Showing posts with label Critical Infrastructure Protection. Show all posts

May 9, 2019

@National Cybersecurity Center of Excellence



So good today to visit the NIST Cybersecurity Center of Excellence (NCCoE).

The cybersecurity solutions developed are aligned to the well-known Cybersecurity Framework (CSF). 

Got to see some of the laboratories, including demonstrations for securing the Healthcare and Energy Sectors. 

Interesting to hear about examples for securing hospital records and even things like infusion pumps.

The medical devices are tricky to secure, because they are built to potentially last decades and are expensive to replace, but the underlying technology changes every couple of years. 

Also, learned more about securing the energy sector and their industrial control systems.  

One scary notable item mentioned was about the "big red button" for shutdown in many of these facilities, but apparently there is malware that can even interfere in this critical function. 

It is imperative that as a nation we focus on critical infrastructure protection (CIP) and continuously enhancing our security.

Time is of the essence as our adversaries improve their game, we need to be urgently upping ours. ;-)

(Source Photos: Andy Blumenthal)

April 25, 2018

Obsolesce Of Nuclear Weapons


This is one incredible video. 

It shows the killing power of micro killer drones. 

With a host of cameras and other sensors including facial recognition and GPS, plus a small amount of explosives, these drones can target individuals or critical infrastructure and take them out!

The drones can work alone or in swarms to get into and kill or destroy anything. 

No VIP (very important person) or CIP (critical infrastructure protected) is safe. 

We can wipe out entire cities or the nuclear infrastructure of our enemies. 

Despite the warning about artificial intelligence at the end of this video, rest assured these killer microdrones are coming. 

Big is the new small, and small is the new big. 

In fact, big things come in small packages--exactly!  

Iran and North Korea are chasing obsolete technology to harm the U.S. and Israel, and within a short time, they will see the error of their malevolent ways.

G-d foretells us all in the Bible and like David and Goliath--a slingshot to the forehead and the fight with the evil is over. ;-)

(Thank you to Itzchak for sharing this video with me). 

October 28, 2017

Deterrence Alone Is Not A Strategy

So there is a military doctrine that has been in place for decades. 

- MAD - Mutually Assured Destruction 

If you attack the USA with weapons of mass destruction, you'll get an overwhelming response that will totally destroy your country.

This was what supposedly held the USSR at bay during the cold war. 

And even recently, President Trump threatened North Korea that they would be "totally destroyed" if they try anything on us. 

The problem is that the MAD doctrine of deterrence assumes incorrectly that you are always dealing with rational actors and not with madmen.

Let's face it, there are plenty of crazies out there, and some of whom may be willing to go down in a "blaze of glory" as long as they stand up to the United States and die a hero's death for their radicalized or "subjected" people.

Whether it's Iran or North Korea or others--we may not know what we are really dealing with here until it's too late. 

Life is not everything to these people--remember many a terrorist has died a martyr's death with the promise of 72 virgins in heaven awaiting them.

To some, as Prime Minister Golda Meir stated:
"Peace will come when the Arabs will love their children more than they hate us!"

Hate by virtue of perceived injustice, required Jihad or "holy war," brainwashing or threats and the desire for a "glorious death" standing up to the infidels or the "great Satan"...any or all of these can contribute to ignoring the consequences.

Israel has tried to deter horrible homicide bombers/and other mad terrorists from performing their evil misdeeds on the civilian population by for example, demolishing the terrorist homes as a potent consequence that they know going into it, yet many terrorists still wear the explosive vests and detonate anyway.

Similarly, North Korea despite the President's threat that they "will be met with fire and fury like the world has never seen," brushed it off and shot off more volleys of ICBMs and threatened to engulf Guam in fire. 

- The point is that deterrence alone is not a strategy!

If our enemies can hit us with a devastating attack--whether WMD, cyber, EMP, or quantum attack-- that can inflict immeasurable harm on us--they may actually choose to take their best shot, rather than wait for us to hit them or continue to feel disrespected, subjected, inferior, and hopeless.

