WebProNews

Category: CybersecurityUpdate


  • Should You Be Concerned About The Return Of CISPA?

    On Wednesday of last week, we heard that the House Intelligence Committee was going to reintroduce CISPA after working with the White House on a revised bill that sufficiently addressed the Obama administration’s concerns. The hope of a reworked, and potentially privacy friendly, CISPA was good while it lasted because the bill’s co-sponsors aren’t going to change a thing.

    The Hill reports that House Intelligence Chairman Mike Rogers and ranking member Rep. Dutch Ruppersberger said that they will be reintroducing CISPA into the House. This new CISPA, however, will not be any different from the old one.

    Were you concerned about CISPA last year? Do you hate to see it back? Let us know in the comments.

    It’s been a while since the original CISPA was introduced though. What made this particular piece of legislation so bad again? The EFF released a statement when CISPA was a concern last year, and the group’s words are still applicable to this day:

    CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA’s ‘information sharing’ regime allows the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command. Once in government hands, this information can be used for any nonregulatory purpose so long as one significant purpose is for cybersecurity or to protect national security. These are not meaningful use restrictions: “national security” use is one of the problems, and the White House recognized this immense problem by precluding such use in its own cybersecurity proposal. While the bill requires the Director of National Intelligence Inspector General to issue annual reports on the government’s use of information shared with it under the bill, such reports would only be provided to congressional intelligence committees, and IG reports are no substitute for meaningful use restrictions and they will do nothing to dissuade companies from misusing personal information shared under this broad new program.

    Despite this, CISPA enjoyed broad support from pretty much every major Internet-based company, with the exception of Mozilla. The same companies that came out swinging against SOPA voiced their support for CISPA. It’s pretty obvious that they supported it because it exonerates all companies from any liability should a customer’s data fall in the wrong hands when being transferred to the government, but the Telecommunications Industry Association argued last year that CISPA protected consumers:

    CISPA strikes the right balance between strong cyber protection and a flexible, innovation-friendly framework. The legislation takes a significant step forward in safeguarding consumers and businesses from increasingly aggressive and sophisticated cyber attacks. At the same time, it establishes a collaborative approach that won’t introduce heavy bureaucracy that could harm high tech innovation. The relationship between government and industry that this bill supports is critical to the current and future economic success and security of America.

    Is the TIA right in that CISPA helps protect consumers and companies? Or does it only serve to hurt them? Let us know in the comments.

    The old CISPA may have enjoyed broad support from Internet companies, but it lacked a very important ally – the President. Last year, the White House issued a statement threatening to veto CISPA for its lack of privacy protections. It was a good sign, but that may not be the case this time around.

    In a statement released on Monday, the House Intelligence Committee says that CISPA was “developed in close consultation with a broad range of private sector companies, trade groups, privacy and civil liberties advocates, and the executive branch.”

    It’s that last group that should make CISPA opponents concerned. If the new/old CISPA has support from the White House, one of its toughest opponents will be dealt with. The only thing standing in its way this time would be the Senate. Last year, the Senate pushed its own cybersecurity legislation in the Cybersecurity Act of 2012. The bill was ultimately killed and the House-approved CISPA languished and died before it could come up for a vote. That all may change this year as the House and Senate may be united in pushing forward cybersecurity legislation to combat whatever is in Obama’s cybersecurity executive order that’s expected to be revealed on Wednesday.

    So, we come down to the all important question – should you be concerned? The answer is a resounding maybe. CISPA still has plenty of opponents even if the White House decides to announce its support for the bill. The Senate may try to push its own bill again thus killing it, and civil liberty groups will obviously campaign to have it killed.

    In short, CISPA faces the same uphill battle that it faced last year. It’s hard to say if it will be successful this time or not. Even if it isn’t, at least we can look forward to an executive order that may just contain what we hated about CISPA.

    Do you think an executive order would be preferable to CISPA? Do we even need cybersecurity legislation? Let us know in the comments.

  • Obama’s Cybersecurity Executive Order Is No CISPA, Contains Privacy Protections

    Near the end of President Obama’s State of the Union address, he addressed the need for cybersecurity reform. He also confirmed the long-standing rumor that he would indeed be signing an executive order into law that helps increase information sharing between the government and private corporations. What’s surprising, however, is that it does address many of the privacy concerns that privacy proponents had with bills like CISPA and CSA.

    With that being said, let’s get into the nitty gritty of the executive order, shall we? First up are details on how information sharing between public government entities and private corporations will work:

    Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

    (b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

    (c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

    (d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

    (e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

    In short, this part of the order makes it easier for government and companies to share information between themselves. This is what CISPA and CSA hoped to accomplish, and this executive order accomplishes pretty much the same thing.

    What could be worrisome about this part of the order is that it makes it too easy to share information, but that would only be a concern if extensive privacy protections were not put in place. That’s where the next part of the order comes in:

    Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

    (b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

    (c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

    (d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

    As you can see, the above text illustrates that the Obama administration has built some decent privacy protections into the executive order. It’s a major relief since some were concerned that the executive order would be just like CISPA, privacy violations and all.

    If you don’t want to take my word for it, the privacy protections in the executive order also got a pass from the ACLU. The organization’s Legislative Counsel Michelle Richardson had this to say about it:

    “The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information. More encouragingly, the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices – like consent, transparency, minimization and use limitations. If new information sharing authorities are granted—especially the overbroad ones being pondered by the House – these principles will be more important than ever. We look forward to working with the administration to make sure that the devil isn’t in the details when privacy regulations are drafted.”

    Section seven of the order contains a number of strategies to be implemented by the government to address and counter any cyber attacks directed at critical infrastructure. The central point is the creation of a “cybersecurity framework” that will include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” Keeping transparency as a central theme, the Director of the National Institute of Standards and Technology will “engage in an open and public review and comment process” during the creation of said framework.

    Government agencies will be required to implement the above framework, but it’s entirely voluntary for private operators of critical infrastructure. That being said, the Obama administration will be doing its damnedest to convince these private institutions to incorporate cybersecurity standards. One way the administration will be doing this is through the creation of an incentive program that will be pitched to the administration within 120 days. It will then be implemented by the President if it does not require the passage of new laws. If it does, Obama will take his case to Congress.

    Finally, the order calls upon the government to seek out infrastructure that’s at the greatest risk of cyberattacks. Once they’ve been identified, the government will work with these organizations to make sure that any risk of cyberattacks is mitigated. As such, these organizations have the chance to make their case, every two years, for whether the cybersecurity standards placed upon them are “regulatory burdens.”

    There’s sure to be a lot of talk about this cybersecurity executive order over the coming months. In his speech last night, President Obama indicated as much saying this order is meant to force Congress’ hand in passing extensive cybersecurity legislation. That being said, the order’s emphasis on privacy and civil rights protections makes me hopeful that the administration will smack down any attempts to revive CISPA this year.

  • Canada’s Internet Surveillance Bill Is Officially Dead

    Almost a year ago, Canada’s Public Safety Minister Vic Toews introduced an Internet surveillance bill called C-30 that would require ISPs to collect all information on their customers. The bill was met with a massive retaliation at the hands of civil liberties groups and Anonymous. Now, after a year of bitter struggle, the Canadian government has killed the bill.

    The Globe and Mail reports that Canada’s Justice Minister Rob Nicholson announced this week that Bill C-30 is officially dead. In the announcement, Nicholson said the government abandoned the bill after listening “to the concerns of Canadians.” He also said that any attempts to modernize the country’s criminal code will not contain “warrantless mandatory disclosure of basic subscriber information or the requirement for telecommunications service providers to build intercept capability within their systems.”

    The bad parts of the bill may be dead, but Canada is preserving one part of it for law enforcement. The police will be allowed to make use of warrantless wiretaps in the case of an emergency, but there are a few important caveats included in the legislation.

    For one, police must alert citizens they were subject to a wiretap after an investigation has been closed. The government is also required to issue annual reports on how wiretaps are used. Finally, warrantless wiretaps are restricted to only certain officials for certain crimes.

    It’s certainly different from how wiretapping works in the U.S. FISA allows the government to wiretap anyone without a warrant, and without ever notifying them. Some members of Congress have worked towards making it more transparent, but proponents argue that it must be kept secret.

    Canada’s killing of C-30 comes on the heels of an expected cybersecurity executive order that may very well curtail more privacy on the Internet for Americans. Maybe it’s time American lawmakers looked north for a little inspiration for how Internet surveillance should really work – limited and transparent.

  • White House Will Issue Cybersecurity Executive Order On Wednesday [Rumor]

    It’s fairly common knowledge that the Obama administration has been crafting an executive order to address cybersecurity for quite some time now. The only thing we didn’t know was when such an order would be made public, but a new report is pegging the announcement for this week.

    Speaking to The Hill, sources close to the White House said that senior officials will announce Obama’s long-in-development cybersecurity mandate on Wednesday. The order will reportedly establish a voluntary program where “companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government.”

    The order will be announced at an event that is due to take place at the U.S. Department of Commerce. In attendance will be a who’s who of major cybersecurity proponents, including White House Cybersecurity Coordinator Michael Daniel, Department of Homeland Security Deputy Secretary Jane Lute, and National Security Director Gen. Keith Alexander. You can expect some, or all, of them to talk about the grave threat our nation faces from cyberattacks from China and the like, and how this executive order will better protect our aging infrastructure from cyberattacks.

