for the public and private sectors, and a licensing and certification program for cybersecurity professionals.

Sens. John “Jay” Rockefeller (D-W.Va.), chairman of the Commerce, Science and Transportation Committee, and Olympia Snowe (R-Maine) announced the legislation today. They seek to streamline cybersecurity authorities, promote public awareness, enhance cybersecurity cooperation between government and industry, and increase cybersecurity education and research and development efforts, according to a statement.

According to a summary, the legislation would give the new national cybersecurity adviser authority to disconnect a federal or critical infrastructure network from the Internet if it is found to be at risk of a cyberattack. The new adviser would also oversee the development of a comprehensive national strategy for cybersecurity and lead quadrennial reviews of cybersecurity.

The senators also called for a public awareness campaign, a review of the laws that apply to cybersecurity and a report on identity management and civil liberties. They would also further involve the private sector in cybersecurity efforts through the establishment of:

  • A group that would certify that products purchased by the federal government meet cybersecurity standards.
  • A panel of outside experts to advise the president on cybersecurity.
  • A public-private clearinghouse for information sharing on cyberthreats.
  • State and regional cybersecurity centers to help small and medium-sized businesses.

Meanwhile, the Obama administration’s security advisers continue their 60-day review of the country’s cybersecurity efforts. That review is expected to produce a series of recommendations for how the federal government should organize cybersecurity efforts and engage with the private sector.