To someone on the radical fringes or the mental edge, maybe--just maybe--they will do the unthinkable and surprise us.

What good will our fire and fury counterstrike do us, when our cities are in ruin and our people dead and dying en masse. 

Revenge isn't so sweet when your family, homeland, and virtually everything you know and held dear is gone.

The only real military strategy is to be able to defend ourselves and AVOID getting a homeland catastrophe!

We need massive investment and expertise in missile defense, bio defense, cyber defense, quantum computing, and expansive hardening of our critical infrastructure.

Unfortunately, as naysayers to the threats abound, we are nowhere near where we need to be in protecting the homeland.

If one person falls from the high wire and smashes their head, what good is it that the other person falls and suffers similarly or worse. 

The point is not to fall, not to get hurt, not to die, not to have our country and way of life destroyed.

Deterrence does not guarantee this security to the country--especially when dealing with no shortage of radicalized nuts out there. 

Only a genuine defense that can STOP and counter the threats BEFORE a devastating attack happens and hits us is a strategy worth pursuing ...and THEN you can punch the other person squarely in their devil's face!

Without an adequate defensive strategy, get ready, because every high flying act eventually falls to the ground and hits their head hard. ;-)

(Source Photo: Andy Blumenthal)

October 23, 2017

Cybersecurity Vulnerabilities Database

There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 

And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!

Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20-days!

Additionally, China's database has thousands of vulnerabilities identified that don't appear in the U.S. version. 

Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 

Why the lag and disparity in reporting between their systems and ours?

China uses a "wider variety of sources and methods" for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources--hence, it's a "trade-off between speed and accuracy."

For reference: 

The Department of Commerce's National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).

And the NVD is built off of a "catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp."

Unfortunately, when it comes to cybersecurity, speed is critical.

If we don't do vastly better, we can be cyber "dead right" before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  ;-)

(Source Photo: Andy Blumenthal)

October 19, 2017

Never Ever More Vulnerable

So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.

As we all know, our cybersecurity has not kept near pace with our ever growing reliance on everything technology.

There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 

Energy
Transportation
Agriculture
Banking
Commerce
Health
Defense
Manufacturing
Telecommunications

If ANYTHING serious happens to cripple our technology base, we are toast!

From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to an EMP blast that simply fries all our electronic circuitry--we are at the mercy of our technology underpinnings.

Don't think it cannot happen!

Whether it's WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP--these are just a few of the recent cyber events of 2017!

Technology is both a blessing and a curse--we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!

This is not just a risk that life could become more difficult or inconvenient--it is literally an existential threat, but who wants to think of it that way?

People, property, and our very society are at risk when our cybersecurity is not what it must be.

It's a race of defensive against offensive capability. 

And we can't just play defense, we had better actually win at this! ;-)

(Source Photo: Andy Blumenthal)

January 14, 2017

Our Assets Are Compromised

So in the games that nations play, spy games is #1 on the hit parade.

Of course, it's about using information to get a strategic advantage. 

It runs the gamut from pure espionage in terms of stealing state secrets and intellectual property to conducting stealthy subversive acts to undermine enemies and competitors. 

Whatever spies do, it's all about compromising assets...whether they be human, information, or critical infrastructure. 

From turning patriots into traitors, words into info warfare, or critical infrastructure into trojan horses ready to im/explode...whatever leads to getting the upper-hand or advantage.

What one nation comes to rely on for their sustainment and survival is instead exploited and turned against them like a trojan horse or modern-day malware.

And with people, using money, sex, ideology, compromising material (Kompromat), or threats against loved ones--it's simply about appealing to either opportunism or extortion. 

So truly defense means protecting not only what is before one's eyes, but also what is in the rear and at the flanks.