    Of course, members of Congress aren’t going to like it. They’re going to push for their own extensive cybersecurity legislation to replace whatever Obama’s administration cooks up. House Intelligence Committee Chairman Mike Rogers was already planning to reintroduce CISPA this week, but the executive order may force his hand in pushing the reviled legislation through the House even faster than before. Doing so would once again block all meaningful discussion on the privacy concerns present in the bill in favor of just pushing something through.

    Of course, the Senate will probably not like it either, and may very well introduce its own cybersecurity legislation as well. It may choose to vote on CISPA, if it passes the House, but the Senate may very well choose to go its own way once again by crafting its own legislation. If it does, we may very well end up with a situation just like last year where neither legislative branch can come up with anything, thus justifying the executive order.

    The Hill’s report doesn’t have any concrete details on what the executive order will entail, but we should probably prepare for the worst. Despite talking up a good game as a proponent of online privacy, President Obama has recently signed worrisome, and privacy-infringing, legislation like the FISA extension into law.

    We’ll keep our ear to the ground to let you know when, and if, a cybersecurity executive order is announced, and what it entails.


  • House Intelligence Committee Collaborating With Obama Administration On New CISPA

    CISPA was one of the more worrisome Internet-related bills of 2012. It threatened the online privacy of just about everyone by allowing corporations to share information with governments in the hopes of sniffing out cyber threats. The House approved bill died while waiting for a vote from the Senate, but it looks like it will be back this year with some new protections in tow.

    The Hill reports that Rep. Dutch Ruppersberger, the ranking member of the House Intelligence Committee, is partnering with Intelligence Chairman Mike Rogers to re-introduce CISPA into the House this year. The original CISPA was threatened with a veto from the White House, but Ruppersberger hopes to avoid that this year by working directly with White House staff in the crafting of the bill.

    What kind of cybersecurity bill can we expect from a collaboration between the House and the Obama administration? It’s too early to tell, but Ruppersberger says that his team is “working with the White House to make sure that hopefully they can be more supportive of our bill than they were last time.” These discussions with the White House are reportedly “working pretty well.”

    For the bill to have support from the White House, it will have to feature more of the privacy protections found in the Senate’s CSA. Both CISPA and CSA raised concern over their lack of privacy protections, but the White House seemed to favor CSA.

    The reemergence of CISPA is only the beginning of a year that will be putting a lot of emphasis on cybersecurity. The U.S. is already gearing up for what could turn into massive offensives that are carried out online. Calls for a cybersecurity bill that sets ground rules for what the nation can and can not do will only continue to grow as the year goes on.

  • White House Writing Rules For Cyber Engagement

    It’s been known for a while that the Obama administration has been at work on a cybersecurity directive. The executive order would be used to circumvent a Congress that failed numerous times in 2012 to pass a comprehensive cybersecurity law. The only thing we didn’t know is what that directive would entail, but a recent report serves to detail at least part of the United States’ “cyber arsenal.”

    In a report Monday morning, The New York Times spoke to senior officials involved in the creation of the White House’s cyber warfare directive. The officials reveal that the White House has been developing its cyber warfare rules for the past two years to address the growing threat that nations like China and Russia pose in regards to cyberattacks. These rules will govern how the U.S. military, which just recently expanded its cybersecurity force, can retaliate to cyberattacks and in what ways these new weapons can be used in traditional offensives.

    In regards to retaliation, the U.S. military is reportedly being held back by strict rules that state it can not act unless provoked by a major threat. Of course, this could lead to pre-emptive attacks which has some critics concerned that the U.S. would launch a major cyberattack against an innocent party. The officials stated that they understand the concern, and the rules seek to define “what constitutes reasonable and proportionate force” when it comes to pre-emptive or retaliatory attacks.

    As for traditional offensives, the use of cyberweapons will be strictly restrained. The officials claimed that the U.S. has the cyber equivalent of a nuclear warhead in its arsenal, but such an attack would be considered a last resort. It would also be deployed much like a nuclear attack, as it would require authorization directly from the president.

    Smaller cyberattacks, however, can be used by the military without the authorization of the President. An example would be the military using cyberweapons to disable automated defenses from afar to clear the way for a traditional strike.

    Of course, all of this only applies to the military. What about domestic infrastructure that’s targeted by cyberattacks from foreign nations? That responsibility will fall to the Department of Homeland Security. That’s what proposed laws like CISPA and CSA would have, and could have, addressed if the bills didn’t contain widespread privacy violations. The Obama administration is expected to issue an executive order for domestic cybersecurity in the near future as well that would free up communications between private and public entities to address cyberattacks.

    [h/t: techdirt]

  • Pentagon To Expand Its Cybersecurity Force To Over 4,000 People

    Cyber warfare has been a popular trope in books and film since the 80s, but it’s never really felt like a real thing until recently. Every day, there are new reports of hacking attacks made by individuals and countries against their rivals and adversaries. The U.S. military rightly thinks this trend is only going to continue, and is now preparing to greatly expand its cyber warfare capabilities.

    The New York Times reports that the Pentagon is preparing to expand the Defense Department’s Cyber Command to more than 4,000 people. The center only has about 900 personnel currently working for it. With the expansion, the Defense Department hopes to create three different forces – national mission forces, combat mission forces and cyber protection forces. The first would protect national infrastructure, the second would execute cyberattacks against enemies, and the third would protect the Pentagon’s computer systems from unauthorized intrusions.

    It’s an ambitious plan, but the Pentagon recognizes that it’s a challenging one as well. Defense officials say that it will be difficult to find and train thousands of people in something as complicated as cyber defense. That being said, the military says that the threat of a cyber attack is “real” and it needs to bolster its defenses before something disastrous like Stuxnet attacks U.S. infrastructure.

    The Pentagon’s move to expand its cyber forces comes as the number of cyber attacks against private and public organizations increases every year. Anonymous has been a major source of these attacks with its latest target being the U.S. government. The government also regularly attributes a number of attacks against its systems to China or Russia, the most recent being a supposed Chinese cyber attack against the White House’s servers.

    Alongside an increase to the Pentagon’s cyber defenses, the U.S. government will most assuredly propose more legislation that will beef up security. CISPA and CSA were defeated last year after privacy and government regulation concerns were brought to light, but some lawmakers will undoubtedly bring it up again this year. It’s also been suggested that President Obama will issue an executive order to institute a number of cybersecurity rules in the country.


  • IBM Earnings: IBM Posts $29.3 Billion In Revenue

    IBM released its Q4 and full-year earnings report today, posting $29.3 billion in revenue (down 1%, flat adjusting for currency, up 1% excluding divested RSS business adjusting for currency) for the quarter, and $104.5 billion for the year (down 2%, flat adjusting for currency).

    For the quarter, the company posted diluted earnings of $5.13 per share, up 11%. For the year, they were $14.37, up 10%.

    Net income was $5.8 billion for the quarter, up 6% year-over-year. Operating (non-GAAP) net income was $6.1 billion, up 10% year-over-year. For the year, net income was $16.6 billion, up 5%, and operating (non-GAAP) was $17.6 billion, up 8%.

    “We achieved record profit, earnings per share and free cash flow in 2012. Our performance in the fourth quarter and for the full year was driven by our strategic growth initiatives — growth markets, analytics, cloud computing, Smarter Planet solutions — which support our continued shift to higher-value businesses,” said Ginni Rometty, IBM chairman, president and CEO.

    Here’s the release in its entirety:

    IBM (NYSE: IBM) today announced fourth-quarter 2012 diluted earnings of $5.13 per share, compared with diluted earnings of $4.62 per share in the fourth quarter of 2011, an increase of 11 percent. Operating (non-GAAP) diluted earnings were $5.39 per share, compared with operating diluted earnings of $4.71 per share in the fourth quarter of 2011, an increase of 14 percent.

    Fourth-quarter net income was $5.8 billion compared with $5.5 billion in the fourth quarter of 2011, an increase of 6 percent. Operating (non-GAAP) net income was $6.1 billion compared with $5.6 billion in the fourth quarter of 2011, an increase of 10 percent.

    Total revenues for the fourth quarter of 2012 of $29.3 billion decreased 1 percent (flat adjusting for currency) from the fourth quarter of 2011. Without the impact of the divested Retail Store Solutions (RSS) business, revenue increased 1 percent, adjusting for currency.

    “We achieved record profit, earnings per share and free cash flow in 2012. Our performance in the fourth quarter and for the full year was driven by our strategic growth initiatives — growth markets, analytics, cloud computing, Smarter Planet solutions — which support our continued shift to higher-value businesses,” said Ginni Rometty, IBM chairman, president and chief executive officer.

    “Looking ahead, we continue to invest to deliver innovations for the enterprise in key areas such as big data, mobile solutions, social business and security, while expanding into new markets and reaching new clients. We are well on track toward our long-term roadmap for operating EPS of at least $20 in 2015.”

    Fourth-Quarter GAAP – Operating (non-GAAP) Reconciliation

    Fourth-quarter operating (non-GAAP) diluted earnings exclude $0.26 per share of net charges: $0.21 per share for the amortization of purchased intangible assets and other acquisition-related charges, and $0.05 per share for retirement-related items driven by changes to plan assets and liabilities primarily related to market performance.

