US desperately seeking cybersecurity pros

The calls for a beefed-up workforce that specializes in cybersecurity are not new. In this highly critical arena, the demand for talent is sky-high and insatiable. But with a nationwide shortage of students of science, technology, engineering and math (STEM), where will tomorrow’s workforce – which is needed already – be found?

Leaders from across the federal government are following up on their calls for digital-era employees with a renewed sense of urgency, and with a range of initiatives designed to educate, train and incentivize work in the cyber field. They also are emphasizing that it is not just computer science majors and technological whizzes they seek.

“There’s a wide range of functions and skills that are required for us, whether you’re in industry, other elements of government, military – all across the board, there are a wide range of skills and functions we need,” said Army Maj. Gen. John Davis, senior military adviser for cyber to the under secretary of defense at the Defense Department. “Every person who touches a keyboard is in some way associated with the cyber domain, because there are disciplines and standards associated with protecting against the threats.”

Davis, who spoke Oct. 26 at the Center for Strategic and International Studies in Washington, noted that DOD, like the rest of the federal government, is feeling the shortage. That gap between supply and demand has deep roots, he said, and the problem begins with defining the need itself.

More from FCW.com at http://fcw.com/articles/2012/10/26/cyber-workforce.aspx

Security experts say new electronic voting machines can be hacked

Rapid advances in the development of cyberweapons and malicious software mean that electronic-voting machines used in the 2012 election could be hacked, potentially tipping the presidential election or a number of other races.

Since the machines are not connected to the Internet, any hack would not be a matter of someone sneaking through cyberspace to change ballots. Rather, the concern is that an individual hacker, a partisan group, or even a nation state could infect voting machines by gaining physical access to them or by targeting the companies that service them.

The 2010 discovery of the Stuxnet cyberweapon, which used a thumb drive to attack Iran’s nuclear facilities and spread among its computers, illustrated how one type of attack could work. Most at risk are paperless e-voting machines, which don’t print out any record of votes, meaning the electronically stored results could be altered without anyone knowing they had been changed.

In a tight election, the result could be the difference between winning and losing. A Monitor analysis shows that four swing states – Pennsylvania, Virginia, Colorado, and Florida – rely to varying degrees on paperless machines.

“The risk of cyber manipulation of these machines is quite real,” says Barbara Simons, a computer researcher and author of “Broken Ballots,” a book documenting e-voting vulnerabilities. “Most people don’t understand that these computer-based voting machines can have software bugs or even election-rigging malicious software in them.”

There are plenty of software vulnerabilities to exploit, says Matt Blaze, a computer scientist at the University of Pennsylvania in Philadelphia. In 2007, he was on a team investigating touch-screen and other voting systems for California and Ohio. The resulting study concluded “virtually every important software security mechanism is vulnerable.”

The paperless machines, however, stand out as particularly vulnerable.

“If there’s no paper trail, you can have the corrupted software display on the voting-machine screen whatever you want to display – and then after the voter leaves, record something completely different inside,” says Richard Kemmerer, a computer scientist who heads the University of California, Santa Barbara, Computer Security Group.

From The Christian Science Monitor (http://s.tt/1r7Gh)

HSBC bank hit by ‘large scale’ cyber attack

Banking giant HSBC said Friday some of its websites had been hit by a “large scale” cyber attack that disrupted online services, but it assured customers that their data were not compromised.

The bank said in a statement that HSBC servers came under a “large scale denial of service attack” on Thursday.

It said a number of sites were affected around the world but did not give an exact number or say where they were.

“This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including Internet banking,” the bank said.

“We are taking appropriate action, working hard to restore service,” the bank added. It said some of the sites are back up and running.

A denial of service attack typically involves sites being saturated with requests.

The London-headquartered, Asia-focused lender said it is working with authorities to investigate the incident. It gave no indication of who it believed might be behind the attack.

From RawStory.com: http://www.rawstory.com/rs/2012/10/19/banking-giant-hsbc-websites-hit-by-large-scale-cyber-attack/

New version of cyberspying Flame virus uncovered

A new cyberespionage tool linked to the Flame virus has been infecting computers in Lebanon, Iran and elsewhere, security researchers said Monday.

Kaspersky Lab, which was credited with revealing the Flame virus earlier this year, dubbed the new malware “miniFlame,” and said it was “a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.”

Russian-based Kaspersky said miniFlame “is based on the same architectural platform as Flame,” widely reported to be part of a US-Israeli effort to slow Iran’s suspected nuclear weapons drive.

The smaller version “can function as its own independent cyber espionage program or as a component” inside Flame and related malware.

Unlike Flame, which is designed for “massive spy operations,” miniFlame is “a high precision, surgical attack tool,” according to Alexander Gostev at Kaspersky Lab.

“Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack.”

Kaspersky Lab data indicates the total number of infections worldwide is just 50 to 60, including computers in Lebanon, France, the United States, Iran and Lithuania.