When the over 21 million personnel records and background investigations were stolen from OPM on virtually all federal employees (civilian, military, and intelligence personnel) a door was left open and the demon is still hiding and waiting to cross the threshold, infiltrate, exfiltrate, and compromise.

As a society that meaningfully values an open and transparent democracy, we can perhaps too easily become lured or lax to common sense safeguards and vigilance, but that does not excuse negligence, incompetence or stupidity.

Rich people and countries around the world can unknowingly falter by becoming overly comfortable and full of themselves...to the point where many don't fully care about their jobs or their country, as they sit in their mansions, designer clothes, and with busting bellies.

From the need to vastly improve our competencies in cyberwarfare to defending ourselves from a tidal wave of global terrorism to upgrading the U.S. nuclear triad against resurgent superpowers and dangerous rogue dictators, we have let our guard down to compromise.

Is expelling 35 Russian diplomats an effective strategy against their technical attempts to subvert our free and democratic elections or does it just underscore how vulnerable we continue to be?

When as a country and with our leadership, we decide to get serious rather than stay scared and war weary then we will not only stand firm again, but fight against weakness and compromise of ourselves. ;-)

(Source Photo: Rebecca Blumenthal)

October 6, 2016

Preventing Cyber Disaster

So I liked this ad from Palo Alto Networks on the side of the bus, over the windows:
"Dinosaurs react.
Professionals prevent."

That's some very good marketing for a cyber security company.

It's almost a daily occurrence now to hear about the infiltrations into our networks and exfiltrations or manipulations of data that is taking place across government and industry.

Just today again, another NSA contractor accused of stealing highly classified computer code.

The day before, Guccifer 2.0 and WikiLeaks released a trove of stolen documents from the Clinton Foundation.

And again, J&J reveals that its insulin pump is vulnerable to hacking following allegations in August that St. Jude heart devices were subject to life-threatening hacking.

Certainly, we can't afford to sit back and wait to react to the next attack...damage control and remediation is much harder than getting out in front of the problem in the first place. 

Prevention and deterrence is really the only solution...keep the hackers out and make sure they know that if they mess with us and our systems that we can identify who they are, find them, and take them out. 

These are the capabilities we need and must employ to dominate the cyber realm. 

In the presidential debates, candidates struggled to articulate how to deal with cybersecurity.

But this is not a game of cyberopoly, rather national security, critical infrastructure, vital intellectual property, and our economy is at risk. 

Giving away Internet control and trying to plug leaks after the fact on a sinking cyber ship is no way to manage our vital technology resources.

It's high time for the equivalent Cold War determination and investment that ensures we win a free and safe cyberspace with all our networks and data intact. 

This is the only way that we don't go the way of the dinosaurs. ;-)

(Source Photo: Andy Blumenthal)

July 24, 2016

Defeating Terrorism Not Optional

So in today's New York Times Sunday Review, David Rieff provides some insights on the state of terrorism that we are living with. 

Two very concerning points he makes:

1) A resignation that not much can be done: There are limited security resources, but infinite points for terrorists to strike. As he says, "Not all these attacks can be stopped....there is no way to police every subway station, cafe, and public square."

2) Many of our leaders are in convenient denial or disengaged: They see the daily terrorist attacks and their response is a rote rejoinder to either join for a brief memorial, slough it off altogether, or even make a joke of it (as if murder is a laughing matter). Rieff repeats even a recent interview with President Obama where he makes light of the impact of terrorism in that it doesn't pose "an existential threat to the United States or the world order." Unless of course, it escalates and involves weapons of mass destruction or potentially taking out significant portions of our nation's critical infrastructure.

This just seems so different than how our nation has raised itself up in past conflicts and to win them:

In World War II, the Allies were committed to defeat Nazi Germany, and they did, including through D-Day, one of the largest and bloodiest invasions in history.

President Reagan helped win the Cold War, by labeling the Soviets the "evil empire" and setting America on a major military buildup, one that the Soviet Union could not afford and eventually withdrew from. 