    Full-Year 2013 Expectation

    IBM said that it expects to deliver full-year 2013 GAAP earnings per share of at least $15.53; and operating (non-GAAP) earnings per share of at least $16.70. The 2013 operating (non-GAAP) earnings exclude $1.17 per share of charges for amortization of purchased intangible assets, other acquisition-related charges, and retirement-related items driven by changes to plan assets and liabilities primarily related to market performance.

    Geographic Regions

    The Americas’ fourth-quarter revenues were $12.5 billion, flat (up 1 percent, adjusting for currency) from the 2011 period. Revenues from Europe/Middle East/Africa were $9.1 billion, down 5 percent (down 3 percent, adjusting for currency). Asia-Pacific revenues increased 4 percent (up 5 percent, adjusting for currency) to $7.0 billion. OEM revenues were $679 million, down 5 percent compared with the 2011 fourth quarter.

    Growth Markets

    Revenues from the company’s growth markets increased 7 percent. Revenues in the BRIC countries — Brazil, Russia, India and China — increased 11 percent (up 14 percent, adjusting for currency).

    Services

    Global Technology Services segment revenues decreased 2 percent (flat adjusting for currency) to $10.3 billion. Global Business Services segment revenues were down 3 percent (down 2 percent, adjusting for currency) at $4.7 billion.

    Pre-tax income from Global Technology Services increased 5 percent; pre-tax margin increased to 19.2 percent. Global Business Services pre-tax income was flat; pre-tax margin increased to 17.2 percent.

    The estimated services backlog at December 31 was $140 billion, flat (up $1 billion, adjusting for currency).

    Software

    Revenues from the Software segment were $7.9 billion, an increase of 3 percent (up 4 percent, adjusting for currency) from the fourth quarter of 2011. Software pre-tax income of $4.0 billion increased 8 percent year over year.

    Revenues from IBM’s key middleware products, which include WebSphere, Information Management, Tivoli, Lotus and Rational products, were $5.5 billion, an increase of 5 percent (up 6 percent, adjusting for currency) versus the fourth quarter of 2011. Operating systems revenues of $709 million were flat (up 1 percent, adjusting for currency) compared with the prior-year quarter.

    Revenues from the WebSphere family of software products increased 11 percent year over year. Information Management software revenues increased 2 percent. Revenues from Tivoli software increased 4 percent. Revenues from Lotus software increased 9 percent, and Rational software increased 12 percent.

    Hardware

    Revenues from the Systems and Technology segment totaled $5.8 billion for the quarter, down 1 percent from the fourth quarter of 2011. Excluding Retail Store Solutions (RSS), revenues were up 4 percent. Systems and Technology pre-tax income was $1.0 billion, an increase of 23 percent.

    Total systems revenues, excluding RSS, increased 4 percent. Revenues from System z mainframe server products increased 56 percent compared with the year-ago period; revenue in the growth markets increased 68 percent. Total delivery of System z computing power, as measured in MIPS (millions of instructions per second), increased 66 percent versus the prior year and represented the largest MIPS shipment quarter in the company’s history. New workload specialty engines, including Linux, represented one-half of the MIPS shipped. Revenues from Power Systems decreased 19 percent compared with the 2011 period. Revenues from System x decreased 2 percent. Revenues from System Storage decreased 5 percent. Revenues from Retail Store Solutions decreased $239 million year over year as a result of the divestiture in the third quarter. Revenues from Microelectronics OEM increased 4 percent.

    Financing

    Global Financing segment revenues were down 2 percent (down 1 percent, adjusting for currency) in the fourth quarter to $535 million. Pre-tax income for the segment increased 1 percent to $518 million.

    Gross Profit

    The company’s total gross profit margin was 51.8 percent in the 2012 fourth quarter compared with 49.9 percent in the 2011 fourth-quarter period. Total operating (non-GAAP) gross profit margin was 52.3 percent in the 2012 fourth quarter compared with 50.2 percent in the 2011 fourth-quarter period, with increases in Services, Software and Hardware.

    Expense

    Total expense and other income decreased 2 percent to $7.3 billion compared with the prior-year period. S,G&A expense of $5.9 billion decreased 3 percent year over year compared with prior-year expense. R,D&E expense of $1.6 billion increased 2 percent compared with the year-ago period. Intellectual property and custom development income decreased to $227 million compared with $253 million a year ago. Other (income) and expense was income of $47 million compared with prior-year income of $44 million. Interest expense decreased to $109 million compared with $113 million in the prior year.

    Total operating (non-GAAP) expense and other income decreased 2 percent to $7.2 billion compared with the prior-year period. Operating (non-GAAP) S,G&A expense of $5.8 billion decreased 3 percent year over year compared with prior-year expense. Operating (non-GAAP) R,D&E expense of $1.6 billion increased 1 percent compared with the year-ago period.

    ***

    Pre-tax income increased 8 percent to $7.8 billion; total operating (non-GAAP) pre-tax income increased 10 percent to $8.1 billion. Pre-tax margin was 26.7 percent, up 2.1 points; total operating (non-GAAP) pre-tax margin was 27.7 percent, up 2.6 points.

    IBM’s tax rate was 25.5 percent, up 1.0 points year over year; total operating (non-GAAP) tax rate was 24.4 percent, flat compared to the year-ago period.

    Net income margin increased 1.3 points to 19.9 percent; total operating (non-GAAP) net income margin was 20.9 percent, an increase of 1.9 points.

    The weighted-average number of diluted common shares outstanding in the fourth-quarter 2012 was 1.14 billion compared with 1.19 billion shares in the same period of 2011.

    In the quarter, IBM generated free cash flow of $9.5 billion excluding Global Financing receivables, up $0.6 billion year over year.

    Full-Year 2012 Results

    Net income for the year ended December 31, 2012 was $16.6 billion compared with $15.9 billion in the prior year, an increase of 5 percent. Operating (non-GAAP) net income was $17.6 billion compared with $16.3 billion in 2011, an increase of 8 percent.

    Diluted earnings were $14.37 per share compared with $13.06 per diluted share in 2011, an increase of 10 percent. Operating (non-GAAP) diluted earnings were $15.25 per share, compared with operating diluted earnings of $13.44 per share in 2011, an increase of 13 percent. This was the company’s 10th consecutive year of double-digit EPS growth.

    Revenues for 2012 totaled $104.5 billion, a decrease of 2 percent (flat adjusting for currency), compared with $106.9 billion in 2011.

    GAAP – Operating (non-GAAP) Reconciliation

    Operating (non-GAAP) diluted earnings for the year exclude $0.88 per share of net charges: $0.55 per share for the amortization of purchased intangible assets and other acquisition-related charges, and $0.33 per share for retirement-related items driven by changes to plan assets and liabilities primarily related to market performance.

    Geographic Regions

    From a geographic perspective, the Americas’ full-year revenues were $44.6 billion, a decrease of 1 percent (flat adjusting for currency) from the 2011 period. Revenues from Europe/Middle East/Africa were $31.8 billion, a decrease of 6 percent (down 1 percent, adjusting for currency). Asia-Pacific revenues increased 3 percent to $25.9 billion. OEM revenues were $2.2 billion, down 18 percent compared with 2011.

    Growth Markets

    Revenues from the company’s growth markets increased 4 percent (up 7 percent, adjusting for currency), and represent 24 percent of IBM’s total geographic revenue. Revenues in the BRIC countries — Brazil, Russia, India and China — increased 7 percent (up 12 percent, adjusting for currency).

    Segments

    Total Global Services revenues decreased 2 percent (flat adjusting for currency). Revenues from the Global Technology Services segment totaled $40.2 billion, a decrease of 2 percent (up 1 percent, adjusting for currency) compared with 2011. Revenues from the Global Business Services segment were $18.6 billion, down 4 percent (down 2 percent, adjusting for currency). Software segment revenues in 2012 totaled $25.4 billion, an increase of 2 percent (up 4 percent, adjusting for currency). Systems and Technology segment revenues were $17.7 billion, a decrease of 7 percent (down 6 percent, adjusting for currency); excluding Retail Store Solutions, revenues were down 5 percent (down 4 percent adjusting for currency). Global Financing segment revenues totaled $2.0 billion, a decrease of 4 percent (down 1 percent, adjusting for currency).

    ***

    The company’s total gross profit margin was 48.1 percent in 2012 compared with 46.9 percent in 2011. Overall gross profit margins improved year over year for the 9th consecutive year. Total operating (non-GAAP) gross profit margin was 48.7 percent in the 2012 period compared with 47.2 percent in the 2011 period, with increases in Services and Software.

    The weighted-average number of diluted common shares outstanding in 2012 was 1.16 billion compared with 1.21 billion shares in 2011. As of December 31, 2012, there were 1.12 billion basic common shares outstanding.

    Debt, including Global Financing, totaled $33.3 billion, compared with $31.3 billion at year-end 2011. From a management segment view, Global Financing debt totaled $24.5 billion versus $23.3 billion at year-end 2011, resulting in a debt-to-equity ratio of 7.0 to 1. Non-global financing debt totaled $8.8 billion, an increase of $0.8 billion since year-end 2011, resulting in a debt-to-capitalization ratio of 36.1 percent from 32.0 percent.

    IBM ended 2012 with $11.1 billion of cash on hand and generated free cash flow of $18.2 billion excluding Global Financing receivables, up approximately $1.6 billion year over year. The company returned $15.8 billion to shareholders through $3.8 billion in dividends and $12.0 billion of share repurchases. The company’s balance sheet remains strong and is well positioned to support the business over the long term.