MiniFlame operates “as a backdoor designed for data theft and direct access to infected systems,” according to Kaspersky, which said development of the malware might have started as early as 2007 and continued until the end of 2011, with several variations.

“We believe that the developers of miniFlame created dozens of different modifications of the program,” Kaspersky said. “At this time, we have only found six of these, dated 2010-2011.”

From RawStory.com: http://www.rawstory.com/rs/2012/10/15/new-version-of-cyberspying-flame-virus-uncovered/

Number of cyber attacks against the U.S. has doubled in the last three years

The number of cyberattacks targeting US organizations has doubled over the past three years, leading to hefty losses, a study released Monday showed.

The study conducted by the Ponemon Institute and sponsored by Hewlett-Packard said most of the attacks involve malicious code, denial of service, stolen or hijacked devices, or “malevolent insiders.”

“The occurrence of cyberattacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent,” the report said.

The 2012 study showed organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.

Among the organizations surveyed that were hit by successful cyberattacks, the average loss was $8.9 million, up six percent from 2011 and a 38 percent increase over 2010.

“Organizations are spending increasing amounts of time, money and energy responding to cyberattacks at levels that will soon become unsustainable,” said HP’s Michael Callahan.

More from RawStory.com: http://www.rawstory.com/rs/2012/10/08/study-number-of-cyber-attacks-against-u-s-doubled-in-three-years/

U.S. needs offensive weapons in cyberwar

The United States needs to develop offensive weapons in cyberspace as part of its effort to protect the nation from cyber attacks, a senior military official said Thursday.

“If your defense is only to try to block attacks you can never be successful,” General Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, told a Washington symposium.

“At times, the government has to look at what you have to do to stop an attack — stop it before it happens. Part of our defense has to consider offensive measures.”

Alexander, who spoke at a cybersecurity summit sponsored by the US Chamber of Commerce, said any offensive cyber action would need to follow rules of engagement similar to those in other military situations.

More from RawStory.com at http://www.rawstory.com/rs/2012/10/04/nsa-director-u-s-needs-offensive-weapons-in-cyberwar/

Recent Bank System Hacking Illuminates Security Shortfalls

Earlier this month, Bank of America, JP Morgan Chase, and Wells Fargo all reported major cyber attacks. The bank hacks, thought to be sourced to Iran, were first realized in mid-September, although they reportedly could be part of a broader campaign dating as far back as last year, according to Reuters.

The high-profile hacks initially affected the sites of both Chase and Bank of America, causing surges in traffic that resulted in Web site disruptions and outages.

Wells Fargo was the latest financial institution to report a massive cyber attack, which affected more than 21 million online customers and 8.5 million mobile bankers.

In all cases, the targeted banks were pummeled with Distributed Denial of Service (DDoS) attacks, which bombard a network with more traffic than it can handle, causing it to stop functioning and shut down.

Reasons for the attacks are, at this point, speculative, although theories range from retaliation by Islamic extremists for a U.S.-made anti-Muslim film, to state sponsored retaliation for tighter U.S. imposed economic sanctions on Iran.

But who is responsible might not be as ascertainable as how this problem can be addressed when–not if–it happens again.

Banks get hacked, and hacked with regularity, because, as the age-old joke makes clear, that’s where the money is. But the fact that banks are being easily targeted en masse undermines perceptions of them as being more secure than other market verticals. It also suggests that the financial services industry still has a long way to go in terms of effective cybersecurity.

But security holes, illuminated by the spate of recent hacks, also mean that there are still lots of opportunities for the channel. As such, partners will almost certainly be required to step up their game in financial services markets in the near future now that the industry is in the public spotlight.

Financial services and banking institutions are among the most heavily regulated in terms of cybersecurity, subjected to a plethora of regulatory compliance audits under the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act (GLBA), and the Bank Secrecy Act, as well as a slew of state cybersecurity regulations and data breach laws.

Historically, partners have gained entry into these markets by offering solutions and related services that play to these compliance mandates. And those solutions, which range from standard firewalls and antivirus to more complex data protection and encryption products, are still undeniably necessary.

From channelnomics.com at http://channelnomics.com/2012/10/02/bank-hacks-illuminate-security-shortfalls/

U.S. cyber chief: Hackers shifting from ‘disruption’ to ‘destruction’

Hackers are stepping up the intensity of their attacks, moving from “disruption” to “destruction” of key computer systems, the top US cyber-defense official said Monday.

General Keith Alexander, who is director of the National Security Agency and commander of the US Cyber Command, told a Washington forum that the new tactics could move beyond mere annoyances and begin causing severe economic damage.

“We are seeing the threat grow from exploitation to disruption to destruction,” he told the group at the Woodrow Wilson Center.

He argued that these attacks could impact organizations ranging from stock markets to power grid operators — “all of that is in the realm of the possible.”

These types of destructive attacks can wipe out data, which could bankrupt a company or disable the control systems operating key infrastructure.

More from RawStory.com: http://www.rawstory.com/rs/2012/10/01/hackers-shifting-from-disruption-to-destruction-u-s-cyber-chief/