After 9/11, President Bush vowed that we would get Osama Bin Laden "dead or alive," no matter how long it takes, and eventually we did!

Over and over, the odds were not great and the stakes were enormous, but a positive attitude and the commitment to win took us a long way. 

In contrast now an attitude of defeatism has set in with Rieff declaring that "the stark truth is that the number and lethality of terrorist attacks are far likelier to rise than to diminish in the near future," and as he quotes the French Prime Minister Manuel Valls as saying, "Times have changed, and we should learn to live with terrorism."

How can anyone agree with that--should we really resign ourselves to learn to live with random acts of violence, murder, and terror? 

Rieff ends with that "the best we can hope for is to hold on to enough of our humanity to have a chance of clawing back the rest when the war ends, as all wars do."

I do not believe that this is good enough!

Not identifying the enemy, disengaging from global events or leading from behind, appeasement of sworn enemies, removing sanctions and releasing terrorists from GITMO, getting soft on terror saying it's not so bad out there that "the birds were [still] chirping and the sun was out," and giving up on defeating it...is a losing attitude and proposition and one that will only result in more heartbreaking and innocent deaths.

Dismissing or belittling the issue, defeatism, and jokes will not defeat terrorism, but a commitment to do whatever it takes to save lives and protect our nation will, as has been the case from Hitler to Bin Laden, and so it will be again. ;-)

(Source Photo: Andy Blumenthal)

February 25, 2016

Terrified Of Terrorism

Sure there are terrorism scares that are just hoaxes, and generally-speaking, we feel quite protected by our nation's values, wealth, and entrepreneurial spirit, by Homeland Security, and by being surrounded with the Atlantic and Pacific Oceans and our friendly neighbors Mexico and Canada. 

So we can be very assured--no fear, right?  That's what we need and want to function normally in every day life.

But perhaps behind the veil of daily bravado is a not-so subtle fear about something really bad happening again--whether a 9/11 or a San Bernardino or a Boston Bombing or anything in between or even possibly more extreme, including attacks on our critical infrastructure (via kinetic means, cyber attacks, or EMP weapons) or even attacks with WMD (from anthrax to nukes in suitcases)--there are certainly plenty of attack vectors, means, and bad actors.

It was interesting-scary, the other day, there was a video circulating on Facebook of a "radical Muslim"-like character with a turban or something distinctive (I can't really remember) and carrying a backpack. In scene after scene, the character goes up to innocent bystanders and throws his backpack in their direction. The people didn't know him or what was in the backpack or why he was throwing it in their direction. Yet, over and over again, the people jumped up hysterically in fear running for cover like there was very possibly no tomorrow. 

Similarly, we watch on the news almost daily of terrorist attacks around the world--school attacks, beach attacks, restaurants and cafe attacks, theater attacks, grocery store attacks, house of worship attacks, funeral attacks, ambulance attacks...and there literally is no end to this list of what and who is considered a legitimate target by terrorists--we all are.

In the last couple of weeks, there was surveillance captured of Muslim women visiting a number of synagogues in Miami around the same time and asking questions suspiciously--could they have been staking these out for possible future attack, similar to the attack on a Jerusalem synagogue with butcher knives, axes, and guns that massacred people praying and in devotion to their maker?

In the last half a year, we have seen terrorism morph in Israel from volleys of missiles indiscriminately shot at cities, tunnels to attack and abduct, and suicide/homicide bombings to become up close and personal butcher knife attacks in the throat, chest, and back of victims old, young, man, women. Everyone who is available to kill is being called to martyrdom, even the most little children being indoctrinated to slash and thrust a knife into any unsuspecting victim. 

So as we listen and watch the goings-on in the world and we say to ourselves those attacks happen in Paris and London and Turkey and Ukraine and Libya and Tunisia and Nigeria and Yemen and Lebanon and Syria and Iraq and Kuwait and Pakistan and Afghanistan and India and Indonesia and and and...but not [so much] over here. 