    Forward-Looking and Cautionary Statements

    Except for the historical information and discussions contained herein, statements contained in this release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company’s current assumptions regarding future business and financial performance. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially, including the following: a downturn in economic environment and corporate IT spending budgets; the company’s failure to meet growth and productivity objectives, a failure of the company’s innovation initiatives; risks from investing in growth opportunities; failure of the company’s intellectual property portfolio to prevent competitive offerings and the failure of the company to obtain necessary licenses; cybersecurity and data privacy considerations; fluctuations in financial results and purchases, impact of local legal, economic, political and health conditions; adverse effects from environmental matters, tax matters and the company’s pension plans; ineffective internal controls; the company’s use of accounting estimates; the company’s ability to attract and retain key personnel and its reliance on critical skills; impacts of relationships with critical suppliers and business with government clients; currency fluctuations and customer financing risks; impact of changes in market liquidity conditions and customer credit risk on receivables; reliance on third party distribution channels; the company’s ability to successfully manage acquisitions and alliances; risk factors related to IBM securities; and other risks, uncertainties and factors discussed in the company’s Form 10-Q, Form 10-K and in the company’s other filings with the U.S. Securities and Exchange Commission (SEC) or in materials incorporated therein by reference. 
    Any forward-looking statement in this release speaks only as of the date on which it is made. The company assumes no obligation to update or revise any forward-looking statements.

    Presentation of Information in this Press Release

    In an effort to provide investors with additional information regarding the company’s results as determined by generally accepted accounting principles (GAAP), the company has also disclosed in this press release the following non-GAAP information which management believes provides useful information to investors:

    IBM results and expectations –

    • presenting operating (non-GAAP) earnings per share amounts and related income statement items;
    • presenting non-global financing debt-to-capitalization ratio;
    • adjusting for free cash flow;
    • adjusting for currency (i.e., at constant currency);
    • adjusting for the divestiture of RSS.

    The rationale for management’s use of non-GAAP measures is included as part of the supplementary materials presented within the fourth-quarter earnings materials. These materials are available on the IBM investor relations Web site at www.ibm.com/investor and are being included in Attachment II (“Non-GAAP Supplementary Materials”) to the Form 8-K that includes this press release and is being submitted today to the SEC.

    Conference Call and Webcast

    IBM’s regular quarterly earnings conference call is scheduled to begin at 4:30 p.m. EST, today. The Webcast may be viewed at www.ibm.com/investor/4q12. Presentation charts will be available on the Web site shortly before the Webcast.

    Financial Results Below (certain amounts may not add due to use of rounded numbers; percentages presented are calculated from the underlying whole-dollar amounts).

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    COMPARATIVE FINANCIAL RESULTS
    (Dollars in millions except per share amounts)

    | | Three Months Ended December 31, 2012 | Three Months Ended December 31, 2011 | Percent Change | Twelve Months Ended December 31, 2012 | Twelve Months Ended December 31, 2011 | Percent Change |
    |---|---|---|---|---|---|---|
    | REVENUE | | | | | | |
    | Global Technology Services | $10,284 | $10,452 | -1.6% | $40,236 | $40,879 | -1.6% |
    | Gross profit margin | 37.6% | 36.6% | | 36.6% | 35.0% | |
    | Global Business Services | 4,720 | 4,877 | -3.2% | 18,566 | 19,284 | -3.7% |
    | Gross profit margin | 29.9% | 29.3% | | 30.0% | 28.8% | |
    | Software | 7,915 | 7,648 | 3.5% | 25,448 | 24,944 | 2.0% |
    | Gross profit margin | 90.6% | 89.8% | | 88.7% | 88.5% | |
    | System and Technology | 5,763 | 5,803 | -0.7% | 17,667 | 18,985 | -6.9% |
    | Gross profit margin | 44.1% | 40.5% | | 39.1% | 39.8% | |
    | Global Financing | 535 | 548 | -2.3% | 2,013 | 2,102 | -4.2% |
    | Gross profit margin | 43.8% | 49.7% | | 46.5% | 49.8% | |
    | Other | 87 | 159 | -45.3% | 577 | 722 | -20.1% |
    | Gross profit margin | -73.2% | -11.0% | | -71.6% | -54.5% | |
    | TOTAL REVENUE | 29,304 | 29,486 | -0.6% | 104,507 | 106,916 | -2.3% |
    | GROSS PROFIT | 15,167 | 14,722 | 3.0% | 50,298 | 50,138 | 0.3% |
    | Gross profit margin | 51.8% | 49.9% | | 48.1% | 46.9% | |
    | EXPENSE AND OTHER INCOME | | | | | | |
    | S,G&A | 5,921 | 6,076 | -2.6% | 23,553 | 23,594 | -0.2% |
    | Expense to revenue | 20.2% | 20.6% | | 22.5% | 22.1% | |
    | R,D&E | 1,580 | 1,555 | 1.6% | 6,302 | 6,258 | 0.7% |
    | Expense to revenue | 5.4% | 5.3% | | 6.0% | 5.9% | |
    | Intellectual property and custom development income | (227) | (253) | -10.1% | (1,074) | (1,108) | -3.0% |
    | Other (income) and expense | (47) | (44) | 7.3% | (843) | (20) | NM |
    | Interest expense | 109 | 113 | -3.8% | 459 | 411 | 11.8% |
    | TOTAL EXPENSE AND OTHER INCOME | 7,336 | 7,448 | -1.5% | 28,396 | 29,135 | -2.5% |
    | Expense to revenue | 25.0% | 25.3% | | 27.2% | 27.3% | |
    | INCOME BEFORE INCOME TAXES | 7,831 | 7,274 | 7.7% | 21,902 | 21,003 | 4.3% |
    | Pre-tax margin | 26.7% | 24.7% | | 21.0% | 19.6% | |
    | Provision for income taxes | 1,998 | 1,784 | 12.0% | 5,298 | 5,148 | 2.9% |
    | Effective tax rate | 25.5% | 24.5% | | 24.2% | 24.5% | |
    | NET INCOME | $5,833 | $5,490 | 6.3% | $16,604 | $15,855 | 4.7% |
    | Net income margin | 19.9% | 18.6% | | 15.9% | 14.8% | |
    | EARNINGS PER SHARE OF COMMON STOCK: | | | | | | |
    | ASSUMING DILUTION | $5.13 | $4.62 | 11.0% | $14.37 | $13.06 | 10.0% |
    | BASIC | $5.19 | $4.68 | 10.9% | $14.53 | $13.25 | 9.7% |
    | WEIGHTED-AVERAGE NUMBER OF COMMON SHARES OUTSTANDING (M’s): | | | | | | |
    | ASSUMING DILUTION | 1,136.4 | 1,188.7 | | 1,155.4 | 1,213.8 | |
    | BASIC | 1,124.7 | 1,172.2 | | 1,142.5 | 1,197.0 | |

    NM – Not Meaningful

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    CONSOLIDATED STATEMENT OF FINANCIAL POSITION
    (Dollars in Millions)

    | | At December 31, 2012 | At December 31, 2011 |
    |---|---|---|
    | ASSETS: | | |
    | Current Assets: | | |
    | Cash and cash equivalents | $10,412 | $11,922 |
    | Marketable securities | 717 | |
    | Notes and accounts receivable – trade (net of allowances of $255 in 2012 and $256 in 2011) | 10,667 | 11,179 |
    | Short-term financing receivables (net of allowances of $288 in 2012 and $311 in 2011) | 18,038 | 16,901 |
    | Other accounts receivable (net of allowances of $17 in 2012 and $11 in 2011) | 1,873 | 1,481 |
    | Inventories, at lower of average cost or market: | | |
    | Finished goods | 475 | 589 |
    | Work in process and raw materials | 1,812 | 2,007 |
    | Total inventories | 2,287 | 2,595 |
    | Deferred taxes | 1,415 | 1,601 |
    | Prepaid expenses and other current assets | 4,024 | 5,249 |
    | Total Current Assets | 49,433 | 50,928 |
    | Property, plant and equipment | 40,501 | 40,124 |
    | Less: Accumulated depreciation | 26,505 | 26,241 |
    | Property, plant and equipment – net | 13,996 | 13,883 |
    | Long-term financing receivables (net of allowances of $66 in 2012 and $38 in 2011) | 12,812 | 10,776 |
    | Prepaid pension assets | 945 | 2,843 |
    | Deferred taxes | 3,973 | 3,503 |
    | Goodwill | 29,247 | 26,213 |
    | Intangible assets – net | 3,787 | 3,392 |
    | Investments and sundry assets | 5,021 | 4,895 |
    | Total Assets | $119,213 | $116,433 |
    | LIABILITIES: | | |
    | Current Liabilities: | | |
    | Taxes | $4,948 | $3,313 |
    | Short-term debt | 9,181 | 8,463 |
    | Accounts payable | 7,952 | 8,517 |
    | Compensation and benefits | 4,745 | 5,099 |
    | Deferred income | 11,952 | 12,197 |
    | Other accrued expenses and liabilities | 4,847 | 4,535 |
    | Total Current Liabilities | 43,625 | 42,123 |
    | Long-term debt | 24,088 | 22,857 |
    | Retirement and nonpension postretirement benefit obligations | 20,418 | 18,374 |
    | Deferred income | 4,491 | 3,847 |
    | Other liabilities | 7,607 | 8,996 |
    | Total Liabilities | 100,229 | 96,197 |
    | EQUITY: | | |
    | IBM Stockholders’ Equity: | | |
    | Common stock | 50,110 | 48,129 |
    | Retained earnings | 117,641 | 104,857 |
    | Treasury stock — at cost | (123,131) | (110,963) |
    | Accumulated other comprehensive income/(loss) | (25,759) | (21,885) |
    | Total IBM stockholders’ equity | 18,860 | 20,138 |
    | Noncontrolling interests | 124 | 97 |
    | Total Equity | 18,984 | 20,236 |
    | Total Liabilities and Equity | $119,213 | $116,433 |

