

Archive for the ‘Cyber Security’ Category

Should We Seek Cyber Attribution?

Monday, July 26th, 2010

Several news items of late have addressed the thorny issue of cyber attribution; that is, the ability to identify the sources of Web and network attacks. For cyber companies and some government agencies, attribution is the Holy Grail.  Without attribution, there can be no real retribution for cyber attacks. If you don’t know (with certainty) who did it, you cannot respond. If you cannot respond, even if you have the means to do so, you become an impotent giant and therefore have no deterrence.

The counter argument, made last week by several experts before Congress, is that if we develop a means of attribution (technology that attributes cyber attacks to the criminals who conducted them), bad governments will soon get it too. They will surely use it against dissident elements inside their own countries to suppress free speech and abridge other civil rights of all sorts. Some folks in the United States worry that our own government will use technology of this sort for similarly nefarious purposes.

So, should we consciously forgo the possibility of deterring bad guys from cyber crime, cyber terror and cyber war because the technology could be used badly? I think the answer is clearly “no.”

Even if the United States and our democratic allies chose not to pursue the sort of technology needed to attribute cyber attacks, repressive countries will still eventually develop their own and use it against their people. We should be as vigorous as possible in discouraging the repression of civil rights, but we cannot give up the possibility of adding to our own protection.

This is one of those situations where national interests trump our idealist desires. If we could keep the attribution technology away forever, you might have an argument, but that is a pipe dream. We should develop it as soon as possible, keep it as closely held as we can for as long as we can, and then use diplomacy to mitigate its improper use.  In some cases, that is the best we can do.

Did Richard Clarke’s Cyber Book Miss It?

Wednesday, July 21st, 2010

You always feel a little shaky when you are planning on asserting that someone else is wrong. You feel more so when it is someone who is known as darn near a prophet in the particular field. However, no one has ever said that I was unwilling to express my opinions, so here goes.

Richard Clarke, former adviser to multiple presidents, the Cassandra who warned of a coming attack before 9/11, now has a hit book out on the threat of a coming cyber war, why we are unprepared for it and what we must do. The book, “Cyber War: The Next Threat to National Security and What to do About It” (written with Robert Knake), is now being widely read. One recent attendee at a major one-day cyber security symposium in Washington opined that it seemed every one of the speakers had referred to the book. I was there too, and this is a bit of hyperbole, but several did mention it. While not everyone agrees with Clarke, his opinions in the areas of infrastructure and cyber security cannot be easily discounted.

I will not attempt to do a complete review of the book, because several others have already done so and because so many people have already read it. I do want to point out, however, two areas where I think Clarke missed the mark in his thinking. I am also adding to the mix remarks and Q&A Clarke did at the very fine Aspen Security Forum at the end of June, which I had the pleasure of attending.

Truth in writing: these are two areas which might be considered my pet rocks. I have written and spoken on both, and while it is daunting to disagree with a “big guy,” in this case, I cannot be intellectually honest if I just let it go.

The first area is the usefulness of widespread cyber education and awareness for the American people. Clarke basically discounts this as a waste of time. He says the benefit of such an effort is about nil. You cannot properly train every grandmother and retired auto worker to be a computer scientist. Clearly he is right, but just as clearly (to me anyway), that is not the point.

Right now, experts say that nearly 80 percent of cyber incidents could be stopped if people would merely have good cyber personal hygiene. In other words, if they would understand where not to go, what in general not to open, why they should have protective software, and why it must be updated regularly, many would do it. Also, many of those same “everyman” folks could apply the same hygiene principles they would use at home in their jobs, thus giving us improvements on two fronts.

Look, we are obviously never going to stop the big sophisticated penetrations simply by intellectually arming the masses. The high-end 20 percent require a completely different approach. Nor are we going to get everyone who uses a computer to do all the “right things” any more than we can get every driver to stop speeding or rolling through stop signs. People are people, and many will do unhelpful things, even if they are told how to avoid them. However, to give up on this front and dismiss all education and awareness efforts as of no use is intellectual conceit. We can better “arm” our population, and most of them will respond. Let’s close the doors we can and at least shrink the opportunities the bad guys have to attack. This is NOT a battle that will only be fought by our high-end “mounted cyber knights.” We have to engage all our citizen yeomen as well.

The second area Clarke dismisses is the possibility of a significant terrorist cyber event. He, like many other experts, seems to think that it is simply impossible for a terrorist organization to have the wherewithal to pull off a “real” cyber event. Well, if you define it as only so large as to be an all-out cyber war, his position has validity. If you think, as I have written and spoken about, that a terrorist attack could focus on a specific geographic and single-sector target, it is indeed quite feasible.

Terrorists no longer have to develop their own cyber army; they can rent one from the multiple criminal networks that exist and who regularly sell their services. By keeping their target restricted enough (one small city, the electrical grid in one part of the country, one specific bank, etc.), terrorists could pull it off. Terrorists do not have to bring down our entire system but only do enough to provoke fear and reaction. They could also use cyber as a significant enhancer for a more traditional attack. Police in many cities worry that someone will hack their dispatch systems and route responders to an ambush or route them away from real events, a tactic that might ensure more people die from an attack and one that will truly shake public confidence.

Clarke is “right” when he says public education will not solve the cyber problem and when he says that no terrorist group is capable of conducting cyber war on America. He is wrong to dismiss the value of that education and awareness in mitigating everyday dangers and difficulties, and he is wrong to give the impression that a terrorist cyber event would be of no consequence.

We cannot throw these babies out with the bathwater. Read Clarke’s book, particularly if you need to get a better understanding of the cyber threats we face. It is well written and a fairly easy read for a tough subject. But please do not think that because Clarke gives the two areas of education and terror short shrift that they are not significant. That would be a costly mistake.

Reflections from the White House Cyber Anniversary

Thursday, July 15th, 2010

On short notice, the White House gathered a distinguished group of industry, academic and government types for a one-year anniversary of the President’s speech on cyber, hosted by Howard Schmidt. The President spoke for 10 minutes as well. No press attended, but an attendee gave me this summary of the event. A lot of what was said was known to all, but it was interesting to hear how they are bringing it together — especially the emphasis on industry partnerships, which every speaker (including the President) emphasized.

The main attendees, besides the POTUS, were: Howard Schmidt; DHS Sec. Napolitano; DoC Sec. Locke; Dep SecDef Lynn; and FCC Chair Julius Genachowski. A good number of the attendees were staff from Schmidt’s office, as well as from DHS, OMB, OSTP and DOD. If there were Hill staffers there, they were not in evidence.

Howard Schmidt opened up by talking about four thematic areas his office is pursuing:
1) Raise price of success for adversaries (legal penalties, increasing cost to attack by harder targets)
2) Resilience/recovery after an incident
3) Protecting privacy and civil liberties, and
4) Industry partnerships (on info sharing, introducing new technology, technological vulnerability reduction, and specifically, on the National Incident Response Plan, the National Cybersecurity and Communications Integration Center, and the National Strategy for Trusted Identities in Cyberspace).

Schmidt later talked about the need to move from strategy to action, including through cooperation with Cyber Command and moving FISMA from reports to continuous monitoring and practical metrics. He asked for involvement in Cyber Awareness month this October.

Sec. Locke then spoke about the issue’s importance across DOC, especially at NIST and NTIA. His main points included:

  • Cyber is about confidence (consumers, businesses, military/trade secrets)
  • NTIA recently led activity to deploy DNSSEC at the root of the domain name system, working with ICANN and VeriSign
  • NIST is working with NSA to reconcile civilian and national security cyber standards
  • DoC wants to lead in working with industry to identify best practices
  • They are working with wireless groups on mobile computing security
  • NIST is leading the new version of the CNCI education initiative, the National Initiative on Cybersecurity Education or “NICE” (this also involves DHS, ED, DOL and OPM)
  • DoC is convening an Internet policy task force, addressing, among other things, privacy, copyright and e-commerce
  • Regarding cybersecurity, there will be a 7/27 symposium and a request for comments on cyber policy
  • Locke sees the private sector as a creator/innovator; the relationship should not be adversarial

The President then arrived, previously unannounced. He was accompanied by Dep National Security Advisor John Brennan. He spoke generally without notes, talked knowledgeably about his emphasis on cybersecurity working through Howard’s leadership. He cited the economic and social benefits of the internet and the need to protect that resource, in consultation with industry. He then discussed progress on a number of specific initiatives, including:

  • NSTIC
  • plan/capacity for unified incident response
  • stronger partnerships
  • R&D (broadband, health IT)
  • cyber education

DHS Dep Under Sec Phil Reitinger then led a panel that included Ed Amoroso from AT&T, Curtis Brunson from L-3, Edmund Schweitzer (electric industry), the CIO from St. Jude on bioinformatics, Ari Schwartz from CDT, and Chris Painter, who is Schmidt’s Deputy.

The panel did not say much that was new, though Painter asked for industry input on how to harden targets, and made the point that we need to move the security action away from end users, as relying on them will never be as effective as handling security earlier in the chain (e.g., among Tier 1 providers).

DHS Sec Napolitano closed by noting that cyber was one of DHS’ five key priorities, including protecting civilian networks and working to protect critical infrastructures. She noted that Einstein would be deployed in all agencies by year-end, but did not discuss Einstein 3. She then announced eight winners of the “Cyber Challenge” on how to raise awareness. Most were small entities or individuals, but Cisco and Deloitte were among the winners as well. There was some Q&A, during which Vint Cerf humorously apologized for not making the Internet more secure at the beginning.

I love celebrations, but we really need to move forward more aggressively. Thanks to my colleague who attended the event for the summary.

U.S. nuclear safety agency unveils new data, physical security controls

Monday, July 12th, 2010

U.S. nuclear safety agency unveils new data, physical security controls – Homeland Security Newswire

The agency that oversees the U.S.’s nuclear weapons stockpile announced last week the rollout of new information and physical security controls aimed at balancing efficiency and safety. Officials said, though, that the implementation of cybersecurity improvements is about a year behind the progress the agency has made on physical protection.

The National Nuclear Security Administration (NNSA) adopted on 2 July new policies on information and physical security that replace existing rules. The changes were prompted by a yearlong review of the agency’s security posture.

Completion of the overhaul is not expected for several years. During the past decade, NNSA has suffered a series of high-profile data breaches.

Is the NSA’s “Perfect Citizen” Really Big Brother?

Monday, July 12th, 2010

OK, let me get this straight: a private sector company INVITES the National Security Agency (NSA) to place sensors on its privately owned network to help the company protect itself from unauthorized and unwanted cyber intrusions. Perfect Citizen, as it is called, is a program to detect cyber assaults on critical infrastructure, be it publicly or privately held. The NSA will deploy sensors in critical infrastructure computer networks to detect a cyber attack.

With the U.S.’s eavesdropping agency working in private sector networks, some have worried that Perfect Citizen (a hideous name by the way) constitutes too much government monitoring in the private sector, conjuring comparisons to George Orwell’s 1984.

But how in the world does Perfect Citizen constitute “Big Brother”?!?

It still amazes me that the only entity that some American citizens seem to be afraid of in the cyber realm is their own government. Yet the same people demand that the government protect them from cyber attacks.

Come on folks, you are asking the impossible. When anyone says “security,” these individuals (and organizations) scream “Privacy!” What they really mean is privacy from the government. They do not seem to give a hoot about marketers, criminals or intelligence organizations from other countries reading anything and everything they have in digital format.

However, I do get the feeling that if these individuals’ identities were stolen, a bank account emptied, or their computer used in a botnet to support a crime or terrorist incident, they would scream just as loudly that “the government should have done something!”

I am sorry that the NSA’s activities scare people. Much of the agency’s “scary” reputation is due to overblown Hollywood depictions of the organization (thank you “Enemy of the State” and other like films). I have worked with the NSA as an Intel Collector and while in the Pentagon’s Front Office. There are few organizations in the Federal Structure as obsessive about following the rules as the people at the Fort. These people are true patriots who do what they do to protect the Constitution and the American people, not to threaten them. The NSA is an American treasure, and we should be giving them raises, not attacking their integrity.

Perfect Citizen is NOT Big Brother. It is a program that is run only at the request of the people who own the infrastructure on which it resides. I predict that as this program goes forward, more firms will opt to join in. In fact, I also predict that once it starts to work for the Defense Industrial Base companies (which already have the best public/private info sharing arrangements in industry), others will clamor to join. Cyber industrial espionage is killing American businesses and will continue to do so until we can put effective monitoring capabilities in place. Perfect Citizen is a good first step.

The Value of Aspen

Friday, July 9th, 2010

As we continue to swelter in the ongoing summer heat wave, it is easy for me to reminisce about my recent visit to Aspen, Colo. Tucked amongst the Rockies with its clean air, verdant green and majestic views, a town known primarily for its skiing with the rich and famous was home to what was, simply put, the best conference program I have ever attended.

The first annual Aspen Security Forum put forward a program that I can only describe as pleasant, informational waterboarding. By the time each of the presenters and panelists was done, my hand was dead from writing so much and my head hurt from being given the firehose treatment of a candor and content overload.

With a venerable “who’s who” of notable names in the national security arena attending the two-and-a-half-day program, attendees had the opportunity to hear first-hand from the men and women who have served or continue to serve in some of the most demanding positions in the world. It was very hard to turn around and not see a face you recognized from some recent event or news program, sharing insights on our country’s national and homeland security challenges.

While the presented content was outstanding, the best part about the entire program was that the overwhelming majority of notable speakers and presenters made themselves available to engage with the attendees. All too often, speakers rush in, deliver their canned pitch, say thanks to the crowd and are whisked away by their aides to get back to the office, leaving actual human contact an afterthought. To have the many distinguished speakers stick around and engage in that lost art-form of “CONVERSATION” was an absolute pleasure.

Hosted by Clark Ervin and the Aspen Institute, this was the first time they had put on a program with this particular focus. You can call it beginner’s luck if you want, but they put together a top-notch effort that became a “must attend” for anyone who is interested in national and homeland security issues. Fortunately, for those who weren’t able to attend the program, it was taped for later broadcast by C-SPAN, hopefully sometime this summer. I have to tell you, there is a significant portion of C-SPAN’s programming that can cure insomnia, but when they broadcast the presenters and panels from the Aspen Security Forum, it will be, as NBC used to call it, “Must See TV!”

To understand why I write that, here’s a rundown of some sessions (with video hyperlinks):

Adm. Mike Mullen, Chairman of the Joint Chiefs of Staff

When your opening speaker travels all the way from Kabul to Tel Aviv to Aspen to take part in the program, it’s a pretty good indicator that the organizers are up to something big. That was especially true with Adm. Mullen. Coming off a week in which Gen. McChrystal was taken out by a large Rolling Stone and replaced by Gen. Petraeus, and then traveling to Afghanistan and Israel to assuage any fears and concerns they may have had about the big changes, Mullen made news by essentially not making news. While his comments about the state of the nation’s counterinsurgency policy dovetailed with those of the White House, the plainspoken manner in which they were delivered conveyed the gravity of the situation our military forces face in Afghanistan. His comments about Iran’s nuclear ambitions (“They’ve given us no reason to trust them”) also spoke volumes about what few measures the Administration has left at its disposal in dealing with them.

Aviation Security Panel

There is probably no other facet of the post-9/11 world that Americans gripe about more than dealing with aviation security, but as the CEO of the Air Transport Association (ATA), Jim May, said, “What’s your alternative?” Joined by Erroll Southers of USC’s CREATE Program (and the first Obama Administration nominee to lead TSA) and Christopher Bidwell of Airports Council International, this panel laid on the table the very real threats and frustrations that accompany this portion of the security environment. One of the most interesting things discussed was the use of full-body imaging devices by airports to screen passengers. While recognizing the civil rights and privacy concerns that people have about them, Jim May of ATA shared that he thought they should be mandatory. When it came to addressing the Government Accountability Office’s recently issued criticisms of TSA’s Behavioral Detection efforts, May and the other panelists pointed out that this program was one of many layers of security, and that there was no one-size-fits-all solution or silver bullet that would reduce the aviation risks faced today.

Fran Townsend, former Homeland Security Advisor to President Bush

There are many things that have been written and said about Fran Townsend, the former Homeland Security Advisor to President Bush (43), but the word “shy” is not one that would be used to describe her. The only thing that could possibly surpass the candor of her public comments when she was working as a government employee was her candor in being a former government employee. With no holds barred, Townsend explained that, “We have a reason to expect we can connect the dots this time” given all of the post 9/11 work that has been done.

In a more than hour-long conversation with Walter Isaacson, the CEO of the Aspen Institute, and the Security Forum audience, Townsend pounded on the fact that much still needs to be done to improve information sharing amongst intelligence and law enforcement agencies across the board. She declared that there still needed to be a senior-level official or “Cabinet Agency,” but “not a czar,” to “pound these government agencies into submission to do information sharing.” Her proposal for an NGO, public-private partnership, rather than a solely government-led approach, to address the growing cyber security risks was also interesting.

Bill Bratton, former Chief, Los Angeles Police Department

Dubbed by many media outlets as “America’s Top Cop” for having led the police departments of Boston, New York City and Los Angeles, Bill Bratton, I think, surprised everyone at the program when he explained how the terror attacks in Mumbai, India, caused him to change the entire structure of the LAPD. His interview with CNN’s Jeanne Meserve detailed how, 60 days after those attacks, he was able to transform his police department with new training, exercises and more. The relatively simply trained Mumbai terrorists were not interested in holding hostages; in fact, they were using so-called negotiations to buy time to kill more people. This showed Bratton that he had to change how his department was positioned to respond to a similar event, should it occur in Los Angeles.

Michael Leiter, Director of the National Counter Terrorism Center

For a man that much of Washington thought would have his head handed to him following the failed information sharing efforts surrounding the failed Christmas Day attack, Michael Leiter, the Director of the National Counterterrorism Center (NCTC), displayed all of the skill and confidence that make him one of a few Bush Administration appointees to successfully transition into the Obama Administration. His description of his job, his work with the President to report on the range of threats to the country and how he thinks information sharing needs to work made this particular presentation one of the most revealing and compelling of the entire program. The interview, conducted by Michael Isikoff, a former Newsweek reporter and now Chief Investigative Correspondent for NBC News, produced some great back and forth between the two men that was as revealing as it was humorous. This session explained more about Leiter’s job and the mission of the NCTC than any government report or Congressional hearing to date.

Border Security Panel

Despite the countless GAO and IG reports and the many hearings before the U.S. House and Senate, there was no better overview of America’s border security than a panel made up of:

  • Bob Mocny, Director of DHS’ US VISIT Program;
  • Mark Borkowski, Director of CBP’s Secure Border Initiative (SBI); and
  • Steve Oswald, Vice President of Boeing.

These three gentlemen described what worked, what didn’t, what could be better and what the future may look like for programs that have regularly been making news for years. In presenting the details of these newsworthy programs, they did so with none of the drama or hysterics that are so often associated with the Congressional hearings that have exhaustively covered them. What each of them said frankly offered more substantive insight than any of the previous Congressional hearings have produced to date. That was an observation made not just by the conference attendees but also by the first-tier media, congressional staff and others who have observed each of these programs closely. Truth be told, if you want to know what is really happening with US-VISIT and the Secure Border Initiative (minus the belligerent questions and political posturing), spending 90 minutes watching this panel when it is aired on C-SPAN will be time well spent.

Attending News Media

As I mentioned, the conference was a “who’s who” of notable current and former national and homeland security leaders, and the same could be said for the attending members of the media. With CNN’s Jeanne Meserve, Fox News’ Catherine Herridge, the Washington Post’s Spencer Hsu, Newsweek’s/NBC News’ Michael Isikoff, and more, it seemed as if there was a representative from every major print and broadcast news outlet in attendance. While many of them were there to serve as session/panel moderators for the various parts of the program, the entire forum was a reservoir of information for them on today’s security concerns and a background on the actions of the past. It was also a treasure trove for journalists developing future sources for national and homeland security news stories.

Michael Chertoff, former Secretary of Homeland Security

After consecutive 12-hour days of (pleasantly) waterboarding attendees with tons of substantive content, it’s hard to figure out how to end a program such as the one in Aspen, but they picked a great closer in former DHS Secretary Chertoff. Whether it was the fact that he’s been out of office for almost a year and a half and doesn’t have to worry about a 2 AM phone call from the National Operations Center about someone doing something vile to the homeland, Chertoff’s candor and demeanor crystallized for everyone the seriousness of the threats we face while also assuring us that we should continue to go about our regular lives. As one of the very few “senior statesmen” on homeland issues that we have in this country, his conversation with Fox News’ Catherine Herridge conveyed the balance that we need to have when planning for and operating against the range of risks we face.

A wondering disappointment

I can say without doubt that I loved every moment at the Aspen Institute, but I can’t sign off without discussing the one disappointment that I and many others had in the presentation by DHS Deputy Secretary Jane Holl Lute. Whether it was her discomfort with the conversational interview format led by CNN’s Jeanne Meserve, her fear, in the week after the McChrystal debacle, of saying anything that would cause problems for herself or the Administration, or the fact that maybe she was just having a bad day, her presentation left the overwhelming majority of attendees scratching their heads in wonder as to the real story at the Department.

All of the questions that were asked by Meserve were fair and nothing was out of the ordinary, but Lute’s responses were defensive, sometimes evasive and could have been dramatically better. Time and time again in her hour-long session there were questions to which she could have responded with hard and fast examples of the Department’s accomplishments. Instead, she offered simplistic, almost apple-pie-like anecdotal responses that left the audience wondering why she wouldn’t answer the most basic of questions.

When she stated, “the [U.S.] border has never been more secure,” and offered no facts to prove that statement, portions of the audience looked around at one another in shock while others openly chortled at the declaration.

When it came time for Q&A with the audience, the tenor of her responses seemed to be even more defensive. When Michael Isikoff asked her about her statement on the border’s security and her metrics to prove that it had never been more secure, Lute seemed to bristle at the question. She firmly retorted, “The Secretary has been very clear on what those metrics are,” and effectively cut him off.

Lute’s response referred to the speech Secretary Napolitano delivered at CSIS the week before, when she declared, “the U.S. border has never been more secure…but there is more work to be done” and that “no one is satisfied with the status quo.”

In that speech, Secretary Napolitano detailed a series of metrics to back up her statement, but none of those were shared by Lute with Isikoff or the observing audience. In speaking with Isikoff and some of the other attendees after her remarks, none of them were aware of the CSIS speech and the metrics behind the powerful declaration. To the credit of the Department, Bob Mocny and Mark Borkowski did an exceptional job during their joint appearance on the Border Security panel explaining why DHS leadership is stating things have improved on the border.

It is certainly a debatable point to make a declaration like the Secretary and the Deputy Secretary have made in recent forums about border security. When you back it up with information and facts, it provides some measure of credibility and fosters informed debate. When you state it and don’t want to defend it with facts, it leaves people wondering why you would state something like that and not be able to prove it. After her appearance in Aspen, a lot of people were left wondering about the Deputy Secretary, and after viewing her session either on-line or on C-Span, I expect there will be a lot more.

Final thoughts

All of our time is valuable, and God knows we don’t have enough of it, but if you can set your DVR to record the Aspen Security Forum or go to the Aspen Institute webpage and download panels for your iPod/MP3 player, DO IT. Think of each of the sessions as a graduate-level course taught by esteemed faculty who have the real-life scar tissue and experience to tell you what happened and what we can all do better. If you do, I’m confident you will walk away from each session with a lot more knowledge and a bit of a mild headache too. That’s what pleasant informational waterboarding will do to you, but I have to say, it is much more enjoyable amongst the mountains and beautiful vistas of Aspen.

Spying at the Biggest Arms Show in the World

Wednesday, July 7th, 2010

At the recent Eurosatory arms show outside Paris, everyone seemed to be in dark suits and sunglasses. The show attracts all the major and most minor arms manufacturers in the world, and it brings in over 50,000 attendees. If you want a weapon or defense system, the latest hardware, or the means to stop it, this is your place.

Spying at such events has always happened. For the most part, it consists of taking pictures, some openly, asking “innocent” questions, or looking over the shoulder of a competitor as he makes a pitch. The risks at the arms show also range from petty theft to covert photography and electronic eavesdropping. Behind those suits and dark glasses there is an atmosphere of mutual distrust.

“Everyone is told to keep their eyes and ears open, watch that equipment doesn’t disappear. If people take photographs, we need to know who they are,” said a French Defense executive.

Today, however, the threat has expanded. Cyber spying is alive and well at this very lucrative target environment.

“It is very easy to go crawling over everybody’s systems here. Some people come and their approach is to grab everything they can,” said a senior Western Defense company official.

Given that many of the exhibitors now do much of their advertising digitally, they are vulnerable to either losing the content or having it corrupted by competitors. Events like this can be gold mines for cyber access that otherwise might require more sophisticated hacking skills. Throw in wireless networks, and there is a huge “harvest” all around.

Interestingly, defense companies are investing heavily in systems to fight the growing threat of cyber attacks on corporations, utilities, financial services companies and government computers. It should be a cautionary tale that many of those marketing their skills, methodologies and products for cyber security are often hit very hard at events like the Paris show. It is always a wise thing for a potential client to investigate how a company peddling security protects itself and its crown jewels.

Again, spying at arms shows is not really news, but much like espionage in general, cyber techniques have proven to be a boon to the hunters and a headache to those playing defense. It takes wisdom, good practices and constant vigilance to protect IP and other valuable data.

Cyber Criminals May be Talented but they are not Superhuman

Tuesday, June 29th, 2010

Even the bad guys have vulnerabilities. It is perhaps poetic that many of the “successful” cyber criminals can be and are being hacked in the same ways they attack their legitimate targets. We tend to attribute near god-like cyber powers to these miscreants, when in reality, they write into their software the same kind of weaknesses that they are so good at exploiting.

At the SyScan 2010 Security Conference in Singapore, Laurent Oudot of Tehtri Security made exactly this point. His brief demonstrated the numerous exploitable flaws in the hacker kits available on the Web. He showed 13 unpatched vulnerabilities in some of the most widely purchased and used kits.

Additionally, Billy Rios of Google gave a similar presentation at the New York State Cyber Conference. Rios, a former U.S. Marine Corps officer and security expert, walked the audience through breaking the security of a botnet software kit that would allow the user to either create bots or go after them. The bad guys need to read their own products.

On the other side, one wonders why law enforcement is not doing more “reverse hacking.” Hackers turned white hats should be recruited to attack botnet controllers and malware distribution systems through their own vulnerabilities. In the same way cops “sting” drug dealers, unscrupulous government officials, and other criminals, they should be attacking cyber criminals.

As long as we let cyber crime grow and prosper, the criminals will become increasingly bold. My concern is the increasing likelihood that the most capable cyber criminal networks will connect with terrorist organizations. The lure of hard cash will not be turned down by the Cyber Organized Crime Underworld when offered, regardless of the source. They have large chinks in their armor, and they should be exploited now. If we continue to give the criminals a pass, and do not begin to retaliate, they will become a national security threat. Then it might be too late.

Cyber Crime Continues to Grow Out of Control

Thursday, June 24th, 2010

A recent presentation by Special Agent Johnny Starrunner of the FBI at the NYS Cyber Conference in Albany was enlightening and frightening. To be honest, I have heard most of it before, but getting it all at once, from a front line guy fighting this war, drove it home. If we do not get hold of this threat, we are in deep trouble.

Cyber Crime comes in lots of flavors. It is diverse, sophisticated and expanding every day. It includes Internet fraud, online banking fraud, a highly developed cyber underground, a growing number of targeted areas, and the “advanced persistent threat,” a term that until recently was classified.

It is almost impossible to accurately determine the “cost” of cyber crime. It is not just the dollars that must now be listed as losses but goes much wider. Reputations tarnished or destroyed are difficult to price. Additionally, many times we are dealing with unreported or underreported events. To give you at least an order of magnitude idea, the very conservative cost we know for the staggering 336,000 reported complaints in 2009 was $559.7 million – nearly double the numbers recorded in 2008. This does not include the loss of “pure” intellectual property, which is difficult to value accurately. Add that in and the numbers skyrocket.

Internet fraud (IF) is the best known form of cyber crime; it includes scams of all sorts. These have been tied to recent disasters (Haiti, tornados, the Gulf spill), electronic income taxes (give us your info, we’ll file for you), stimulus check collection and online auctions – nearly anything that might convince the unwary to reveal personal information to the scammers. Many of these are crude but many are highly sophisticated and polished. Cyber criminals sometimes blast it out to anyone and everyone, but often, they are highly targeted and specific. The profit is potentially so big that the bad guys are highly motivated.

Online Banking Fraud (OBF) is more specific and aimed at bigger fish. These may start with attempts to steal individual information, but they are really desirous of stealing credentials, the higher the better, through malware or scams. They then use them for transactions all under $10,000 to keep it under the radar. They sometimes make false cards or simply do electronic transactions directly with the data. They can raise credit limits (it seems to be easier for them to do than for legitimate customers!), and then begin to transfer funds to “money mules.” These are individuals who work from home in online jobs. These folks then send the money on to overseas recipients. The main methods used to place malware for this sort of crime are the ZeuS Trojan, Clampi, and Bugat Trojan, according to Starrunner.
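The “all under $10,000” pattern described above is a classic structuring signal, and it is something a bank’s fraud team can look for directly. The following is an added example (not code from the original post): it scans constructed sample transfers, sums the sub-threshold outgoing transfers from each account over a rolling window, and flags accounts whose small transfers add up past the threshold and fan out to many distinct payees, which is what a mule network looks like from the sending side. The threshold comes from the post; the 48-hour window and the minimum transfer count are assumptions chosen for the example.

```python
"""Structuring detector for the online banking fraud pattern in the post.

Added example, not the post's own code. The post says criminals move money
in transactions kept under $10,000 and fan it out to "money mules". This
flags accounts whose sub-threshold outgoing transfers within a rolling
window add up past the threshold. All transactions are constructed sample
data; the window and minimum count are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.00          # reporting threshold the post mentions
WINDOW = timedelta(hours=48)   # assumed review window (not from the post)
MIN_TRANSFERS = 3              # assumed minimum count before flagging

# Constructed sample transactions: (ISO timestamp, source account, payee, amount)
SAMPLE_TRANSACTIONS = [
    ("2010-06-21T09:05:00", "ACC-1001", "PAYEE-A", 9_800.00),
    ("2010-06-21T09:40:00", "ACC-1001", "PAYEE-B", 9_650.00),
    ("2010-06-21T10:15:00", "ACC-1001", "PAYEE-C", 9_900.00),
    ("2010-06-22T08:00:00", "ACC-1001", "PAYEE-D", 9_700.00),
    ("2010-06-21T12:00:00", "ACC-2002", "PAYEE-E", 12_500.00),  # over threshold: reported normally
    ("2010-06-21T13:00:00", "ACC-3003", "PAYEE-F", 250.00),
    ("2010-06-23T13:00:00", "ACC-3003", "PAYEE-F", 300.00),
]


def parse(rows):
    """Turn the raw tuples into (datetime, source, payee, amount)."""
    return [(datetime.fromisoformat(ts), src, dst, amt) for ts, src, dst, amt in rows]


def detect_structuring(rows, threshold=THRESHOLD, window=WINDOW, min_transfers=MIN_TRANSFERS):
    """Return {account: {"total", "count", "payees"}} for accounts that look structured.

    Only transfers below the threshold count: a single transfer at or above it
    is already reported through the normal channel and is not "under the radar".
    """
    by_account = defaultdict(list)
    for ts, src, dst, amt in parse(rows):
        if amt < threshold:
            by_account[src].append((ts, dst, amt))

    flagged = {}
    for acct, txns in by_account.items():
        txns.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(txns)):
            # shrink the window from the left until it spans at most `window`
            while txns[end][0] - txns[start][0] > window:
                start += 1
            span = txns[start:end + 1]
            total = sum(a for _, _, a in span)
            if len(span) >= min_transfers and total >= threshold:
                payees = {d for _, d, _ in span}
                best = flagged.get(acct)
                if best is None or total > best["total"]:
                    flagged[acct] = {
                        "total": round(total, 2),
                        "count": len(span),
                        "payees": len(payees),  # distinct recipients: mule fan-out
                    }
    return flagged


if __name__ == "__main__":
    for acct, info in detect_structuring(SAMPLE_TRANSACTIONS).items():
        print(f"{acct}: {info['count']} transfers totalling ${info['total']:,.2f} "
              f"to {info['payees']} payees")
```

On the sample data only ACC-1001 is raised: four transfers just under the threshold, to four different payees, within two days. The single $12,500 transfer from ACC-2002 is deliberately ignored because it is above the threshold and would be caught by ordinary reporting, and ACC-3003’s two small payments to the same payee never reach the count or the total.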

The Cyber Underground began as a completely decentralized activity but now operates like a corporation; it is transnational, very efficient and very evolved. They have huge numbers of the most talented cyber practitioners in the world working for them every day. The compensation is lucrative, and the crime is relatively safe. They also reach out to unskilled folks and recruit them into the market. They use them for various low-level tasks, and test them to see if they have skills worth developing.

The underground is agile and adaptable. They move fast, and once a vulnerability is identified, within days they can pull off huge operations. They find an opening, develop the exploit that will allow them to grab as much useful data as possible in a short period, emplace it, and use it to extract the information they need. They use this to make false cards, often with elevated account limits, then use them to pull lots of money out in near simultaneous transactions in multiple cities (and/or countries) using mules worldwide. The last step in the operation is for the mules to send on the profits (minus their agreed-upon commission) to the underground.

Another speaker at the NYS Cyber Conference described an operation where the bad guys replaced the self check out machines in 67 stores of a major supermarket chain, and for weeks harvested all credit card data from customers who used the machines. There were five to seven machines in each store, times 67, times “weeks” – you do the math.  It was quick, slick and targeted normal folks just trying to buy groceries.

The highly developed social structure of the underground includes:

  • Coders/programmers: write the malware
  • Techies: develop the way in
  • Hackers: actually break in
  • Vendors: sell the kits and products (true capitalist diversification)
  • Fraudsters: English speakers who write phishing e-mails or may even do calls.
  • Carders: make the fake cards and machines to do so
  • Cashers: convert the data to cash
  • Money mules/Reshippers: the bad guys move the money to them, and they send it on.  They do the same with merchandise
  • Tellers: convert money to other currency

There are Carding Forums where the underground sells info, credit card data and other criminal assets. They have websites, tech support organizations, entire structures to ensure they squeeze as much profit out of the enterprise as possible. They are now expanding their targets to include medical personal information, Electronic Health Records (EHR), etc. These are used to blackmail people, to perpetrate insurance fraud and to extort insurance companies. The targets for this sort of information theft are individuals, hospitals, HR Departments, Government Offices and insurance companies. As we move toward greater use of EHRs, we can only expect this to grow.

Social networking sites are also huge target areas for the bad guys. They use the ever-growing popularity of the sites (millions of participants) as vehicles for spam, to post fake adverts to launch malware, to harvest personal data to build a profile and figure out answers to “change your password questions.” These are subsequently used to hack you and go after all your friends next.

The really dangerous enemies use what is now referred to as the Advanced Persistent Threat (APT). This is a high level, extremely sophisticated class of threat that for now seems to be confined to nation-state intelligence organizations. How long it will remain in that area is unknown. These threats place long term leave-behinds in order to steal information – IP, National security secrets, and other valuable info (they are after personal data). Their methodology is as follows:

  • Recon and find the vulnerabilities;
  • Execute the network intrusion;
  • Obtain user credentials (they work this until they can get administrator level);
  • Establish backdoors to enable multiple return capabilities;
  • Install multiple utilities;
  • Data Extraction is their goal, for the long term, but may also include potentially damaging booby traps for future use; and
  • Resilience (They will actually “clean up” the network of other malware to ensure theirs works well).

APTs will target the government and military, cleared Defense contractors, and lucrative Private Industry concerns (pharmaceutical, energy, high tech).
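The methodology list above is useful to a defender precisely because it is ordered: credentials are escalated to administrator level, then backdoors are planted, then data is extracted. An individual event in that chain (one account added to an admin group, one new service installed) is noise on most networks; the same host showing the stages in sequence is not. The following is an added example (not code from the original post) that correlates constructed audit events per host against that lifecycle. The event names, the log format and the 14-day window between stages are assumptions chosen for the example, not anything the post or any product defines.

```python
"""Per-host lifecycle correlation over constructed audit events.

Added example, not the post's own code. The post lists the APT methodology:
intrusion, credential escalation to administrator, backdoors, utilities,
extraction. This matches a host's events against that ordered chain so a host
that shows escalation, then persistence, then bulk outbound transfer is
raised, while any single stage in isolation is not. Event types, log lines
and the inter-stage window are constructed assumptions for the example.
"""
from datetime import datetime, timedelta

# Ordered stages from the post, mapped to constructed audit event types
STAGES = [
    ("credentials", "admin_group_add"),   # account reaches administrator level
    ("backdoor",    "service_install"),   # persistence for repeated return
    ("extraction",  "bulk_outbound"),     # data leaves the network
]
WINDOW = timedelta(days=14)  # assumed: consecutive stages within two weeks

# Constructed sample log: one event per line, "timestamp key=value ..."
SAMPLE_LOG = """\
2010-06-01T02:10:00 host=ws-17 user=jdoe type=logon
2010-06-01T02:12:00 host=ws-17 user=jdoe type=admin_group_add
2010-06-03T23:40:00 host=ws-17 user=jdoe type=service_install
2010-06-09T01:05:00 host=ws-17 user=jdoe type=bulk_outbound bytes=4200000000
2010-06-02T09:00:00 host=srv-02 user=admin type=service_install
2010-06-02T09:30:00 host=srv-02 user=admin type=logon
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def stage_progress(events, window=WINDOW):
    """Return {host: [stage names reached so far, in order]} for every host.

    Stages must appear in the post's order; an out-of-order event (a service
    install before any escalation, as on srv-02) does not advance the chain.
    """
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    progress = {}
    for host, evs in by_host.items():
        matched, last_ts, idx = [], None, 0
        for ev in evs:  # already time-ordered from parse_log
            if idx < len(STAGES) and ev["type"] == STAGES[idx][1]:
                # the next stage must follow the previous one within the window
                if last_ts is None or ev["ts"] - last_ts <= window:
                    matched.append(STAGES[idx][0])
                    last_ts = ev["ts"]
                    idx += 1
        progress[host] = matched
    return progress


def correlate(events, window=WINDOW):
    """Return only the hosts that completed every stage of the lifecycle."""
    return {host: stages for host, stages in stage_progress(events, window).items()
            if len(stages) == len(STAGES)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, stages in stage_progress(evs).items():
        print(f"{host}: {' -> '.join(stages) or '(no chain)'}")
    print("full lifecycle on:", sorted(correlate(evs)))
```

On the sample, ws-17 completes the chain and is raised; srv-02 has a service install and a logon but no preceding escalation, so it stays at zero stages. The design choice worth noting is that `stage_progress` is exposed separately from `correlate`: a host two stages in is already worth a look, even though only a complete chain is alerted on.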

In short, this problem must be addressed, and it must be now. The bad guys are getting better at this, and law enforcement needs help. This is no longer a purely “criminal” activity but quickly shades into national security. There must be more cooperation, and it must be soon.

A Challenge to the US STRATCOM Commander

Monday, June 21st, 2010

At day two of the AFCEA STRATCOM Cyber Security Symposium, I was a member of the Industry Panel. I took a breath and issued my challenge. Our moderator had asked each of the four panelists to make brief opening remarks on the state of industry in the cyber security issue space and to end with a “memorable” bumper sticker. It was my turn to make opening remarks.

Well, being a former Army Green Beret in the middle of a sea of engineers, scientists, astronauts and nuclear specialists, I knew I was not going to discuss tech issues. (OK, I have a Ph.D., but it is in International Relations.)

So I went with my strong suit: directness, passion and leadership. I issued a challenge directly to Commanding General of StratCom, who had graciously stayed with us throughout the day and a half conference.

“Give us your Commander’s Intent.” For the military, commander’s intent is everything. It gives subordinate and supporting parties exactly what the commander wants done. It is clear unambiguous direction, and it outlines what success will look like. The situation may change, you may have unforeseen difficulties, but you know that you must continue to fulfill the commander’s intent. Your original plan to get there may (and almost always does) change, but the intent does not. It is the most critical part of the military’s operations order, the format that governs pretty much whatever the military does.

We in industry want to help StratCom, and its newest subordinate command, U.S. CyberCom, accomplish their mission. We want to do that, not just because it would be good business, but because we’re citizens too. To maximize our ability to do that, we need to know what the commander wants.

“Then bring us in to help you hash out how we get there.” We can tell you if your intent is achievable today. We can tell you how much we can do tomorrow, and how much in a year, 3 years, or 5 years. To do that, the military needs to invite the individuals and firms that truly want to help, not just seek business. And you must invite little guys too, not just the behemoths. If the military doesn’t invite the small firms to the table (they have some of the most innovative ideas), the big guys will not correct the omission.

“Demand new thinking of Industry.” The military cannot accept the same old ways of doing business, with marginal improvements around the edges. They have to make industry think big and deliver. If a company fails to deliver, they should be punished. I do not mean companies who try to innovate and fail; they should be encouraged. What I refer to are companies that make claims and promises but do not deliver. There should be a “price” for such a breach of trust and confidence.

“Help us force the lawyers and policy makers to find a way to efficiently and seamlessly share information about cyber attacks and probes.” Industry understands that government must protect its sources and methods, but government must also understand that industry has analogous information. We have proprietary data, methods and techniques. Firms that do stumble but choose to share the information should be protected from damaging public scrutiny. If you want to shine a light on anyone, do it to the firms who do not share when something happens, not the ones who cooperate.

“Give up the model of a medieval castle for cyber security and adopt one more akin to public health.” We are all info / intel gatherers, and we all need to feed into the common pool of data. Only if we change the way we think, to spur real information sharing, will we get ahead of the bad guys in this space.

“The Bumper Sticker: Make the Public-Private Partnership Real.” Make it something that can be operationalized. Everyone says that this is the key, but we leave it limp and symbolic when it needs to deliver added value to all our efforts.

“You need this, we need this, and Lord knows the Nation needs it.”

At the end of the conference, Air Force Gen. Chilton specifically stated that he had accepted my challenge and would indeed be issuing just such an intent statement. Thank you General. We in industry are standing by to work with your team on the next step.

GSA to move e-mail to the cloud

Wednesday, June 16th, 2010

GSA to move e-mail to the cloud – NextGov

The General Services Administration’s move to a cloud-based e-mail system is the start of a significant effort to increase efficiency governmentwide, according to an analyst from the Washington-based Brookings Institution.

GSA last week issued a request for proposals for a “software as a service” e-mail and collaboration system. The agency last month reopened a procurement for cloud computing infrastructure, including storage services and Web hosting, in an effort to move information technology to a shared mobile platform.

Darrell West, vice president and director of governance studies at Brookings, said the RFP is a big move for government, whose cloud efforts thus far have been “scattershot.”

NSA’s Meyerricks Addresses Cyber Audience

Tuesday, June 15th, 2010

At the Defense Daily Cyber Summit, Dawn Meyerricks, Deputy Director for Science and Technology at NSA stated without hesitation that Cyber Security is NOT the same as Information Assurance (IA). Many of us gave her hearty “amens.” However, she continued to say that IA was more comprehensive and was mainly about risk management. She said cyber security was a smaller category that did not encompass risk management. I was perplexed.

In the Q&A session, I asked her if this distinction was her personal opinion or if it was an NSA position. Before she answered, I pointed out that in many circles, particularly the Department of Defense, cyber security is all about risk management and mission assurance. They see IA as a subset of cyber security. She admitted that others, many of her own colleagues, used the concepts as I outlined them. She smiled, said she was not doctrinaire about it but was willing to engage in debate. Meyerricks then made the point that the differences between various experts were evidence that we badly needed to resolve these definitional differences.

She made three other points:

1. There is a need for tailored trustworthy spaces. Clearly, everything is not the same (we behave differently in movies vs. ballgames), so we must acknowledge that we need different levels of security for different cyber activities. You demand that your online banking works all the time, but when you are using Google to do a search, you are OK with refreshing if needed.

2. We must add speed to the process to make our cyber structures moving targets. We should get the updates out FAST and look at “places” of potential vulnerabilities and give them extra protection.

3. We need to provide cyber economic incentives. These could be positive or negative.  It must be determined what is the pain point needed to provoke good cyber hygiene.

She also made the point that forcing software designers to insure their products probably would not work. After all, health insurance will not stop cancer. Will software insurance stop software problems?

Her closing points were that we must all focus on mission outcomes, solve problems collaboratively and innovate relentlessly.

It was a useful session but would have done better to have a longer Q&A.

Survey: Cloud computing to make huge strides by 2020

Monday, June 14th, 2010

Survey: Cloud computing to make huge strides by 2020 – NextGov

Mobile computing will outpace desktop technology in the next 10 years if challenges to access, security and interoperability are overcome, according to a study from the Pew Research Center’s Internet and American Life Project released on Friday.

The report, a survey of nearly 900 Internet and technology experts, found that 72 percent of respondents believed technology users will conduct business using shared mobile platforms and smart phone applications rather than desktop computing. Easy access to information and the growing use of mobile devices will be key drivers of this trend, they said.

Is Cyber War an International Inevitability?

Friday, June 11th, 2010

There is great debate on the possibility, existence, inevitability and reality of Cyber War.  Some say we are in the midst of one everyday. Others say that this is just technologically enabled espionage, nowhere near a “war.”

The stand up of U.S. Cyber Command and the confirmation of its new commander, Gen. Keith Alexander, is read by many people in many ways. It is either the panacea through which America’s networks will be protected (Just military networks? All government networks? Everything?) or a harbinger of the cyber conflagration its very existence will provoke.  Frankly, many countries see the United States as the biggest cyber threat because we do OPENLY have a cyber command.

Those that think this is all a tempest in a teapot were dealt a blow recently when it was revealed that a special NATO Commission led by former U.S. Secretary of State Madeleine Albright is warning that the next aggression against a NATO member country will probably come via the cyber realm. Further, the commission believes that in such a scenario, NATO can invoke Article 5 (collective defense), without any modifications to existing treaties.

This is a victory for one of NATO’s newest members, Estonia. That small country was hit by a cyber attack in 2007 and called for help under Article 5. NATO could not come to agreement at that time. Since then, NATO opened a Cyber Defense Center in Estonia, and the Estonians have led the calls for NATO to define a policy on cyber. The Albright Commission is the result of their efforts, along with the growing concern that cyber will be used in war because of the economy of it and the anonymity/deniability of such a method.

The NATO position will also put pressure on the Obama Administration to more definitively lay out the U.S. position on cyber offense, defense and the large, grey area between them.

What comes around goes around – DHS is getting it right, again

Wednesday, June 9th, 2010

I was delighted to read in last week’s Homeland Security Newswire report on Secretary Napolitano’s consideration of “re-merging” the Infrastructure Protection and Cyber Security units.

When we stood up the Department in 2003, I was tasked with the responsibility for infrastructure protection, and at that time, Secretary Ridge charged the Office of Infrastructure Protection with the responsibility for both physical and cyber infrastructure protection. It made sense then as it does now. Trying to cut the Gordian Knot – artificially segregating physical infrastructure from cyber infrastructure when the threats to each are so intertwined – is naïve, ineffective, costly and dangerous.

There is plenty of evidence that terrorists and organized criminals have significant technological capabilities to conduct attacks that simultaneously exploit the vulnerabilities of both domains.  Securing a physical structure while leaving it vulnerable to a cyber attack can have the same catastrophic result as could a car bomb.

Information sharing between the domains is still far from where it needs to be – correlating terrorist planning events (surveillance, hacking, etc.) in the cyber world to terrorist planning events in the physical world will serve to better identify and prevent future terrorist attacks. Our homeland security strategy needs to ensure that the government and private sector are assessing and protecting infrastructure holistically and on a rational risk-based approach.

The private sector has finally recognized that the investment in physical security can be negated with a cyber attack and has begun to organize its resources to map into that reality. It is good to see that DHS recognizes that sound ideas transcend politics and is taking steps to merge these two key areas in order to improve our nation’s security.

Botnets Continue to Grow

Wednesday, June 9th, 2010

More and more people are becoming aware of Botnets and the problems they can cause.  What used to be an esoteric technical subject has entered the common vernacular, and well it should. A recent Computer World article goes into a great deal of the technical aspects. I will not attempt to do the same here, so check out the article if you’re unfamiliar with the topic.

The size and complexity of these zombie computer networks is staggering. Many have over a million personal computers as “members.” Obviously the vast majority of these have been incorporated without the knowledge or consent of the owners. They are used by their handlers (BotHerders) to do everything from spam distribution, to malware spreading, to actual attacks.

Botnets can develop in several ways:

  • You can write your own code for a unique network;
  • You can buy an existing package, and customize it for your use;
  • You can contract with a criminal enterprise, and they will either “rent” you their Bot, or they will customize one for you; or
  • You can simply buy a “kit” and go into business for yourself.

As you can see, while some routes require a lot of tech sophistication, others require next to none. The two individuals who worked the Mariposa BotNet out of Spain turned out to have fairly low level skills. They obtained the software and used it effectively. To paraphrase one commentator, “I can write papers using Word, but that doesn’t mean I can write the code to develop a word processing program.”

The bottom line is this: you must be aware that Bots are out there, and they “want” your computer. Good cyber hygiene (staying away from bad sites, not opening unknown attachments or e-mails, patching quickly and correctly, etc.) will not guarantee you will be safe, but poor hygiene will pretty much guarantee that you will become a zombie for someone.

Learn all you can, be smart, and hope we find a way to fight this growing scourge.

Each Service Sees Cyber a Little Differently

Tuesday, June 1st, 2010

Now that Congress has finally confirmed Gen. Keith Alexander for his fourth star and the duty of Commander, US Cyber Command, he has a tough road ahead. Cyber Command will be a sub-unified command under U.S. Strategic Command. It is not an intelligence organization – despite Alexander being dual-hatted as the Director of the National Security Agency – but is what the military refers to as a warfighting command.

Like U.S. Special Operations Command, Cyber Command will provide forces to the Geographic Combatant Commanders and in some cases will directly execute over-arching/global missions. To do this, Alexander will have control of components from each of the services. The Air Force will “give” its 24th Air Force, the Navy its 10th Fleet, the Army its Cyber Command, and the Marines their Marine Forces, Cyber.

Alexander is a Joint Commander who must blend these elements into a cohesive force to deal with an enormous set of challenges in a unified manner. The first challenge he faces is getting all his service components on the same sheet of music. Please note, this is no mean task. They are all different and all had diverse “birthing” processes. None of the differences are born of malice, or even inter-service rivalries; they are simply products of each organization’s respective cultures.

The 24th Air Force came first.  The AF originally wanted to “own” cyber much the way they really own space today. They saw logic in this approach and roared down the road to capture the prize, offering the others a fait accompli.  They were disappointed when the Secretary of Defense said “no” and backed off making cyber a Major Command with a four star commander.

Today it is a numbered Air Force (three star level) under Air Force Space Command.  The organization is fairly conventional and is based on the model of other AF set ups. They have made the specialty designations indicate that it is an operational, vice a support-type command. They have made a great deal of progress in designing and re-orienting the career paths and education tracks for both their enlisted and officer level personnel.

The Navy came next, with the 10th Fleet.  This is a reactivation of a historic (WW II) organization to take on a twenty-first century task.  This is also a three-star level command, and it at least appears to be modeled on other more conventional Navy organizations. In reality it is not.

The Navy has pushed together its Intel and Communications organizations to create both the command and the Navy Staff entities with which it will work.  They gave the command to a gruff Surface Warfare officer who was told to get it up and running as fast as he could. They are taking a look at many innovations that will “break the mold” as far as Navy practices go. Things like every sailor going to sea, which has long been a virtual commandment in the Navy.  The cyber forces may never leave home. The Navy has not gotten too far into how all this will happen yet, but their boss has said it publicly, and in the Navy, that means it will happen.

The Army has gone very slowly.  Initially, the only real element they had was a battalion, commanded by a lieutenant colonel.  Rather than jumping right into a solution, the Army (again following service character) began to conduct a Capabilities Based Assessment for Cyber. This is a laborious, detailed (OK, painful) process that analyzes the needs, the intent, and the missions, and at the end of its long pipeline, spits out a full DOTMLPF solution set (Doctrine, Organization, Training, Manpower, Logistics, Policy, Facilities).  Based on that study, the Army is now standing up a Cyber Command that will reside at Ft. Belvoir, VA. They had previously established a Task Force on the Army Staff that combined Intel, Signal, and operations elements under the Director of Operations. Where the Air Force and the Navy see themselves as possible leaders of strategic cyber, the Army has focused primarily on protecting its own networks and executing tactical and operational-level missions in support of its commanders in the field.

I confess to a lack of hard knowledge on the Marine Corps plans but have been told they are thus far separate from the Navy and more akin to the Army in that they are more tactically focused.  Their contribution will be small and specialized, as befitting the Marine Corps missions and size.

The bottom line of all this is that Gen. Alexander now has to make these elements work in harmony. The military is much better at this sort of collaboration today than it has ever been before. In cyber, however, differences can be more problematic than in the other domains. Alexander must push for more unity of method and not just unity of purpose. Cyber is not the realm to allow service distinctions to continue if they in any way hinder mission accomplishment.

Alexander is uniquely suited for this job.  In fact, one Senator lamented during his confirmation process that while he knew Alexander could do this job, he was not sure that in a few years we could find a replacement. His task is a difficult one, but in the end, the nation’s military networks should be better protected and our enemies suitably deterred. Additionally, Alexander’s forces should also be able to support and advise their counterparts at DHS in the protection of our civilian networks.

Was the Stock Market Crash a Cyber Attack?

Wednesday, May 12th, 2010

Last week we experienced a major “event” in the financial world. In a matter of minutes, the New York Stock Exchange lost nearly 1000 points or about $1 trillion. It caused panic and kicked off numerous investigations as to the catalyst of the dramatic and expensive incident.

There are five possible reasons for the black day.

1. It was a “simple” computer glitch. The systems used to manage the incredibly fast and complicated buying and selling had a hiccup, and when the human traders saw the mistaken results, they piled on.

2. A trader typed “b” instead of “m,” turning a sale of several million into one of several billion and precipitating the rush to sell.

3. The ongoing financial crisis in Greece was the cause. The market had already lost over 900 points that week due to the shakiness of the European economies and the possibility of it spreading from Greece to Spain, Portugal and beyond. (In any case, Greece’s financial troubles probably contributed to whichever reason turns out to be the primary catalyst).

4. It was deliberately caused by crooked and unscrupulous traders seeking to cash in.

5. It was a deliberate attack trying to destroy confidence in the American (and Western) economic system.

As stated, investigations to determine the cause are underway. At the AFCEA Joint Warfare Conference in Virginia Beach, former DHS Secretary Mike Chertoff and retired Adm. Tim Keating, former Commander of both U.S. Northern Command and U.S. Pacific Command, were asked if it was possible that the market fall was the work of terrorists. Both felt that it was not. John Brennan, the President’s advisor for Homeland Security and Counter Terrorism has stated without hesitation that this was not cyber terrorism. Despite lots of hand wringing and conspiracy theorizing, pretty much all the experts agreed that it was not a terrorist incident.

Does this mean that all the earlier prophecies of doom about cyber terrorism were Chicken Little? Unfortunately, no they are not. Cyber terrorists going after our financial sector or other critical infrastructures are a real danger.

Not every “bad” thing that happens will be caused by cyber terrorism, but that does not then mean that cyber terrorism is not a threat. In fact, I am concerned that our enemies will look at last week’s events and see how easy it may be to cause us great harm and concern. The bad guys do analysis too. They are watching how we respond to natural disasters, how we respond to nearly everything, and they learn.

We need to be at least as good at learning as they are. We need to anticipate how they may perceive events and how they may adapt based on their analysis. And we must be prepared to deal with the results.

SCADA Systems: Are they our soft underbelly?

Monday, May 10th, 2010

If you want to scare a cyber layperson, have them watch Bruce Willis chase virtual terrorists in “Live Free or Die Hard” and tell them it is all possible. In the film, the entire digital infrastructure of our country is brought to a standstill by a small group of very talented hackers. OK, professional analysts have told me it could not happen today. It could, however, happen in the not too distant future, particularly if present trends continue. The keys to that scenario are SCADA systems.

SCADA stands for System Control and Data Acquisition. These are really one type of Industrial Control System; however, SCADA has become the most common way to refer to them all. The simplest definition for SCADA is a computer system that monitors and controls a process, be it industrial, infrastructure or facility. Originally, they were all autonomous and monolithic; every one stood alone and was pretty much unique. The present second generation is distributed, and the third generation is networked.  These systems make nearly everything we depend on run correctly; without them our lives would be quite different.

Many people think these systems are protected because most are not connected to the Internet. This is a mistake. A noted scientist from one of our national laboratories recently said that despite the fact that only 10 percent of SCADA systems are attached to the Internet, they are under constant attack. As an example, attacks on our water systems have gone up 300 percent and on the electric grids, 30 percent. The situation is similar with most of our critical infrastructure sectors.

The Department of Homeland Security (DHS) recognizes the importance of these assets.  They have put together a special Industrial Control System CERT that not only deals with attacks, but does fly-away responses and special training/red teams. This development is a welcome improvement, and DHS should be commended for it.

Unfortunately, two trends are making things worse. As noted, the newest systems are networked. Additionally, they are becoming more standardized. This is understandable, because these trends make the systems they serve more efficient and cost-effective.  Unfortunately, they also make them more vulnerable to cyber attack.

We need to continue the efforts to defend our SCADA systems. If they are under assault when only 10 percent are Internet-connected, what will happen when they are all online? DHS has made a great start, and industry is finally “getting it.” One only hopes the positive trends can catch up with the economic ones, which are driving the vulnerabilities. The bad guys know SCADA’s importance. We need to give it even more effort.

Is Cloud Computing Losing Some of its Allure?

Thursday, May 6th, 2010

At a Cloud Computing Summit this week, the questions began as, well, just questions.  They were simple and basic: “Exactly what do we consider Cloud Computing?” Answer (my paraphrase): “Lots of things to lots of people.”

Later, the questions grew almost hostile: “What are we gaining by this?” “What is the real benefit?” and “Is this really just clever marketing?”

I remain an advocate for Cloud Computing. I am convinced that its economic, ecological and efficiency pluses will outweigh its potential downsides in the end. Talking about the cloud for the government, perhaps Air Force Maj. Gen. Dale Meyerrose, the former CIO of the Intelligence Community, said it best: “We need to stop trying to fight the inevitable.” The mostly government crowd was not so sure. They were asking tough questions and were more than a little skeptical.

Frankly, I am OK with that. Cloud Computing is a reach right now for most Government clients. Given the importance of the data with which they routinely work, I want them to ask the hard questions. Every potential cloud consumer should do the same. Often, you see clients moving toward the Cloud simply because they think “they should.” Fashion is a bad reason to go to the Cloud.

It was pounded home by the speakers that any organization considering a cloud model should follow a few key steps. Analyze what you have now (level of security, ability to retrieve data, compliance, cost of infrastructure, etc.), decide where you want to go, and then make any prospective cloud provider PROVE to you they can deliver on their promises.  All the speakers said to go slow. Run trials and then pick non-critical data or apps and try it out. An incremental way forward is the only wise course.

In this case, the naturally conservative and cautious tendencies of government agencies display the right way to approach this new way to do business. We will go to the Cloud, but let’s do it right.

©2008 Adfero Group. All Rights Reserved.