We say it, and we hope it, and we pray it, but in the back of our minds we instinctively fear otherwise. 

So while panic is certainly not helpful, perhaps phony bravado is not what is really needed either, but rather a renewed focus, investment, and commitment to our security--with more gates, guns, guards, intelligence, and advances in technology to stop the next attack(s). ;-)

(Source Photo: here with attribution to Irina Slutsky)


February 9, 2016

Cybersecurity Lost In Unknowns

Today unveiled is a new Cybersecurity National Action Plan.

This in the wake of another Federal data breach on Sunday at the Department of Justice where hackers stole and published online the contact information for 9,000 DHS and 20,000 FBI personnel.

And this coming on the heels of the breach at OPM that stole sensitive personnel and security files for 21 million employees as well as 5.6 million fingerprints.

While it is nice that cybersecurity is getting attention with more money, expertise, public/private partnerships, and centers of excellence.

What is so scary is that despite our utter reliance on everything cyber and digital, we still have virtually no security!

See the #1 definition for security--"the state of being free from danger or threat."

This is nowhere near where we are now facing threats every moment of every day as hackers, cybercriminals, cyber spies, and hostile nation states rapidly cycle to new ways to steal our secrets and intellectual property, commit identity theft, and disable or destroy our nation's critical infrastructure for everything from communications, transportation, energy, finance, commerce, defense, and more. 

Unlike with kinetic national security issues--where we regularly innovate and build more stealthy, speedy, and deadly planes, ships, tanks, surveillance and weapons systems--in cyber, we are still scratching our heads lost in unknowns and still searching for the cybersecurity grail:

- Let's share more information

- Let's throw more money and people at the problem.

- Let's seek out "answers to these complex challenges"

These have come up over and over again in plans, reviews, initiatives, and laws for cybersecurity.

The bottom line is that today it's cyber insecurity that is prevailing, since we cannot reliably protect cyber assets and lives as we desperately race against the clock searching for real world solutions to cyber threats. 

Three priorities here...

1) Build an incredibly effective intrusion protection system
2) Be able to positively tag and identify the cyber attackers 
3) Wield a powerful and credible offensive deterrent to any threats ;-)

(Source Photo: Andy Blumenthal)

June 25, 2015

18 Million--Change The SSNs

So, maybe one of the most detrimental heists of information from the Federal government in history.

Now involving over 18 million current and former federal employees, including military and intelligence personnel. 

No getting around it, but we are major screwed here--this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out--its people.

Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel--generals, spy masters, political kingpins, and other key decision makers--thereby distracting them from their duties of safeguarding our nation. 

This is our new Achilles Heel and overall a security disaster bar none!

Well, we can't go back and put the genie back in the bottle--although wouldn't it be nice if such critical information (if not encrypted--already unforgivable) would have a self-destruct mechanism on it that we could at least zap it dead.

But for the people whose personal identities are at risk--whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised what can we do? 

While we can't very well change people's DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling in this information in the black markets.
 
If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 

This is not rocket science, and certainly we owe this much to our people to help protect them.

Will our government be there for its own employees and patriots? ;-)

(Source Photo: here with attribution to Donkey Hotey)

June 5, 2015

People Are Our Greatest Asset, Goodbye!

The Chinese are smart and talented, and there is a cyberwar going on. 

They are suspected of having just stolen the personnel information of 4 million federal government workers.

And there are 4.2 million active, including 1.5 million military personnel. 

So if as they are apt to say, "people are our greatest asset"...

...then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing. 

Oops!

This is getting scary folks. 

When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything...then we got some big vulnerabilities!

If we can't defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! ;-)

(Source Photo: Andy Blumenthal)

March 2, 2015

Metro Wide Open

I took this photo in the Washington, D.C. Metro today. 

What do you think it is?

Lots of electronics, wires, lights--and in front of it and holding the door open is a "caution" pylon. 