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    CASH FLOW ANALYSIS
    (Dollars in Millions)

    | | Three Months Ended December 31, 2012 | Three Months Ended December 31, 2011 | Twelve Months Ended December 31, 2012 | Twelve Months Ended December 31, 2011 |
    |---|---|---|---|---|
    | Net Cash from Operating Activities per GAAP: | $6,346 | $7,097 | $19,586 | $19,846 |
    | Less: the change in Global Financing (GF) Receivables | (4,151) | (2,927) | (2,906) | (817) |
    | Net Cash from Operating Activities (Excluding GF Receivables) | 10,497 | 10,024 | 22,492 | 20,663 |
    | Capital Expenditures, Net | (981) | (1,059) | (4,307) | (4,059) |
    | Free Cash Flow (Excluding GF Receivables) | 9,515 | 8,965 | 18,185 | 16,604 |
    | Acquisitions | (1,455) | (1,588) | (3,722) | (1,811) |
    | Divestitures | 13 | 10 | 599 | 14 |
    | Dividends | (957) | (880) | (3,773) | (3,473) |
    | Share Repurchase | (3,006) | (3,581) | (11,995) | (15,046) |
    | Non-GF Debt | (1,571) | 599 | 713 | 1,692 |
    | Other (includes GF Receivables, and GF Debt) | (3,664) | (2,906) | (802) | 2,291 |
    | Change in Cash, Cash Equivalents and Short-term Marketable Securities | ($1,125) | $619 | ($794) | $271 |

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    SEGMENT DATA
    (Dollars in Millions)

    FOURTH-QUARTER 2012

    | SEGMENTS | External Revenue | Internal Revenue | Total Revenue | Pre-tax Income/(Loss) | Pre-tax Margin |
    |---|---|---|---|---|---|
    | Global Technology Services | $10,284 | $297 | $10,581 | $2,027 | 19.2% |
    | Y-T-Y change | -1.6% | -0.6% | -1.6% | 5.0% | |
    | Global Business Services | 4,720 | 181 | 4,901 | 841 | 17.2% |
    | Y-T-Y change | -3.2% | -5.9% | -3.3% | 0.1% | |
    | Software | 7,915 | 815 | 8,730 | 4,017 | 46.0% |
    | Y-T-Y change | 3.5% | -4.2% | 2.7% | 8.3% | |
    | Systems and Technology | 5,763 | 186 | 5,949 | 974 | 16.4% |
    | Y-T-Y change | -0.7% | 0.0% | -0.7% | 23.2% | |
    | Global Financing | 535 | 568 | 1,103 | 518 | 46.9% |
    | Y-T-Y change | -2.3% | -0.1% | -1.2% | 0.7% | |
    | TOTAL REPORTABLE SEGMENTS | $29,217 | $2,048 | $31,265 | $8,377 | 26.8% |
    | Y-T-Y change | -0.4% | -2.4% | -0.5% | 7.6% | |
    | Eliminations / Other | 87 | (2,048) | (1,961) | (546) | |
    | TOTAL IBM CONSOLIDATED | $29,304 | $0 | $29,304 | $7,831 | 26.7% |
    | Y-T-Y change | -0.6% | | -0.6% | 7.7% | |

    FOURTH-QUARTER 2011

    | SEGMENTS | External Revenue | Internal Revenue | Total Revenue | Pre-tax Income/(Loss) | Pre-tax Margin |
    |---|---|---|---|---|---|
    | Global Technology Services | $10,452 | $299 | $10,751 | $1,930 | 18.0% |
    | Global Business Services | 4,877 | 193 | 5,069 | 841 | 16.6% |
    | Software | 7,648 | 851 | 8,499 | 3,710 | 43.7% |
    | Systems and Technology | 5,803 | 186 | 5,989 | 790 | 13.2% |
    | Global Financing | 548 | 569 | 1,116 | 514 | 46.1% |
    | TOTAL REPORTABLE SEGMENTS | $29,328 | $2,098 | $31,425 | $7,786 | 24.8% |
    | Eliminations / Other | 159 | (2,098) | (1,939) | (512) | |
    | TOTAL IBM CONSOLIDATED | $29,486 | $0 | $29,486 | $7,274 | 24.7% |

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    SEGMENT DATA
    (Dollars in Millions)

    TWELVE-MONTHS 2012

    | SEGMENTS | External Revenue | Internal Revenue | Total Revenue | Pre-tax Income/(Loss) | Pre-tax Margin |
    |---|---|---|---|---|---|
    | Global Technology Services | $40,236 | $1,166 | $41,402 | $6,961 | 16.8% |
    | Y-T-Y change | -1.6% | -6.2% | -1.7% | 10.8% | |
    | Global Business Services | 18,566 | 719 | 19,286 | 2,983 | 15.5% |
    | Y-T-Y change | -3.7% | -9.7% | -4.0% | -0.8% | |
    | Software | 25,448 | 3,274 | 28,722 | 10,810 | 37.6% |
    | Y-T-Y change | 2.0% | -0.1% | 1.8% | 8.4% | |
    | Systems and Technology | 17,667 | 676 | 18,343 | 1,227 | 6.7% |
    | Y-T-Y change | -6.9% | -19.3% | -7.5% | -24.9% | |
    | Global Financing | 2,013 | 2,060 | 4,073 | 2,034 | 49.9% |
    | Y-T-Y change | -4.2% | -1.6% | -2.9% | 1.1% | |
    | TOTAL REPORTABLE SEGMENTS | $103,930 | $7,896 | $111,826 | $24,015 | 21.5% |
    | Y-T-Y change | -2.1% | -4.3% | -2.3% | 4.8% | |
    | Eliminations / Other | 577 | (7,896) | (7,319) | (2,113) | |
    | TOTAL IBM CONSOLIDATED | $104,507 | $0 | $104,507 | $21,902 | 21.0% |
    | Y-T-Y change | -2.3% | | -2.3% | 4.3% | |

    TWELVE-MONTHS 2011

    | SEGMENTS | External Revenue | Internal Revenue | Total Revenue | Pre-tax Income/(Loss) | Pre-tax Margin |
    |---|---|---|---|---|---|
    | Global Technology Services | $40,879 | $1,242 | $42,121 | $6,284 | 14.9% |
    | Global Business Services | 19,284 | 797 | 20,081 | 3,006 | 15.0% |
    | Software | 24,944 | 3,276 | 28,219 | 9,970 | 35.3% |
    | Systems and Technology | 18,985 | 838 | 19,823 | 1,633 | 8.2% |
    | Global Financing | 2,102 | 2,092 | 4,195 | 2,011 | 47.9% |
    | TOTAL REPORTABLE SEGMENTS | $106,194 | $8,246 | $114,440 | $22,904 | 20.0% |
    | Eliminations / Other | 722 | (8,246) | (7,524) | (1,901) | |
    | TOTAL IBM CONSOLIDATED | $106,916 | $0 | $106,916 | $21,003 | 19.6% |

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    U.S. GAAP TO OPERATING RESULTS RECONCILIATION
    (Dollars in millions except per share amounts)

    FOURTH-QUARTER 2012

    | | GAAP | Acquisition-Related Adjustments* | Retirement-Related Adjustments** | Operating (Non-GAAP) |
    |---|---|---|---|---|
    | Gross Profit | $15,167 | $100 | $60 | $15,327 |
    | Gross Profit Margin | 51.8% | 0.3 Pts | 0.2 Pts | 52.3% |
    | S,G&A | 5,921 | (91) | (29) | 5,801 |
    | R,D&E | 1,580 | 0 | 6 | 1,586 |
    | Other (Income) & Expense | (47) | (7) | 0 | (54) |
    | Total Expense & Other (Income) | 7,336 | (98) | (23) | 7,215 |
    | Pre-Tax Income | 7,831 | 198 | 83 | 8,112 |
    | Pre-Tax Income Margin | 26.7% | 0.7 Pts | 0.3 Pts | 27.7% |
    | Provision for Income Taxes*** | 1,998 | (45) | 30 | 1,983 |
    | Effective Tax Rate | 25.5% | -1.2 Pts | 0.1 Pts | 24.4% |
    | Net Income | 5,833 | 243 | 53 | 6,129 |
    | Net Income Margin | 19.9% | 0.8 Pts | 0.2 Pts | 20.9% |
    | Diluted Earnings Per Share | $5.13 | $0.21 | $0.05 | $5.39 |

    FOURTH-QUARTER 2011

    | | GAAP | Acquisition-Related Adjustments* | Retirement-Related Adjustments** | Operating (Non-GAAP) |
    |---|---|---|---|---|
    | Gross Profit | $14,722 | $81 | ($10) | $14,793 |
    | Gross Profit Margin | 49.9% | 0.3 Pts | -0.0 Pts | 50.2% |
    | S,G&A | 6,076 | (82) | 2 | 5,996 |
    | R,D&E | 1,555 | 0 | 23 | 1,578 |
    | Other (Income) & Expense | (44) | (2) | 0 | (46) |
    | Total Expense & Other (Income) | 7,448 | (85) | 25 | 7,388 |
    | Pre-Tax Income | 7,274 | 166 | (35) | 7,405 |
    | Pre-Tax Income Margin | 24.7% | 0.6 Pts | -0.1 Pts | 25.1% |
    | Provision for Income Taxes*** | 1,784 | 47 | (24) | 1,808 |
    | Effective Tax Rate | 24.5% | 0.1 Pts | -0.2 Pts | 24.4% |
    | Net Income | 5,490 | 119 | (12) | 5,597 |
    | Net Income Margin | 18.6% | 0.4 Pts | -0.0 Pts | 19.0% |
    | Diluted Earnings Per Share | $4.62 | $0.10 | ($0.01) | $4.71 |

    * Includes amortization of acquired intangible assets and other acquisition-related charges.
    ** Includes retirement-related items driven by changes to plan assets and liabilities primarily related to market performance.
    *** Tax impact on operating (non-GAAP) pre-tax income is calculated under the same accounting principles applied to the GAAP pre-tax income which employs an annual effective tax rate method to the results.

