

Archive for the ‘Homeland Security & the Internet; Gov't 2.0’ Category

Senate Panel to Discuss Afghanistan Amid Leak of War Documents

Monday, July 26th, 2010

Senate Panel to Discuss Afghanistan Amid Leak of War Documents – Homeland Security CQ

The Senate Foreign Relations Committee will hold a hearing Tuesday to discuss options for bringing about political reconciliation in Afghanistan.

The hearing is likely to be overshadowed, however, by a larger discussion on overall U.S. policy in Afghanistan and Pakistan following the release by WikiLeaks over the weekend of more than 92,000 pages of classified documents tracking the war in Afghanistan from January 2004 to December 2009. The New York Times reported that the documents suggest Pakistan’s spy agency, Inter-Services Intelligence, has provided support to the Afghan insurgency and has worked with al Qaeda to plan attacks against U.S. and NATO forces.

Should We Seek Cyber Attribution?

Monday, July 26th, 2010

Several news items of late have addressed the thorny issue of cyber attribution; that is, the ability to identify the sources of Web and network attacks. For cyber companies and some government agencies, attribution is the Holy Grail. Without attribution, there can be no real retribution for cyber attacks. If you don’t know (with certainty) who did it, you cannot respond. If you cannot respond, even if you have the means to do so, you become an impotent giant and therefore have no deterrence.

The counter-argument, made last week by several experts before Congress, is that if we develop a means of attribution (technology that attributes cyber attacks to the criminals who conducted them), soon bad governments will get it too. They will surely use it against dissident elements inside their own countries to suppress free speech and abridge other civil rights of all sorts. Some folks in the United States worry that our own government will use technology of this sort for similarly nefarious purposes.

So, should we consciously forgo the possibility of deterring bad guys from cyber crime, cyber terror and cyber war because the technology could be used badly? I think the answer is clearly “no.”

Even if the United States and our democratic allies choose not to pursue the sort of technology needed to attribute cyber attacks, repressive countries will still eventually develop their own and use it against their people. We should be as vigorous as possible in discouraging the repression of civil rights, but we cannot give up the possibility of adding to our own protection.

This is one of those situations where national interests trump our idealist desires. If we could keep the attribution technology away forever, you might have an argument, but that is a pipe dream. We should develop it as soon as possible, keep it as closely held as we can for as long as we can, and then use diplomacy to mitigate its improper use. In some cases, that is the best we can do.

Secrets in the News: Classified Crossings that Go Too Far

Monday, July 26th, 2010

For the second straight week, Washington, DC and the nation are reeling from headlines and news coverage of events on the national security stage. Last week, it was the Washington Post’s series on Top Secret America, which details the explosive growth of the intelligence apparatus since 9/11. This week, it is the release of nearly 92,000 pages of classified details on the ongoing conflict in Afghanistan.

While the Post series had the cooperation of the public affairs operations with the various intelligence agencies, combined with the exhaustive research work of the series authors and support staff, the stories this week come courtesy of the WikiLeaks website. Described by CNN and other media outlets as a “whistleblower site,” WikiLeaks has effectively pulled back the curtain with U.S. military and intelligence documents that give no-holds-barred descriptions of the state of U.S. combat operations. Based upon what has been reported, the picture these documents paint is not very promising. While certainly making for an interesting and fascinating read, the release of these documents and the recent Post series begs the question: “Is there anything the media will not share?”

Despite the valid questions raised, I still have tremendous misgivings about what the Post printed last week, as I believe that in identifying the physical locations of critical public and private sector operations, the Post put every person at those places at a risk of greater harm from those who wish to do us harm.

As for the WikiLeaks postings, I find it equally deeply troubling that the President, his senior National Security Team and our military leadership cannot obtain unvarnished reports without having the risk of someone, somewhere posting them for all to see. What has been shared is a tremendous violation of trust amongst military/intelligence personnel that goes beyond the traditional Washington leak to a reporter.

The actions taken by this leaker are also illegal. As anyone who has ever held a security clearance knows, when entrusted with such information, your mouth is to remain shut; you share nothing with anyone who is not properly cleared. If you have a problem with what you read and want to raise an objection, there are ways to do so without violating the code of trust you swore to uphold. If you break these tenets, you’ve committed a crime. Period.

I’m sure if the leaker of these documents is caught, he/she will claim all of the First Amendment, Freedom of the Press rights he/she can muster, but in the job they are supposed to be in, they are not acting as a journalist. They are acting as a criminal. Every military leader, including our Commander in Chief, should be afforded the ability to get unvarnished reporting of what is or is not happening on the battlefields where our military personnel serve and not have to see it spread over a newspaper or on the Internet for the world to also see.

The leaker in this case has a unique agenda to pursue and that should not be overlooked or forgotten. Regardless of whether the information is classified or unclassified, every leak to a reporter is about imposing an agenda for further distribution. It is obvious that the person behind this leak has grave reservations about a fight our President has declared “worth fighting.”

That is an argument that good people on both sides of that issue can debate, but doing so at the expense of releasing classified information is a bridge too far.

I am not naive enough to believe that everything in Afghanistan is going swimmingly. Nor do I believe that every word from our political and military establishment is absolute truth. But I am disturbed that in an era where our media is in an ever-present game of “gotcha,” media outlets feel the need to take one more step to share details that are classified for very good reasons.

For as interested as we may all be in what is really happening in the intelligence community and in Afghanistan, there is also a responsibility to not reveal everything. That is a line I think individuals and organizations like the WikiLeaks source, the Washington Post and others seem to cherish crossing. That’s an agenda in which I find little comfort.

Data Mining Tools for Law Enforcement?

Thursday, July 22nd, 2010

Recently, there’s been a trend toward some agencies purchasing new data mining tools for their needs at fusion centers. It is great to see this investment in technology, but watch out – many of these solutions don’t have any inherent method for capturing Suspicious Activity Reports (SARs) and Request for Service (RFS) data, which fusion centers use to track case management activities.

Also, these new data mining tools typically don’t communicate bi-directionally with the Regional Information Sharing Systems (RISS), nor can they communicate with the National Data Exchange (N-DEx), the FBI’s information-sharing platform.

In fact, many of these software vendors don’t understand that these systems need to comply with 28 CFR Part 23, the federal regulation that governs criminal intelligence systems and the sharing of criminal intelligence information.

Let’s review the four types of data that law enforcement officers encounter in their work:

1. Open-Source Data – Anything from the Internet, newspapers, other public sources [No prohibitions to sharing]

2. SARs – Information reported by citizens or police; no identifiable crime being committed but something’s suspicious [Can be shared between agencies under National SAR Initiative]

3. Investigation-related – Evidence or information collected from a crime that has been committed, with a goal to prosecute or prevent crimes [data sharing policies vary widely]

4. Intelligence – Important data in assessing threats to the community; proactive, strategic analysis conducted and patterns of activities are identified; resources focus on the problem at hand, be it street gangs or organized crime [28 CFR Part 23 governs this type of data – If information rises to the level of reasonable suspicion, then it can be entered into an intelligence system and shared with other agencies.]

All four types of data streams have separate and distinct laws governing what law enforcement can and cannot do with them.

Agencies want to ensure that they are holding data consistent with all the rules and regulations. But if the data mining technology companies have not considered any of the aforementioned issues, their tools are putting fusion centers at risk of violating statutes, laws and regulations.

One fusion center I use as an example vetted vendors with these criteria, and instead of settling for a one-size-fits-all intelligence analysis system, it selected one vendor for information/intelligence management and another for analyzing the information managed by the first system.

This is what should be happening more often – using the right tool for the right job.

Bottom line: Look for technology companies that know the compliance landscape.

The New Face of Aviation Security?

Wednesday, July 21st, 2010

The hunt for someone to lead the Transportation Security Administration (TSA) began in 2009, but it wasn’t until June this year that the Senate confirmed John Pistole as administrator. Pistole was the third nominee for the job, after two earlier hopefuls pulled out (see Southers and Harding). Security Debrief followed the confirmation process every step of the way and found the latest development in this week’s Air Cargo Week.

If you visit TSA’s website, you’ll find Pistole’s photo, which looks like this:

John Pistole

In Air Cargo Week’s Arrivals & Departures section, there is a note on Pistole’s confirmation (first bullet, right column). But the photo referenced is clearly not John Pistole.

Arrivals&Departures, Air Cargo Week, 7/19

Who is this man? Nominee #4? A hero cargo pilot? The publisher’s cousin?

It’s Chris Battle, Security Debrief’s founder and editor.

That’s some good PR.

The Value of Aspen

Friday, July 9th, 2010

As we continue to swelter in the ongoing summer heat wave, it is easy for me to reminisce about my recent visit to Aspen, Colo. Tucked amongst the Rockies with its clean air, fervent green and majestic views, a town known primarily for its skiing with the rich and famous was home to what was, simply put, the best conference program I have ever attended.

The first annual Aspen Security Forum put forward a program that I can only describe as pleasant, informational waterboarding. By the time each of the presenters and panelists were done, my hand was dead from writing so much and my head hurt from being given the firehose treatment of a candor and content overload.

With a veritable “who’s who” of notable names in the national security arena attending the two and a half day program, attendees had the opportunity to hear first-hand from the men and women who have served or continue to serve in some of the most demanding positions in the world. It was very hard to turn around and not see a face you recognized from some recent event or news program, sharing insights on our country’s national and homeland security challenges.

While the presented content was outstanding, the best part about the entire program was that the overwhelming majority of notable speakers and presenters made themselves available to engage with the attendees. All too often, speakers rush in, deliver their canned pitch, say thanks to the crowd and are whisked away by their aides to get back to the office, leaving actual human contact an afterthought. To have the many distinguished speakers stick around and engage in that lost art-form of “CONVERSATION” was an absolute pleasure.

Hosted by Clark Ervin and the Aspen Institute, this was the first time they had put on a program with this particular focus. You can call it beginner’s luck if you want, but they put together a top notch effort that literally became a “must attend” for anyone who is interested in national and homeland security issues. Fortunately, for those who weren’t able to attend the program, it was taped for later broadcast by C-Span, hopefully sometime this summer. I have to tell you, there is a significant portion of C-Span’s programming that can cure insomnia, but when they broadcast the presenters and panels from the Aspen Security Forum, it will be as NBC used to call it, “Must See TV!”

To understand why I write that, here’s a rundown of some sessions (with video hyperlinks):

Adm. Mike Mullen, Chairman of the Joint Chiefs of Staff

When your opening speaker travels all the way from Kabul to Tel Aviv to Aspen to take part in the program, it’s a pretty good indicator that the organizers are up to something big. That was especially true with Adm. Mullen. Coming off a week where Gen. McChrystal was taken out by a large Rolling Stone and replaced by Gen. Petraeus, and then traveling to Afghanistan and Israel to assuage any fears and concerns they may have about the big changes, Mullen made news by essentially not making news. While his comments about the state of the nation’s counterinsurgency policy dovetailed with those of the White House, the plainspoken manner in which they were delivered conveyed the gravity of the situation our military forces are faced with in Afghanistan. His comments about Iran’s nuclear ambitions – “They’ve given us no reason to trust them” – also spoke volumes about what few measures the Administration has left at its disposal in dealing with them.

Aviation Security Panel

There is probably no other facet of the post-9/11 world that Americans gripe about more than dealing with aviation security, but as the CEO of the Air Transport Association (ATA), Jim May, said, “What’s your alternative?” Joined by Erroll Southers of USC’s CREATE Program (and the first Obama Administration nominee to lead TSA) and Christopher Bidwell of Airports Council International, this panel laid on the table the very real threats and frustrations that accompany this portion of the security environment. One of the most interesting things discussed was the use of full-body imaging devices by airports to screen passengers. While recognizing the civil rights and privacy concerns that people have about them, Jim May of ATA shared that he thought they should be mandatory. When it came to addressing the Government Accountability Office’s recently issued criticisms of TSA’s Behavioral Detection efforts, May and the other panelists pointed out that this program was part of many layers of security, and there was no one-size-fits-all solution or silver bullet that would reduce the aviation risks faced today.

Fran Townsend, former Homeland Security Advisor to President Bush

There are many things that have been written and said about Fran Townsend, the former Homeland Security Advisor to President Bush (43), but the word “shy” is not one that would be used to describe her. The only thing that could possibly surpass the candor of her public comments when she was working as a government employee was her candor in being a former government employee. With no holds barred, Townsend explained that, “We have a reason to expect we can connect the dots this time” given all of the post 9/11 work that has been done.

In a more than hour-long conversation with Walter Isaacson, the CEO of the Aspen Institute, and the Security Forum audience, Townsend pounded on the fact that much still needs to be done to improve information sharing amongst intelligence and law enforcement agencies across the board. Notable was her declaration that there still needed to be a senior level official or “Cabinet Agency,” but “not a czar,” to “pound these government agencies into submission to do information sharing.” Her proposal for an NGO or public-private partnership, rather than a solely government-led approach, to address the growing cyber security risks was also interesting.

Bill Bratton, former Chief, Los Angeles Police Department

Dubbed by many media outlets as “America’s Top Cop” for having led the police departments of Boston, New York City and Los Angeles, I think Bill Bratton surprised everyone at the program when he explained how the terror attacks in Mumbai, India caused him to change the entire structure of the LAPD. His interview with CNN’s Jeanne Meserve detailed how 60 days after those attacks, he was able to transform his police department with new training, exercises and more. The relatively simply trained Mumbai terrorists were not interested in holding hostages; in fact, they were using so-called negotiations to buy time to kill more people. This showed Bratton that he had to change how his department was positioned to respond to a similar event, should it occur in Los Angeles.

Michael Leiter, Director of the National Counter Terrorism Center

For a man that much of Washington thought would have his head handed to him following the failed information sharing efforts surrounding the failed Christmas Day attack, Michael Leiter, the Director of the National Counter Terrorism Center (NCTC), displayed all of the skill and confidence that make him one of a few Bush Administration appointees to successfully transition into the Obama Administration. His description of his job, his work with the President to report on the range of threats to the country and how he thinks information sharing needs to work made this particular presentation one of the most revealing and compelling of the entire program. His interview by Michael Isikoff, a former Newsweek reporter and now Chief Investigative Correspondent for NBC News, produced some great back and forth between the two men that was as revealing as it was humorous. This session again explained more about Leiter’s job and the mission of the NCTC than any government report or Congressional hearing to date.

Border Security Panel

Despite the countless GAO and IG reports and the many hearings before the U.S. House and Senate, there was no better overview of America’s border security than a panel made up of:

  • Bob Mocny, Director of DHS’ US VISIT Program;
  • Mark Borkowski, Director of CBP’s Secure Border Initiative (SBI); and
  • Steve Oswald, Vice President of Boeing.

These three gentlemen described what worked, what didn’t, what could be better and what the future may look like on programs that have regularly been making news for years. In presenting the details of these newsworthy programs, they did so with none of the drama or hysterics that are so often associated with the Congressional hearings that have exhaustively covered the respective programs. What each of them said frankly offered more substantive insight than any of the previous Congressional hearings have produced to date. That was an observation made not just by the conference attendees but also by the first-tier media, congressional staff and others who have observed each of these respective programs closely. Truth be told, if you want to know what is really happening with US VISIT and the Secure Border Initiative (minus the belligerent questions and political posturing), spending 90 minutes watching this panel when it is aired on C-Span will be time well spent.

Attending News Media

As I mentioned, the conference was a literal “who’s who” of notable current and former national and homeland security leaders, and the same could be said for the attending members of the media. With CNN’s Jeanne Meserve, Fox News’ Catherine Herridge, the Washington Post’s Spencer Hsu, Newsweek’s/NBC News’ Michael Isikoff, and more, it seemed as if there was a representative from every major news outlet, print and broadcast media in attendance. While many of them were there to serve as session/panel moderators for the various parts of the program, the entire forum was a reservoir of information for them on today’s security concerns and a background on the actions of the past. It was also a treasure trove for journalists in developing future sources for national and homeland security news stories.

Michael Chertoff, former Secretary of Homeland Security

After consecutive 12-hour days of literally (albeit pleasantly) waterboarding attendees with tons of substantive content, it’s hard to figure out how to end a program such as that in Aspen, but they picked a great closer in former DHS Secretary Chertoff. Whether it was the fact that he’s been out of office for almost a year and a half and doesn’t have to worry about a 2 AM phone call from the National Operations Center about someone doing something vile to the homeland, Chertoff’s candor and demeanor crystallized for everyone the seriousness of the threats we face while also assuring us we should continue to go about our regular lives. As one of the very few “senior statesmen” on homeland issues that we have in this country, his conversation with Fox News’ Catherine Herridge conveyed the balance that we need to have when planning for and operating against the range of risks we face.

A wondering disappointment

I can say without doubt that I loved every moment at the Aspen Institute, but I can’t sign off without discussing the one disappointment that I and many others had in the presentation by DHS Deputy Secretary, Jane Holl Lute. Whether it was her discomfort at the conversational interview format led by CNN’s Jeanne Meserve, her fear in the week after the McChrystal debacle, not wanting to say anything to cause problems for herself or the Administration, or the fact that maybe she was having a bad day, her presentation left the overwhelming majority of attendees scratching their heads in wonder as to the real story at the Department.

All of the questions that were asked by Meserve were fair and nothing was out of the ordinary, but Lute’s responses were defensive, sometimes evasive and could have been dramatically better. Time and time again in her hour-long session there were questions to which she could have responded with hard and fast examples of the Department’s accomplishments. Instead, she offered simplistic, almost apple-pie-like anecdotal responses that left the audience wondering why she wouldn’t answer the most basic of questions.

When she stated, “the [U.S.] border has never been more secure,” and offered no facts to prove that statement, portions of the audience looked around at one another in shock while others openly chortled at the declaration.

When it came time for Q&A with the audience, the tenor of her responses seemed to be even more defensive. When Michael Isikoff asked her about her statement on the border’s security and her metrics to prove that it had never been more secure, Lute seemed to bristle at the question. She firmly retorted, “The Secretary has been very clear on what those metrics are,” and effectively cut him off.

Lute’s response referred to the speech Secretary Napolitano delivered at CSIS the week before, when she declared, “the U.S. border has never been more secure…but there is more work to be done” and that “no one is satisfied with the status quo.”

In that speech, Secretary Napolitano detailed a series of metrics to back up her statement, but none of those were shared by Lute with Isikoff or the observing audience. In speaking with Isikoff and some of the other attendees after her remarks, none of them were aware of the CSIS speech and the metrics behind the powerful declaration. To the credit of the Department, Bob Mocny and Mark Borkowski did an exceptional job during their joint appearance on the Border Security panel explaining why DHS leadership is stating things have improved on the border.

It is certainly a debatable point to make a declaration like the Secretary and the Deputy Secretary have made in recent forums about border security. When you back it up with information and facts, it provides some measure of credibility and fosters informed debate. When you state it and don’t want to defend it with facts, it leaves people wondering why you would state something like that and not be able to prove it. After her appearance in Aspen, a lot of people were left wondering about the Deputy Secretary, and after viewing her session either on-line or on C-Span, I expect there will be a lot more.

Final thoughts

All of our time is valuable, and God knows we don’t have enough of it, but if you can set your DVRs to record the Aspen Security Forum or go to the Aspen Institute webpage and download panels for your iPod/MP3 player – DO IT. Think of each of the respective sessions as graduate level courses shared by esteemed faculty who have the real life scar tissue and experiences to tell you what happened and what we can all do better. If you do, I’m confident you will walk away from each session with a lot more knowledge and a bit of a mild headache too. That’s what pleasant informational waterboarding will do to you, but I have to say, it is much more enjoyable amongst the mountains and beautiful vistas of Aspen.

Cyber Crime Continues to Grow Out of Control

Thursday, June 24th, 2010

A recent presentation by Special Agent Johnny Starrunner of the FBI at the NYS Cyber Conference in Albany was enlightening and frightening. To be honest, I have heard most of it before, but getting it all at once, from a front line guy fighting this war, drove it home. If we do not get hold of this threat, we are in deep trouble.

Cyber crime comes in lots of flavors. It is diverse, sophisticated and expanding every day. It includes Internet fraud, online banking fraud, a highly developed cyber underground, a growing number of targeted areas, and the “advanced persistent threat,” a term that until recently was classified.

It is almost impossible to accurately determine the “cost” of cyber crime. It is not just the dollars that must now be listed as losses but goes much wider. Reputations tarnished or destroyed are difficult to price. Additionally, many times we are dealing with unreported or under reported events. To give you at least an order of magnitude idea, the very conservative cost we know for the staggering 336,000 reported complaints in 2009 was $559.7 million – nearly double the numbers recorded in 2008. This does not include the loss of “pure” intellectual property, which is difficult to value accurately. Add that in and the numbers skyrocket.

Internet fraud (IF) is the best known form of cyber crime; it includes scams of all sorts. These have been tied to recent disasters (Haiti, tornados, the Gulf spill), electronic income taxes (give us your info, we’ll file for you), stimulus check collection and online auctions – nearly anything that might convince the unwary to reveal personal information to the scammers. Many of these are crude, but many are highly sophisticated and polished. Cyber criminals sometimes blast it out to anyone and everyone, but often, they are highly targeted and specific. The profit is potentially so big that the bad guys are highly motivated.

Online Banking Fraud (OBF) is more specific and aimed at bigger fish. These may start with attempts to steal individual information, but they are really desirous of stealing credentials, the higher the better, through malware or scams. They then use them for transactions all under $10,000 to keep it under the radar. They sometimes make false cards or simply do electronic transactions directly with the data. They can raise credit limits (it seems to be easier for them to do than for legitimate customers!), and then begin to transfer funds to “money mules.” These are individuals who work from home in online jobs. These folks then send the money on to overseas recipients. The main methods used to place malware for this sort of crime are the ZeuS Trojan, Clampi, and Bugat Trojan, according to Starrunner.

The cyber underground began as a completely decentralized activity but now operates like a corporation; it is transnational, very efficient and very evolved. They have huge numbers of the most talented cyber practitioners in the world working for them every day. The compensation is lucrative, and the crime is relatively safe. They also reach out to unskilled folks and recruit them into the market. They use them for various low-level tasks, and test them to see if they have skills worth developing.

The underground is agile and adaptable. They move fast, and once a vulnerability is identified, within days they can pull off huge operations. They find an opening, develop the exploit that will allow them to grab as much useful data as possible in a short period, emplace it, and use it to extract the information they need. They use this to make false cards, often with elevated account limits, then use them to pull lots of money out in near simultaneous transactions in multiple cities (and/or countries) using mules world wide. The last step in the operation is for the mules to send on the profits (minus their agreed upon commission) to the underground.
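As an added illustration (not part of the original post or of Starrunner’s briefing), the two patterns described in the online banking fraud and cash-out paragraphs above, transfers kept just below the $10,000 reporting threshold and mule accounts that quickly forward what they receive, are straightforward to express as detection logic over a transaction ledger. The ledger below is constructed for this example; the threshold band, time window and forward ratio are assumed tuning parameters, not figures from the presentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data).
# Each row: (ISO timestamp, account, direction, amount, counterparty)
SAMPLE_TRANSACTIONS = [
    ("2010-06-01T09:12:00", "ACC-1001", "out", 9800.00, "MULE-1"),
    ("2010-06-01T11:40:00", "ACC-1001", "out", 9650.00, "MULE-2"),
    ("2010-06-02T08:05:00", "ACC-1001", "out", 9900.00, "MULE-3"),
    ("2010-06-02T15:20:00", "ACC-1001", "out", 9700.00, "MULE-1"),
    ("2010-06-01T12:00:00", "MULE-1", "in", 9800.00, "ACC-1001"),
    ("2010-06-01T16:30:00", "MULE-1", "out", 9300.00, "WIRE-OVERSEAS-77"),
    ("2010-06-03T10:00:00", "ACC-2002", "out", 120.00, "GROCER"),
    ("2010-06-03T10:30:00", "ACC-2002", "out", 15000.00, "CAR-DEALER"),
]

REPORTING_THRESHOLD = 10_000.00  # the "under $10,000" line the post mentions


def parse(rows):
    """Turn the raw rows into (datetime, account, direction, amount, counterparty) tuples."""
    return [(datetime.fromisoformat(ts), acct, d, float(amt), cp) for ts, acct, d, amt, cp in rows]


def find_structuring(txns, threshold=REPORTING_THRESHOLD, band=0.10,
                     window=timedelta(hours=72), min_count=3):
    """Flag accounts with at least `min_count` outbound transfers that sit within
    `band` (10%) below the reporting threshold inside any `window`-long period.
    Returns {account: largest number of such transfers seen in one window}.
    (Parameters are assumed tuning values, not from the source.)"""
    by_acct = defaultdict(list)
    for ts, acct, d, amt, _cp in txns:
        if d == "out" and threshold * (1 - band) <= amt < threshold:
            by_acct[acct].append(ts)
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # times is sorted, so everything from i onward within `window` of start counts
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= min_count:
            flagged[acct] = best
    return flagged


def find_money_mules(txns, max_delay=timedelta(hours=48), min_forward_ratio=0.8):
    """Flag accounts that forward most of an inbound transfer to a different
    party within `max_delay` of receiving it. Returns a list of
    (account, source, destination, forwarded_amount)."""
    by_acct = defaultdict(list)
    for t in txns:
        by_acct[t[1]].append(t)
    hits = []
    for acct, rows in by_acct.items():
        rows.sort()  # chronological; tuples compare on the datetime first
        ins = [r for r in rows if r[2] == "in"]
        outs = [r for r in rows if r[2] == "out"]
        for ts_in, _, _, amt_in, src in ins:
            for ts_out, _, _, amt_out, dst in outs:
                if (ts_in <= ts_out <= ts_in + max_delay
                        and dst != src
                        and amt_out >= min_forward_ratio * amt_in):
                    hits.append((acct, src, dst, amt_out))
    return hits


if __name__ == "__main__":
    ledger = parse(SAMPLE_TRANSACTIONS)
    print("structuring:", find_structuring(ledger))   # ACC-1001: four sub-threshold transfers in 72h
    print("money mules:", find_money_mules(ledger))   # MULE-1 forwards 9300 of 9800 overseas
```

On the constructed ledger, ACC-1001 is flagged for four transfers in the $9,000–$9,999 band inside one 72-hour window, and MULE-1 is flagged for forwarding 95% of an inbound transfer to an overseas recipient within hours; ACC-2002’s single large purchase and small grocery payment trigger neither rule. Real deployments tune the band and window against historical data, because a fixed 10% band is easy to evade once known.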

Another speaker at the NYS Cyber Conference described an operation where the bad guys replaced the self-checkout machines in 67 stores of a major supermarket chain, and for weeks harvested all credit card data from customers who used the machines. There were five to seven machines in each store, times 67, times “weeks” – you do the math. It was quick, slick and targeted normal folks just trying to buy groceries.

The highly developed social structure of the underground includes:

  • Coders/programmers: write the malware
  • Techies: develop the way in
  • Hackers: actually break in
  • Vendors: sell the kits and products (true capitalist diversification)
  • Fraudsters: English speakers who write phishing e-mails or may even do calls.
  • Carders: make the fake cards and machines to do so
  • Cashers: convert the data to cash
  • Money mules/Reshippers: the bad guys move the money to them, and they send it on. They do the same with merchandise
  • Tellers: convert money to other currency

There are carding forums where the underground sells info, credit card data and other criminal assets. They have websites, tech support organizations, entire structures to ensure they squeeze as much profit out of the enterprise as possible. They are now expanding their targets to include medical personal information, Electronic Health Records (EHR), etc. These are used to blackmail people, to perpetrate insurance fraud and to extort insurance companies. The targets for this sort of information theft are individuals, hospitals, HR departments, government offices and insurance companies. As we move toward greater use of EHRs, we can only expect this to grow.

Social networking sites are also huge target areas for the bad guys. They use the ever-growing popularity of the sites (millions of participants) as vehicles for spam, to post fake adverts to launch malware, and to harvest personal data to build a profile and figure out the answers to password-reset “security questions.” These are subsequently used to hack you and go after all your friends next.

The really dangerous enemies use what is now referred to as the Advanced Persistent Threat (APT). This is a high level, extremely sophisticated class of threat that for now seems to be confined to nation-state intelligence organizations. How long it will remain in that area is unknown. These threats place long term leave-behinds in order to steal information – IP, national security secrets, and other valuable info (they are after personal data). Their methodology is as follows:

  • Recon and find the vulnerabilities;
  • Execute the network intrusion;
  • Obtain user credentials (they work this until they can get administrator level);
  • Establish backdoors to enable multiple return capabilities;
  • Install multiple utilities;
  • Data Extraction is their goal, for the long term, but may also include potentially damaging booby traps for future use; and
  • Resilience (They will actually “clean up” the network of other malware to ensure theirs works well).

APTs will target the government and military, cleared Defense contractors, and lucrative Private Industry concerns (pharmaceutical, energy, high tech).

In short, this problem must be addressed, and it must be now. The bad guys are getting better at this, and law enforcement needs help. This is no longer a purely “criminal” activity but quickly shades into national security. There must be more cooperation, and it must be soon.

A Challenge to the US STRATCOM Commander

Monday, June 21st, 2010

At day two of the AFCEA STRATCOM Cyber Security Symposium, I was a member of the Industry Panel. I took a breath and issued my challenge. Our moderator had asked each of the four panelists to make brief opening remarks on the state of industry in the cyber security issue space and to end with a “memorable” bumper sticker. It was my turn to make opening remarks.

Well, being a former Army Green Beret in the middle of a sea of engineers, scientists, astronauts and nuclear specialists, I knew I was not going to discuss tech issues. (OK, I have a Ph.D., but it is in International Relations.)

So I went with my strong suit: directness, passion and leadership. I issued a challenge directly to Commanding General of StratCom, who had graciously stayed with us throughout the day and a half conference.

“Give us your Commander’s Intent.” For the military, commander’s intent is everything. It gives subordinate and supporting parties exactly what the commander wants done. It is clear, unambiguous direction, and it outlines what success will look like. The situation may change, you may have unforeseen difficulties, but you know that you must continue to fulfill the commander’s intent. Your original plan to get there may (and almost always does) change, but the intent does not. It is the most critical part of the military’s operations order, the format that governs pretty much whatever the military does.

We in industry want to help StratCom, and its newest subordinate command, U.S. CyberCom, accomplish their mission. We want to do that, not just because it would be good business, but because we’re citizens too. To maximize our ability to do that, we need to know what the commander wants.

“Then bring us in to help you hash out how we get there.” We can tell you if your intent is achievable today. We can tell you how much we can do tomorrow, and how much in a year, 3 years, or 5 years. To do that, the military needs to invite the individuals and firms that truly want to help, not just seek business. And you must invite little guys too, not just the behemoths. If the military doesn’t invite the small firms to the table (they have some of the most innovative ideas), the big guys will not correct the omission.

“Demand new thinking of Industry.” The military cannot accept the same old ways of doing business, with marginal improvements around the edges. They have to make industry think big and deliver. If a company fails to deliver, they should be punished. I do not mean companies who try to innovate and fail; they should be encouraged. What I refer to are companies that make claims and promises but do not deliver. There should be a “price” for such a breach of trust and confidence.

“Help us force the lawyers and policy makers to find a way to efficiently and seamlessly share information about cyber attacks and probes.” Industry understands that government must protect its sources and methods, but government must also understand that industry has analogous information. We have proprietary data, methods and techniques. Firms that do stumble but choose to share the information should be protected from damaging public scrutiny. If you want to shine a light on anyone, do it to the firms who do not share when something happens, not the ones who cooperate.

“Give up the model of a medieval castle for cyber security and adopt one more akin to public health.” We are all info / intel gatherers, and we all need to feed into the common pool of data. Only if we change the way we think, to spur real information sharing, will we get ahead of the bad guys in this space.

“The Bumper Sticker: Make the Public-Private Partnership Real.” Make it something that can be operationalized. Everyone says that this is the key, but we leave it limp and symbolic when it needs to deliver added value to all our efforts.

“You need this, we need this, and Lord knows the Nation needs it.”

At the end of the conference, Air Force Gen. Chilton specifically stated that he had accepted my challenge and would indeed be issuing just such an intent statement. Thank you General. We in industry are standing by to work with your team on the next step.

GSA to move e-mail to the cloud

Wednesday, June 16th, 2010

GSA to move e-mail to the cloud – NextGov

The General Services Administration’s move to a cloud-based e-mail system is the start of a significant effort to increase efficiency governmentwide, according to an analyst from the Washington-based Brookings Institution.

GSA last week issued a request for proposals for a “software as a service” e-mail and collaboration system. The agency last month reopened a procurement for cloud computing infrastructure, including storage services and Web hosting, in an effort to move information technology to a shared mobile platform.

Darrell West, vice president and director of governance studies at Brookings, said the RFP is a big move for government, whose cloud efforts thus far have been “scattershot.”

NSA’s Meyerricks Addresses Cyber Audience

Tuesday, June 15th, 2010

At the Defense Daily Cyber Summit, Dawn Meyerricks, Deputy Director for Science and Technology at NSA, stated without hesitation that Cyber Security is NOT the same as Information Assurance (IA). Many of us gave her hearty “amens.” However, she continued to say that IA was more comprehensive and was mainly about risk management. She said cyber security was a smaller category that did not encompass risk management. I was perplexed.

In the Q&A session, I asked her if this distinction was her personal opinion or if it was an NSA position. Before she answered, I pointed out that in many circles, particularly the Department of Defense, cyber security is all about risk management and mission assurance. They see IA as a subset of cyber security. She admitted that others, many of her own colleagues, used the concepts as I outlined them. She smiled, said she was not doctrinaire about it but was willing to engage in debate. Meyerricks then made the point that the differences between various experts were evidence that we badly needed to resolve these definitional differences.

She made three other points:

1. There is a need for tailored trustworthy spaces. Clearly, everything is not the same (we behave differently in movies vs. ballgames), so we must acknowledge that we need different levels of security for different cyber activities. You demand that your online banking works all the time, but when you are using Google to do a search, you are OK with refreshing if needed.

2. We must add speed to the process to make our cyber structures moving targets. We should get the updates out FAST and look at “places” of potential vulnerabilities and give them extra protection.

3. We need to provide cyber economic incentives. These could be positive or negative. It must be determined what the pain point is that is needed to provoke good cyber hygiene.

She also made the point that forcing software designers to insure their products probably would not work. After all, health insurance will not stop cancer. Will software insurance stop software problems?

Her closing points were that we must all focus on mission outcomes, solve problems collaboratively and innovate relentlessly.

It was a useful session but would have done better to have a longer Q&A.

Louisiana’s Emergency Agency “Following” Hundreds Of Citizens On Twitter To Gather, Distribute Oil Spill Info; Embrace Of Social Media’s 2-Way Potential Is Model For Govt.

Monday, June 14th, 2010

Louisiana’s Emergency Agency “Following” Hundreds Of Citizens On Twitter To Gather, Distribute Oil Spill Info; Embrace Of Social Media’s 2-Way Potential Is Model For Govt. – In Case of Emergency

In the weeks since the Deepwater Horizon explosion, the Louisiana Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) has found itself in the middle of an evolving and unprecedented crisis. And, the agency has been relying on its new Twitter feed @GOHSEP, which has become a vital communications platform and resource.

Though the @GOHSEP feed has been up for only a month and a half, it has already become a useful model of Twitter’s use by government in emergency management crisis communications. Last month, I wrote about GOHSEP’s extra effort to thank users who were ‘retweeting’ the agency’s announcements on the oil spill — it’s the kind of small (and cost-free) reward/positive reinforcement for the public not normally done by government entities.

Survey: Cloud computing to make huge strides by 2020

Monday, June 14th, 2010

Survey: Cloud computing to make huge strides by 2020 – NextGov

Mobile computing will outpace desktop technology in the next 10 years if challenges to access, security and interoperability are overcome, according to a study from the Pew Research Center’s Internet and American Life Project released on Friday.

The report, a survey of nearly 900 Internet and technology experts, found that 72 percent of respondents believed technology users will conduct business using shared mobile platforms and smart phone applications rather than desktop computing. Easy access to information and the growing use of mobile devices will be key drivers of this trend, they said.

SCADA Systems: Are they our soft underbelly?

Monday, May 10th, 2010

If you want to scare a cyber-lay person, have them watch Bruce Willis chase virtual terrorists in “Live Free or Die Hard” and tell them it is all possible. In the film, the entire digital infrastructure of our country is brought to a standstill by a small group of very talented hackers. OK, professional analysts have told me it could not happen today. It could, however, happen in the not too distant future, particularly if present trends continue. The keys to that scenario are SCADA systems.

SCADA stands for System Control and Data Acquisition. These are really one type of Industrial Control System; however, SCADA has become the most common way to refer to them all. The simplest definition for SCADA is a computer system that monitors and controls a process, be it industrial, infrastructure or facility. Originally, they were all autonomous and monolithic; every one stood alone and was pretty much unique. The present second generation is distributed, and the third generation is networked. These systems make nearly everything we depend on run correctly; without them our lives would be quite different.

Many people think these systems are protected because most are not connected to the Internet. This is a mistake. A noted scientist from one of our national laboratories recently said that despite the fact that only 10 percent of SCADA systems are attached to the Internet, they are under constant attack. As an example, attacks on our water systems have gone up 300 percent and on the electric grids, 30 percent. The situation is similar with most of our critical infrastructure sectors.

The Department of Homeland Security (DHS) recognizes the importance of these assets. They have put together a special Industrial Control System CERT that not only deals with attacks, but does fly-away responses and special training/red teams. This development is a welcome improvement, and DHS should be commended for it.

Unfortunately, two trends are making things worse. As noted, the newest systems are networked. Additionally, they are becoming more standardized. This is understandable, because both trends make the systems they serve more efficient and cost effective. Unfortunately, they also make them more vulnerable to cyber attack.

We need to continue the efforts to defend our SCADA systems. If they are under assault when only 10 percent are Internet connected, what will happen when they are all online? DHS has made a great start, and industry is finally “getting it.” One only hopes the positive trends can catch up with the economic ones, which are driving the vulnerabilities. The bad guys know SCADA’s importance. We need to give it even more effort.

Is Cloud Computing Losing Some of its Allure?

Thursday, May 6th, 2010

At a Cloud Computing Summit this week, the questions began as, well, just questions. They were simple and basic: “Exactly what do we consider Cloud Computing;” answer (my paraphrase), “Lots of things to lots of people.”

Later, the question grew almost hostile: “What are we gaining by this;” “What is the real benefit;” and “Is this really just clever marketing?”

I remain an advocate for Cloud Computing. I am convinced that its economic, ecological and efficiency pluses will outweigh its potential downsides in the end. Talking about the cloud for the government, perhaps Air Force Maj. Gen. Dale Meyerrose, the former CIO of the Intelligence Community, said it best: “We need to stop trying to fight the inevitable.” The mostly government crowd was not so sure. They were asking tough questions and were more than a little skeptical.

Frankly, I am OK with that. Cloud Computing is a reach right now for most Government clients. Given the importance of the data with which they routinely work, I want them to ask the hard questions. Every potential cloud consumer should do the same. Often, you see clients moving toward the Cloud simply because they think “they should.” Fashion is a bad reason to go to the Cloud.

It was pounded home by the speakers that any organization considering a cloud model should follow a few key steps. Analyze what you have now (level of security, ability to retrieve data, compliance, cost of infrastructure, etc.), decide where you want to go, and then make any prospective cloud provider PROVE to you they can deliver on their promises. All the speakers said to go slow. Run trials and then pick non-critical data or apps and try it out. An incremental way forward is the only wise course.

In this case, the naturally conservative and cautious tendencies of government agencies display the right way to approach this new way to do business. We will go to the Cloud, but let’s do it right.

DHS Cyber Progress – Why Not Tell Us?

Tuesday, May 4th, 2010

I attended a superb cybersecurity event, and while I would love to give you a complete blow-by-blow recount of the excellent panel presentations and the Q&A, it was all done on a non-attribution basis.

Despite that, I do feel compelled to share some of what I heard. Hopefully by not mentioning the location of the event or the actual speaker in question, I will not forfeit my seat at the table for next time.

I have been critical in the past of the fact that DHS has not done enough about cybersecurity. I believe DHS is the correct part of the federal government to lead on cyber issues, but it always seemed that everything was on hold. It turns out I was wrong.

I knew they had established the National Cybersecurity and Communications Integration Center (NCCIC), finally giving us one central op-center for cyber. But did you know they also established a Computer Emergency Readiness Team (CERT) for industrial control system (such as SCADA) incidents? This is an enormous accomplishment and includes fly-away teams to do on-site investigations to protect these crucial parts of our infrastructure.

They have ratcheted up their efforts for real cooperation with industry, including more information sharing than ever before. There is still much to do, but they have made real progress.

There has also been a deep expansion of the DHS departments that deal with cyber issues. Some do not see expansion of a federal agency as a positive thing, but in this case, it is badly needed.

When you combine this with the quiet work being done by White House Cyber Coordinator Howard Schmidt, there indeed has been progress.

I offer my apologies to the fine folks at the Department. I do still have one other question: Why are you not trumpeting this from the rooftops? People want to know what you are up to. Tell them. Get out and spread the word. It is a good news story.

Cyber Concern In the Heartland

Thursday, April 29th, 2010

I had the privilege this past weekend to do several non-Beltway speaking engagements. They were in Michigan and included a medical conference, several college classes and a general civic group. I spoke about 9/11, the wars in Iraq and Afghanistan, my old boss (Secretary of Defense Donald H. Rumsfeld), terrorism and cybersecurity.

These groups proved to be articulate, well educated and positively starving for information they expected to come from their government. But that did not surprise me as much as the fact that by far I received the most questions about cybersecurity.

These folks knew in their guts that this was a key issue for the nation but also for them as individuals. Given that I had actually thrown out some other potentially “red meat” topics (for any end of the political spectrum), the weight of the cyber focus amazed me.

This told me something very important. Cyber is not a subject only for the denizens of DC or for the tech and security industries. America wants to join the dialog. We need to invite them in.

The National Cyber Education and Awareness Campaign called for by President Obama needs to begin now! OK, this has been (and will continue to be) one of my pet rocks, but I did not go looking for this one – it found me. The need for cyber information is huge and so is the desire to have it.

I urge the President and Secretary Napolitano to end the “studying” of this issue and take action. If nothing else, they should deploy experts around the nation to do hundreds of town hall meetings, and the effort should start tomorrow.

Former NSA executive accused of leaking classified information

Friday, April 16th, 2010

Former NSA executive accused of leaking classified information – Government Executive

A federal grand jury has indicted a former National Security Agency senior executive on 10 felony counts related to sharing classified information with the media, the Justice Department announced on Thursday.

The indictment alleges that Thomas A. Drake, a high-ranking NSA employee from 2001 through 2008, served as a source in 2006 and 2007 for newspaper articles about the intelligence agency. The indictment claims that some of the information he disclosed was classified. It does not name the newspaper, but The Washington Post has reported that it was The Baltimore Sun.

Also included in the indictment are specific references to hundreds of e-mails exchanged containing classified information. “As alleged, this defendant used a secret, nongovernment e-mail account to transmit classified and unclassified information that he was not authorized to possess or disclose,” Assistant Attorney General Lanny Breuer said. “As if those allegations are not serious enough, he also allegedly later shredded documents and lied about his conduct to federal agents in order to obstruct their investigation.”

Great Leaders Are Only One Step in Achieving Cybersecurity

Thursday, April 15th, 2010

Cybersecurity remains a key issue in the nation’s security. Numerous stories in the news show that while big things are happening, we badly need them to move in a positive direction, and soon. We have passed this ball between the branches of our government for far too long. Decisions need to be made and action taken.

Lt. Gen. Keith Alexander is now in the middle of the confirmation process that many observers hope will lead to his assuming the duties of the four-star Commander of U.S. Cyber Command. Facing intense questioning about the “dangers” of having too much power centralized in one position, Alexander continues to calmly assert that if he is confirmed, he will present no threat to Americans’ rights and privacy. Many people, including many on the Hill, still seem to fear our government more than they do the persistent and pervasive threats that bedevil our digital infrastructure and networks.

This comes at the same time that Howard Schmidt, the Cyber Coordinator on the National Security Staff, has stated that the country has “intractable” weaknesses in our abilities to defend against the cyber threats we face.

Schmidt continues a very low key execution of his duties. Often mischaracterized as the “cyberczar,” his duties do not include direct authority over the key parts of our cyber defenses. Schmidt is supremely qualified to be the senior staffer who watches over the interplay of cyber issues in the complicated federal interagency process. His job is absolutely needed, and he is the right man for it.

That said, his appointment is not and will not be a panacea for our cyber ills. We need even more leadership from DHS, DoD and DoJ. The intelligence community is also a key player but not as critical in the security sense as the others.

Congress continues to try to be helpful. Their efforts are broad and sweeping but unfortunately with little internal coordination and insufficient cooperation with the administration on many fronts. The numerous bills (some comprehensive, some with isolated provisions) that address cyber issues are often conflicting and counterproductive. All were written with the best intentions, but the result is not helpful. This too needs to be sorted out.

As an optimist by nature, I believe that we are now more secure than we were a few years ago. Unfortunately, the threats are growing faster than we can react to them. All of the imagination and intellectual power of this great nation must be unleashed on this problem.

We have made strides; the internal DoD activities of the services are heartening, as are many of the DHS initiatives. But we need so much more. Perfect security in cyber is not achievable, but we must get far better than we are now.

NSA on the Flash-Media Hunt

Tuesday, April 13th, 2010

NSA on the Flash-Media Hunt – NextGov

Shh, the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network, and any federal agency can get a copy free — no box tops or coupons required.

The NSA provided a brief tantalizing description of its USBDetect 3.0 Computer Network Defense Tool in the unclassified part of its fiscal 2011 budget request.

The software, the NSA said, provides “network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.”
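The item above does not describe how USBDetect works, but the same defensive check (noticing when removable storage is introduced to managed machines) can be built from host logs that are already collected. The following is an added example, not the NSA tool or any code from the original post: it scans constructed Linux kernel syslog lines for USB mass-storage attach events, joins them to the vendor/product ids announced for the same port, and flags devices that are not on a hypothetical approved-device list.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real captures), in the form a Linux
# kernel writes on USB attach: a keyboard on ws-042 (should NOT alert), then
# a flash drive on ws-042, then an approved drive on srv-007.
SAMPLE_LOG = """\
Apr 13 09:10:00 ws-042 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Apr 13 09:10:00 ws-042 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.0/input/input12
Apr 13 09:12:01 ws-042 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Apr 13 09:12:01 ws-042 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Apr 13 09:12:01 ws-042 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Apr 13 09:12:02 ws-042 kernel: scsi 6:0:0:0: Direct-Access     SanDisk  Ultra Fit        1.00 PQ: 0 ANSI: 6
Apr 13 09:30:15 srv-007 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Apr 13 09:30:15 srv-007 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list of "vendor:product" ids an organization has
# approved (constructed for this example; substitute your own inventory).
APPROVED_DEVICES = {"0951:1666"}

# Classic syslog prefix: "<Mon DD HH:MM:SS> <host> kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Kernel announcing a device on a port, with its USB vendor/product ids
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# usb-storage driver binding to an interface on that port (port:iface)
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbStorageEvent:
    timestamp: str
    host: str
    port: str
    device_id: str   # "vid:pid", or "unknown" if no announcement was seen
    approved: bool


def detect_usb_storage(log_text, approved=APPROVED_DEVICES):
    """Return one UsbStorageEvent per mass-storage attach found in log_text.

    The "USB Mass Storage device detected" line carries only the port, so the
    most recent vendor/product ids announced for that (host, port) are kept
    and joined in when the storage driver binds.
    """
    last_seen = {}
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a kernel line; ignore
        ts, host, msg = m.group("ts", "host", "msg")
        f = FOUND_RE.match(msg)
        if f:
            last_seen[(host, f["port"])] = f"{f['vid']}:{f['pid']}"
            continue
        s = STORAGE_RE.match(msg)
        if s:
            dev = last_seen.get((host, s["port"]), "unknown")
            events.append(UsbStorageEvent(ts, host, s["port"], dev, dev in approved))
    return events


def unapproved_hosts(log_text, approved=APPROVED_DEVICES):
    """Hosts where a mass-storage device outside the allow-list appeared."""
    return sorted({e.host for e in detect_usb_storage(log_text, approved) if not e.approved})


if __name__ == "__main__":
    for ev in detect_usb_storage(SAMPLE_LOG):
        status = "approved" if ev.approved else "NOT APPROVED"
        print(f"{ev.timestamp} {ev.host} port {ev.port} device {ev.device_id}: {status}")
```

Keyboards and other non-storage devices are announced by the kernel too, which is why the check keys on the usb-storage driver binding rather than on any USB attach.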

The 10 Riskiest Cities for Cyber-Crime

Monday, April 12th, 2010

The 10 Riskiest Cities for Cyber-Crime – Government Technology

The threat of falling victim to cyber-crime is so ubiquitous today, and some of America’s biggest cities are even more prone than elsewhere in the country, according to a well known producer of cyber-security software.

Norton from Symantec, a popular antivirus provider, teamed up with the research organization Sperling BestPlaces to discern which cities were the riskiest hot spots for cyber-security, publishing the results March 22 in The Norton Top 10 Riskiest Online Cities report. The 50 cities identified in the report make up a laundry list of the most famous places in the country.

The top 10 listed are:

1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh, N.C.
6. Atlanta
7. Minneapolis
8. Denver
9. Austin, Texas
10. Portland, Ore.

©2008 Adfero Group. All Rights Reserved.