This is one of the faregates to get into the metro system for the Capital region. 

Now how "smart" is it to leave the door wide open to this contraption. 

Usually the basics of physical security are gates, guards, and guns--in this case, the gates part is broken.

The Department of Homeland Security was provided another week of funding to work out the immigration mess pitting Congress against the President...

But even with DHS still up and running, security is looking a little too wide open again. ;-)

(Source Photo: Andy Blumenthal)

January 26, 2015

Safeguarding D.C.

I took this photo the other day of a truck loaded from front to back with compressed gas cylinders in downtown, Washington, D.C.

I understand that there are strict safety regulations for this. 

Although with this truck just sitting out on the street, apparently not moving or even attended as far as I could see, I was a little concerned.

At the same time, coming to work today, there was someone marching down the street yelling "Allah"--again and again--sort of talking to themselves yet screaming something that wasn't intelligible, at least to me. 

Not that there is anything wrong with freedom of expression, but it just seemed a little wild and scary on the darkened streets. 

I couldn't help think about this gas truck with all these gas containers from the other day...and are we keeping things as safe as they need to be. 

We take a lot for granted in terms of our security, but are we perhaps getting a little overconfident so many years after 9/11 now. 

Hopefully, we're all good, but we need to be careful, vigilant, and safe! ;-)

(Source Photo: Andy Blumenthal)

December 16, 2014

Chaos On Metro

Sheer chaos on the Washington, D.C. Metro this morning. 

A water main break suspended the running of the Orange, Blue, and Silver lines.

The Metro spokesperson told me pointing with his hand up to his neck that the water was filling the tunnels and getting way up there--nice!

At the same time, disabled trains on the Red line brought things to a "Major Delay," followed by the offloading of crowded trains because the conductors couldn't get the doors shut.

At the stations themselves, numerous escalators were out of commission, you can see them at both ends of the station here, and the people were backed up all along the platforms.

At one point, I got caught on the edge of a platform with a huge crowd pushing up against me, and had to tell the person behind me to please take a step back (that I didn't want to end up on the tracks, why thank you, and believe it or not, some not-so-nice people actually laughed at that!). 

Unfortunately, it didn't take much to see how most of the city can be brought to a snarl or taken right out of commission.

After 9/11, one has to ask, what have we learned as the Capital of the nation that our basic infrastructure and support systems cannot endure the ups and downs of weather and age, let alone G-d forbid another attack on our soil. 

Hopefully, someone will wake up and step up the planning and preparations here, rather than just spending trillions abroad and with what results. ;-)

(Source Photo: Andy Blumenthal)

September 13, 2014

6 D's Of Cyberwar

Popular Science had an interesting article that spelled out the six D's of Cyberwar:

On the offensive side, you want to destroy, deny, degrade, disrupt, and deceive.

"Unlike World War II code breaking, cyber attacks offer the potential to not just read the enemy's radio, but to seize control of the radio itself."

- Step 1: Infiltrate the enemy's networks and communications and gather/exfiltrate information.

- Step 2:  Compromise the enemy's information either by:

1) Corrupting the enemy's information, planting misinformation, sowing erroneous reports, and causing poor decision-making.
2) Taking control of their networks, disabling or jamming them, and disrupting their command and control or harming their critical infrastructure and causing mass confusion, destruction, and death.

Examples are "not merely to destroy the enemy's tanks, but to make them drive in circles--or even attack each other" or to cyber attack an enemy's control systems for electricity, dams, transportation, banking, and so on.

With the ability to steal information, sow misinformation, seize control, or even stop the information flow altogether, cyberwar is not just another weapon in our arsenal, but "a tool to help achieve the goals of any given operation."

On the flip side, you want to defend against the enemy's use of cyberspace to hurt us.

We need to continue to get serious about cyberwarfare and cybersecurity and become the masters in the information domain, and quickly. ;-)

(Source Photo: Andy Blumenthal)

July 21, 2013

Like Buying A Nuke On The Black Market

Buying a serious computer vulnerability is now like acquiring a nuke on the black market. 