    INTERNATIONAL BUSINESS MACHINES CORPORATION
    U.S. GAAP TO OPERATING RESULTS RECONCILIATION
    (Dollars in millions except per share amounts)

    TWELVE-MONTHS 2012

    | | GAAP | Acquisition-Related Adjustments* | Retirement-Related Adjustments** | Operating (Non-GAAP) |
    |---|---|---|---|---|
    | Gross Profit | $50,298 | $376 | $264 | $50,938 |
    | Gross Profit Margin | 48.1% | 0.4 Pts | 0.3 Pts | 48.7% |
    | S,G&A | 23,553 | (349) | (294) | 22,910 |
    | R,D&E | 6,302 | 0 | 20 | 6,322 |
    | Other (Income) & Expense | (843) | (13) | 0 | (857) |
    | Total Expense & Other (Income) | 28,396 | (363) | (274) | 27,760 |
    | Pre-Tax Income | 21,902 | 739 | 538 | 23,179 |
    | Pre-Tax Income Margin | 21.0% | 0.7 Pts | 0.5 Pts | 22.2% |
    | Provision for Income Taxes*** | 5,298 | 98 | 156 | 5,552 |
    | Effective Tax Rate | 24.2% | -0.4 Pts | 0.1 Pts | 24.0% |
    | Net Income | 16,604 | 641 | 381 | 17,627 |
    | Net Income Margin | 15.9% | 0.6 Pts | 0.4 Pts | 16.9% |
    | Diluted Earnings Per Share | $14.37 | $0.55 | $0.33 | $15.25 |

    TWELVE-MONTHS 2011

    | | GAAP | Acquisition-Related Adjustments* | Retirement-Related Adjustments** | Operating (Non-GAAP) |
    |---|---|---|---|---|
    | Gross Profit | $50,138 | $341 | $2 | $50,481 |
    | Gross Profit Margin | 46.9% | 0.3 Pts | 0.0 Pts | 47.2% |
    | S,G&A | 23,594 | (309) | (13) | 23,272 |
    | R,D&E | 6,258 | 0 | 88 | 6,345 |
    | Other (Income) & Expense | (20) | (25) | 0 | (45) |
    | Total Expense & Other (Income) | 29,135 | (334) | 74 | 28,875 |
    | Pre-Tax Income | 21,003 | 675 | (72) | 21,605 |
    | Pre-Tax Income Margin | 19.6% | 0.6 Pts | -0.1 Pts | 20.2% |
    | Provision for Income Taxes*** | 5,148 | 179 | (40) | 5,287 |
    | Effective Tax Rate | 24.5% | 0.1 Pts | -0.1 Pts | 24.5% |
    | Net Income | 15,855 | 495 | (32) | 16,318 |
    | Net Income Margin | 14.8% | 0.5 Pts | -0.0 Pts | 15.3% |
    | Diluted Earnings Per Share | $13.06 | $0.41 | ($0.03) | $13.44 |

    * Includes amortization of acquired intangible assets and other acquisition-related charges.
    ** Includes retirement-related items driven by changes to plan assets and liabilities primarily related to market performance.
    *** Tax impact on operating (non-GAAP) pre-tax income is calculated under the same accounting principles applied to the GAAP pre-tax income which employs an annual effective tax rate method to the results.

  • Your Computer And Mobile Device Remain At Risk In 2013

    Cybersecurity is a serious issue, and one that needs to be taken up by everybody. It’s not just a matter of some state hackers breaking into servers owned by a rival government. Cybersecurity affects you as well when a for-profit hacker goes after your credit card numbers with targeted malware. These issues didn’t subside in 2012, and they’re only going to get worse in 2013.

    Computer security company AVG released its list of the top threats facing computer and mobile device users in 2013. Not surprisingly, the list contains a number of threats that were already at large or growing to be a major threat last year.

    First up, AVG predicts that Java will continue to be the most exploited software on computers. That may just be the case as Oracle already had to deal with a major zero-day exploit last year along with other various security loopholes that hackers always seem to find before security researchers. The software’s spread across over 1 billion computers ensures it will remain a desirable target.

    Besides Java’s vulnerabilities, the biggest threat facing users is mobile malware. Android is especially susceptible to malware as many people download malicious apps from unofficial app stores that don’t properly screen their services for malware. Google Play or Amazon’s Android Appstore are the safest bets for avoiding mobile malware, but no promises can be made.

    Other threats include an increase in ransomware, cloud service breaches and other scary things that lawmakers and government agencies refer to when trying to push new cybersecurity laws that curb your privacy rights.

    AVG’s report may sound like a lot of fear mongering, but it’s seemingly appropriate in an age where people are falling for obvious malware attacks all the time. People need to be more vigilant when browsing the Internet or checking email and avoid any links that look even remotely suspicious. Another handy rule of thumb is to disable Java or any other vulnerable Web plugin before visiting a site that doesn’t look legitimate. You should also stop using dumb passwords, like “password.”

    On a final note, you should probably stop using Internet Explorer.

  • Senate Kills Cybersecurity Bill One Last Time

    Cybersecurity has become somewhat of a buzzword in Washington over the last year. Various government agencies and lawmakers from both sides have made it clear that something needs to be done about cybersecurity. Their efforts resulted in CISPA and CSA – two equally reviled bills that sacrificed privacy in favor of more government regulation of private communications.

    CISPA passed in the House, but the Senate’s rejection of CSA made it hard to move forward. The bill’s sponsor, Majority Leader Harry Reid, tried to push CSA through one more time, but the Senate rejected his motion for cloture earlier this week.

    So what does this mean? The US won’t have a cybersecurity bill before the end of the year. It was a long shot already, but this just cements it. There might be efforts to revive CISPA or CSA next year, but the public’s resistance to these bills might force lawmakers to write entirely new bills to address cybersecurity concerns.

    In the meantime, there are rumors that President Obama will be signing off on an executive order that would implement much of CSA. Bloomberg reports that the executive order would seek to protect vital computer networks from cyber attacks. It’s unknown if the executive order contains any of the privacy concerns that were found in both CSA and CISPA.

    The chances of an executive order are pretty high at this point. Cybersecurity is a major concern of the military, and Obama has already taken action in the form of a secret directive. The Washington Post reports that Obama has already signed a directive allowing the military to be more aggressive in preventing cyber attacks on government and private networks.

    The directive doesn’t have quite the power of an executive order, but it should be a sign of things to come. The White House has already been targeted by hackers earlier this year, and Obama obviously wants to avoid any more scenarios like that. Giving the military more freedom in directing its own cybersecurity campaigns is just one part of whatever form the executive order takes.

  • Cybersecurity Awareness Month Is Nearly Over, But Here Are Some Password Tips

    October is National Cyber Security Awareness Month, but it’s almost over. Here’s what the Department Of Homeland Security says about it:

    Today, we are more interconnected than ever before. Not only do we use the Internet to stay connected, informed, and involved, but we rely on it for all of our day-to-day needs. The nation’s critical infrastructure relies heavily on the Internet for everything from submitting taxes, to applying for student loans, to following traffic signals, to even powering our homes. Can you imagine our lives without the Internet?

    Yet, for all of its advantages, increased connectivity brings increased risk of crime – thus making cybersecurity one of our country’s most important national security priorities.

    Passwords continue to be a concern. This week, we looked at new data about some of the recent big password leaks, finding that the most common password on the Internet is password, followed by 123456 and 12345678. Suffice it to say, passwords aren’t being taken seriously enough.

    Software developer Siber Systems has put out a set of simple password-related tips for consumers to consider:

    1. Create passwords that are difficult for anyone to guess, including friends, family and hackers. Avoid passwords that relate on a personal level, instead use upper and lower case letters, random symbols, and do not use any word found in the dictionary. One trick is to choose the first letters of each word from a random phrase such as “I like to eat pineapple daily”, to get “iLtEPd”, with the addition of a symbol and number for added measure. Also change passwords every 30 days.

    2. Do not utilize default passwords such as “1234” that were provided automatically or by system administrators. Using such a password means someone else or a system has a record of the current password, making it unsecure. Change defaults immediately to a memorable and random password.

    3. Writing down passwords is an especially troublesome habit. Pieces of paper provide others with a simple way to capture and exploit passwords. Use a secure tool to manage various passwords, or take parts of a unique and memorable phrase to create a password.

    4. Avoid duplication at all costs. Using the same or very similar passwords (Charles10 and Charles17 for example) across multiple logins exposes individuals and entire enterprises to significant risk. Be sure to use different passwords for every login.

    5. Utilize technology tools to make password management and selection easier.

    Setting a strong password is the top recommendation from the Department of Homeland Security, when it comes to practicing cybersecurity. Other recommendations include: keeping your operating system, browser and other software optimized by installing updates, maintaining an open dialogue with family, friends and community about Internet safety, limiting the amount of personal info you post online and using privacy settings, and being cautious about what you receive or read online.

  • Cybersecurity Act Of 2012 Killed In The Senate

    The Senate had until tomorrow to vote on the Cybersecurity Act of 2012. The amendments that were being proposed suggested that we may be onto something decent here. Unfortunately, or fortunately depending on how you look at it, we’re not going to have a cybersecurity bill this year.

    The Senate voted this morning to kill the CSA. According to The Hill, the bill only needed 60 votes to move forward with the legislation. It only received 52 votes with 46 voting to kill the bill as it stands. It’s essentially the final nail in the coffin for all the cybersecurity bills that were proposed this year.

    Depending on how you stand, this is actually good news. It means that the Senate won’t be rushing a bill out the door this year just to get some kind of cybersecurity law on the book. Hopefully this will give the Senate and House time to properly prepare a better bill that takes the concerns of the privacy-minded citizens into consideration.

    Senate Minority Leader Mitch McConnell attributed the defeat of the bill to Senate Majority Leader, Harry Reid. McConnell said that he recognizes the need for better cybersecurity, but said that the CSA was not properly thought out. He accused Reid of trying to “steam roll the bill.”

    Reid blamed the failed passage on the Republicans and lack of support from the Chamber of Commerce. The Chamber of Commerce has been against the bill from the start because it didn’t provide ample protection for businesses. Sen. John McCain suggested that any future bills have more input from the business community.

    It’s clear that the bill failed because we’re in an election year. If the bill were to be proposed next year in the exact same manner, I think it would at least go up for a vote. The fact that both sides are vying for votes through political grandstanding instead of focusing on the actual bills means that not much is going to get done.

    We’ll continue to follow the trials and tribulations of bills that affect the Internet, but don’t expect much news for the rest of the year. We’ll probably see the bill brought up again in some form in January of next year.

  • Cybersecurity Act Of 2012 Might Actually End Up Being Pro-Privacy

    The latest bill to address the flaws in our nation’s cybersecurity is now in the stage where senators can introduce amendments. While CISPA didn’t get that many amendments added on to it, the Cybersecurity Act of 2012 is getting bombarded with amendments from the left and right. Funny enough, some of the amendments don’t even have anything to do with cybersecurity.

    For the moment, let’s stick with the amendments that matter most – cybersecurity related ones. Out of the 70 plus amendments that are being tossed at the bill, it would seem that most are related to cybersecurity. Sen. Ron Wyden of Oregon is leading the pack with three amendments that address major concerns that people had with CISPA. In his amendments, Wyden wants to prevent warrantless GPS tracking, limit access the government has to information stored on cloud networks, and make it so that the President must get any cybersecurity treaty approved by Congress.

    Sen. Al Franken of Minnesota introduced an amendment that would get rid of Section 701, a provision that allows ISPs to monitor consumer communications without any kind of oversight. Sen. Patrick Leahy of Vermont also introduced some great amendments. His amendments would make it a crime for companies to hide data breaches from consumers, and another creates a national standard for data-breach notification. He also wants to get rid of that silly law that prevents the sharing of video-viewing online, which has been the thorn in Netflix’ side in the U.S.

    It was mentioned at the beginning that some senators have been introducing some amendments that have nothing to do with cybersecurity. Some of these amendments include stricter gun control in the wake of the Aurora shooting or amendments that would undermine Obamacare. CSA’s sponsor, Sen. Joseph Lieberman of Connecticut, told senators to stop adding “these irrelevant amendments.”

    I think we can safely say that CSA is on its way to being a much better bill than CISPA. The privacy protections that are being introduced give people, including yours truly, hope that Washington knows what it’s finally doing. Given that Obama has already said that he vastly favors CSA to CISPA, this might be the bill that we get in the end. If it can keep all of its privacy protections and survive the House, we might just get a decent cybersecurity bill that is able to protect consumers and companies.

    [h/t: CNET]

  • The Cybersecurity Act Of 2012 Goes Up For Debate In The Senate Tomorrow

    2012 is shaping up to be the year of cyber legislation. After SOPA and PIPA were defeated early this year, all attention turned towards CISPA. Even though the Internet put forth a strong effort, the lack of support from major giants like Google or Wikipedia ensured its passing in the House. Whereas CISPA was passed without adding any amendments to protect consumer privacy, the Cybersecurity Act of 2012 will be going up for debate tomorrow over any proposed amendments.

    One of the major champions of Internet freedom, Sen. Ron Wyden, plans to introduce an amendment into the CSA tomorrow that would prevent warrantless GPS tracking. According to The Hill, Wyden feels it’s a natural fit with the CSA’s consumer protections:

    “Because the law has not kept up with the pace of innovation, it makes sense to include the GPS Act’s requirement that law enforcement obtain a warrant for GPS tracking in the Cybersecurity Act. This will protect Americans’ location information from misuse. Part of the goal of the cybersecurity legislation is to update rules for information collection and privacy for the digital age, which is what the GPS Act is all about.”

    Wyden’s amendment would be the latest privacy protection that has been introduced to the CSA. It would appear that the Senate is taking privacy concerns seriously as they debate and change the wording in their version of a cybersecurity bill. One such change is a clarification in the bill that only allows companies to share cybersecurity information with civilian agencies. CISPA puts this information in the hands of the NSA, a military agency.

    After the debate process, the CSA will be going up for a vote before the Senate leaves for its August recess. If we’re lucky, all the privacy protections will be retained. There will definitely be some skepticism in regards to the proceedings after CISPA was up for debate, but was instead pushed for an impromptu vote without allowing any amendments to be considered.

    We’ll keep you up to date on any changes that CSA may face. It’s the cybersecurity bill favored by President Obama so it may be the one that gets through.

  • Sen. Wyden Comes Out Against Cybersecurity Act of 2012

    The drama surrounding the various cybersecurity bills floating around Congress is never ending. CISPA passed the House, but what’s next? The controversial bill will head to the Senate, but they have their own cybersecurity bill to deal with – the Cybersecurity Act of 2012.

    When the White House came out against CISPA last month, they offered their support for the CSA. They said that it offered better protection of personal privacy than CISPA. That may be true, but it’s still not good enough according to Sen. Ron Wyden.

    Speaking to The Hill, Wyden says that the CSA is similar to CISPA in that it “subordinate(s) all existing privacy rules and constitutional principles to the poorly defined interest of ‘cybersecurity.’” He says that the bill should be more specific about what kind of data can be shared between corporations and government. He also argues that companies should not be able to get legal immunity so easily.

    Wyden’s remarks jibe with the argument that the ACLU made last week. Their main contention was also in regards to how the bill can essentially ignore privacy laws. The ACLU addressed another point of the bill that Wyden neglected to mention though. CSA allows the government to share the data they collect with any governmental agency including the NSA.

    Where Wyden really hits it home, however, is when he says that the debate over CISPA and CSA is just like the debate from earlier this year on SOPA and PIPA. He says that both of these debates presented a “false choice” to congressmen. They either had to choose one or the other. Those in support of the bill argue that being for privacy rights make a congressman also in support of cyberterrorism. There is no middle ground, only extremes. Unfortunately, that seems to be the only way of debate in Washington these days.

    Wyden has a tough fight ahead of him though. Even though it seems more and more likely that CISPA will die in the Senate, CSA will probably pass in some form or another. The White House seems all too willing to sign the CSA into law so that’s where we’re obviously in trouble.

    As always, if you feel particularly strongly about this issue, you can contact your senator via ACLU’s contact form. I received a pretty standard issue reply from Sen. Rand Paul when I sent one in, but maybe you’ll have better luck. At least it lets them know that their constituents, the ones that voted them in, are watching their every move.

  • White House Cybersecurity Coordinator is Retiring

    The timing of this announcement is odd, especially when you consider the ongoing struggle with CISPA, ACTA, and whatever SOPA derivatives remain, but what we have is the retirement of Howard Schmidt, previously the White House’s Cybersecurity Coordinator.

    When he accepted the position, Schmidt agreed to a two-year term, which was extended by six months, thanks in large part to the SOPA/CISPA issues that gripped the public earlier this year. In fact, Schmidt was still an active spokesperson for the White House earlier this month, reaffirming the White House’s anti-CISPA position. Schmidt cites a desire to spend more time with his family, while pursuing a career teaching about the tech industry.

    Schmidt, according to the Washington Post, will be succeeded by Michael Daniel, who also works for the White House staff as the chief of the budget office’s intelligence department.

    While Schmidt did reinforce the White House’s position on CISPA–a threat to personal privacy–he did offer support for the Joe Lieberman-sponsored Cybersecurity Act of 2012:

    White House Cybersecurity Coordinator Howard Schmidt indicated that while he would still recommend that President Obama veto CISPA, the Administration is now pushing for passage in the Senate of the Lieberman-Collins bill, mainly because of a package of regulations it contains for critical infrastructure, like the electrical grid and transportation systems, that is not in CISPA.

    On Twitter, the reaction, thankfully, hasn’t been trend-worthy, but there have been a few notable acknowledgements of Schmidt’s imminent departure:

    My best to Howard Schmidt, retiring as WH #cybersecurity coordinator. Played vital role shaping country’s cyber policies @ critical time

    Howard Schmidt’s retirement a real loss for fed govt, #cyber #security: http://t.co/znUVHvWH

    Your reaction to Schmidt’s departure will largely depend on your point of view concerning government-based cybersecurity measures. If you’re of the mind that the United States government is not capable of regulating the Internet, Schmidt’s retirement will probably go unnoticed, if not celebrated. If, however, you think the government is quite capable of making the Internet safe and sound for all users, his presence may be missed.

  • White House Openly Criticizes CISPA After Cybersecurity Briefing

    While the Internet has been increasing its opposition to CISPA over the past few weeks, the White House has been relatively quiet on the issue. The administration broke its silence last night when it announced its opposition to the controversial legislation.

    The Hill reports that the administration held a briefing with all members of the House, where CISPA is currently doing the rounds, to discuss the legislation and other cybersecurity concerns. The briefing was led by Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller, NSA Director Keith Alexander and Principal Deputy Director of National Intelligence Stephanie O’Sullivan.

    After this briefing, National Security Council spokeswoman Caitlin Hayden issued a statement to The Hill saying that “any cybersecurity legislation should include strong privacy protections and should set mandatory security standards for critical infrastructure systems.”

    The full statement provided to The Hill details the administration’s thoughts on the matter:

    “The nation’s critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone. Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs.”

    The troubling part about this is that Hayden never explicitly mentioned CISPA when providing this statement. While it’s pretty obvious she means CISPA since the statement is directed at privacy concerns, it’s still not an outright declaration of opposition.

    In other worrying news, it was also revealed that the White House is in favor of granting the government “new regulatory powers” to protect the U.S. from “devastating cyber attacks.” The Hill points out that the White House currently backs Senator Joe Lieberman’s cybersecurity bill that would put the power of enforcing cybersecurity into the hands of the Homeland Security department. Senator John McCain introduced a similar bill that would put that power into the hands of the NSA.

    CISPA is wholly unique in that it goes above and beyond the powers listed in the previous two bills by allowing corporations to share a user’s private information with the government and spy agencies without a warrant.

    While it wasn’t the outright opposition we wanted, it’s good to know that the White House is at least aware of CISPA and the concerns that groups like the EFF have brought against it. CISPA goes up for a vote next week. We’ll keep you updated if the White House voices opposition or if anything else happens.

  • The EFF’s Handy Cybersecurity FAQ Answers Many Questions

    Considering the tumultuous atmosphere surrounding the concepts of cybersecurity and Internet regulation, all in the name of CISPA, the Electronic Frontier Foundation has released a FAQ discussing the privacy threat such pieces of legislation contain. After a quick glance at the document, it’s clear that if the government gets its way and CISPA passes as is, Internet privacy will be something we look back on, wondering how it got away from us so easily.

    Aside from the intellectual property portions of CISPA, which now has an amendment attached to it, there are other privacy issues to be aware of, something the EFF’s FAQ discusses at length. It should be noted the EFF is at odds with much of what CISPA stands for, including the bill’s premise:

    The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws.

    As you can see, the EFF’s initial position has nothing to do with overreaching methods of piracy prevention. They’re just as concerned with the privacy implications CISPA poses. One area of focus has to do with privacy surrounding emails, a right CISPA threatens:

    Under CISPA, can a private company read my emails?

    Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook… Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications… CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.

    How does that strike you? Hopefully, the fact that, by invoking CISPA, your private email and your social media accounts can be monitored by non-law enforcement officials is a scary one.

    Furthermore, that alone should be enough to oppose the bill, but the EFF continues with these personal communication warnings:

    Under CISPA, can a company hand my communications over to the government without a warrant?

    Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever as long as the communications have what the companies interpret to be “cyber threat information” in them. Once the government has your communications, they can read them too.

    With that in mind, how does Facebook’s (among others) support for this bill strike you? Are you ready to boycott Zuckerberg’s omnipresent creation? Under the stipulations of CISPA, Facebook can hand over your messages and other account information without a warrant. If that doesn’t strike a little fear, or at least, give you pause about Facebook’s support of CISPA, I’m not sure anything will.

    As for the intellectual property protections CISPA provided, a recent amendment implies some progress has been made on that particular front, but it’s not completely dead, either:

    In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property…” But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.

    With intellectual property protections being potentially removed from CISPA, now the focus is on the potential invasions of privacy the bill represents. With that in mind, the EFF suggests you take the following steps, provided you’re a CISPA opponent:

    What can I do to stop this bill?

    It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.

    Does the potential removal of “intellectual property” literature change your position on the bill or is the threat to privacy CISPA potentially represents enough for you to maintain your opposition?

  • Senator John McCain Proposes Cybersecurity Bill

    Cybersecurity is one of those funny things that is talked about, but nothing is really ever done about it. We can implement, and have implemented, new safeguards on our infrastructure. It doesn’t change the fact that there isn’t a national standard under which all infrastructure owners must operate.

    The good news is that there was a cybersecurity bill making its way through Congress that was supported by both parties and it would have addressed that very issue. As Wired reports, however, the key word there is “was.” Senator John McCain came in with seven other Senators to slam the current bill and propose a new one.

    At a hearing for the proposed bill, the Cybersecurity Act of 2012, McCain made clear his objections to the bill, including but not limited to, the power it gave to the Department of Homeland Security and not enough power being given to the National Security Agency:

    General Keith Alexander, the Commander of U.S. Cybercommand and the Director of the NSA stated that if a significant cyber attack against this country were to take place there may not be much that he and his teams at either Cybercommand or NSA can legally do to stop it in advance. According to General Alexander, ‘in order to stop a cyber attack you have to see it in real time, and you have to have those authorities. Those are the conditions we’ve put on the table … Now how and what the Congress chooses, that’ll be a policy decision.’ This legislation does nothing to address this significant concern and I question why we have yet to have a serious discussion about who is best suited to protect our Country from this threat we all agree is very real and growing.

    Additionally, if the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses – which own roughly 90 percent of critical cyber infrastructure. The regulations that would be created under this new authority would stymie job-creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates. A super-regulator, like DHS under this bill, would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions.

    McCain ended his comments by saying that he was going to introduce the new bill after the President’s Day recess.

    The current bill that McCain wants to shoot down would make the government pick out which sectors of the nation’s infrastructure pose the most immediate risk and then give the DHS the authority to combat those problems.

    The real kicker in the bill, however, is that it would require companies that own “critical infrastructure” to meet security standards created by the National Institute of Standards and Technology as well as the NSA. If they did not meet these standards, they would be slapped with civil penalties.

    Those affected by these new standards would be allowed to come up with their own ways to meet the standards, but would be required to annually review their practices to confirm that they are meeting standards.

    One part of the bill that is suspect is that it would allow these companies to self-certify themselves over the proposed standards. While they can hire a third party to perform the audit, self-certification would probably be the preferred method as it’s easier and cheaper. It’s also ripe for incompetence since auditing yourself doesn’t get the best results.

    We’ll have to wait for McCain’s bill to emerge before we can compare the two to see where each of their strengths lie. Once it does emerge though, you can bet that we’ll be on it to let you know what’s in it.

    If Congressional hearings are your thing, you can watch the full three-hour-long committee meeting at the Senate’s Web site.

    If you prefer reading, the bill in its entirety can also be downloaded from the Senate’s Web site.

    As it stands now, however, would you be more comfortable with the NSA or DHS monitoring our nation’s cybersecurity? Let us know in the comments.

  • House Passes Cybersecurity Bill

    The U.S. House of Representatives today passed the Cybersecurity Enhancement Act by a vote of 422 to 5.

    The bill is aimed at improving cybersecurity within the federal government as well as the public and private sectors by helping to develop a skilled cybersecurity workforce along with coordinating and prioritizing federal research and development.

    The bill also seeks to improve the transfer of cyber security technologies to the marketplace and promote cybersecurity education for the public.

    "The Internet does not stop at our borders; the consequences of poor cybersecurity measures can greatly impact our national security and economy," said bill cosponsor and Science and Technology Committee Chairman Bart Gordon (D-TN).

    "Improving cybersecurity will require a collaborative effort both domestically and internationally. H.R. 4061 accomplishes this by coordinating U.S. representation in the development of international cybersecurity technical standards and best practices and by creating a strategic vision for federal cybersecurity R&D."

    The bill reauthorizes a number of National Science Foundation cyber security programs, providing $396 million in research grants over the next four years and offering $94 million in cyber security scholarships.

    The bill would also require the Administration to conduct an assessment of cybersecurity workforce needs across federal agencies. In addition the bill requires the Administration’s Office of Science and Technology Policy Director to put together a university task force to find new models for putting in place collaborative R&D.

    "H.R. 4061 is a good bipartisan bill that strengthens public-private partnerships, ensures an overall vision for the federal cybersecurity R&D portfolio, trains the next generation of cybersecurity professionals, and improves cybersecurity technical standards," added Gordon.