Nations and terrorists will pay to find the fatal flaw in computer programs that will enable them to perpetrate everything from subversive cyber spying to potentially massively destructive cyber attacks. 

As the world is focused on nuclear non-proliferation, computer weapons are the new nukes--able to do everything from a targeted strike on an organization or agency to taking out vast swaths of our nation's critical infrastructure.

According to the New York Times (13 July 2013), there is great interest in buying "zero-day exploits"--those where governments or hackers can strike using a computer vulnerability before anyone even knows about it and can correct it.

The average zero-day exploit persists for "312 days--before it is detected"--giving ample time for attackers to cash in!

Brokers are now working to market the computer flaws for a 15% cut, with some even "collecting royalty fees for every month their flaw is not discovered."

The average flaw "now sells for around $35,000 to $160,000" and some companies that are selling these are even charging an annual $100,000 subscription fee to shop their catalog of computer vulnerabilities, in addition to the cost for each one, which varies with its sophistication and the pervasiveness of the operating system behind the exploit.

While governments and terrorists are on the prowl to buy the exploits for offensive purposes, technology companies are competing to purchase them and are offering "bug bounties" in order to identify the flaws and fix them before they are exploited. 

We've come a long way from people and organizations buying software with their regular upgrades and patches to nations and hackers buying the knowledge of the flaws--not to patch--but to spy or harm their adversaries. 

You can buy the bomb shelter or software patch, but someone else is buying the next more lethal bomb or vulnerability--the question is who will pay more to get the next exploit and when and how will they use it. 

(Graphic by Andy Blumenthal adapted from here with attribution for the mushroom cloud photo to Andy Z.)

May 22, 2013

Blackout Nation

We are reaching an exciting but dangerous phase of technology adoption where our dependence is virtually complete. 

From mobile to social computing, from telecommunications to transportation, from industrial systems to electronic health records, from banking to eCommerce, from homeland security to national defense--we are dependent on technology.

But while technology proliferates everywhere, so do the risks. 

Bloomberg BusinessWeek (16 May 2003) in an article called "The City That Runs On Sensors" talks about how initiatives like IBM's smart-cities are bringing sensors and technology to everything running our towns--"Smart [city] innovation is improving our economic fabric and the quality of our life."

The flip side is an editorial in today's Wall Street Journal by former CIA director James Woolsey and Peter Pry, who served on the congressional EMP commission, warning how "A single nuke exploded above America could cause a national blackout for months" or years (stated later in the article).

They write that "detonating a nuclear weapon high above any part of the U.S. mainland would generate a catastrophic electromagnetic pulse" (EMP)--and that this "would collapse the electric grid and other infrastructure that depends on it."

This would be a national blackout of epic proportions that would impact all areas for 21st century sustainment of 311 million lives. Think for yourself--what would you be able to do and not do without the computers and telecommunications that you use every day? 

Woolsey and Pry call for a preemptive surgical strike, for example, to prevent North Korean development of an ICBM capable of inflicting a nuclear EMP strike, but you can imagine other nations that pose a similar threat.

While we beef up our Cyber Corps and attempt to strengthen our tools, methods, and configurations, this is just the tip of the iceberg when it comes to securing cyberspace.

Cybersecurity is more than just protecting us from malware infiltration and exfiltration--because the whole IT system that our society is built on can be wiped out not by cyber attack alone, but rather by collapsing the very electronic infrastructure that we rely on with a pulse of electromagnetic radiation that will fry the very circuits that run our devices. 

While we build firewalls and put up intrusion detection and prevention guards and establish a court system of antivirus and spamware to put away violators and so on, how shall we prepare for a pulse attack that can incapacitate the electronic underpinnings--security and all?

"Star Wars" missile defense, preemptive action, and hardening of critical infrastructure are all security options--it costs money to keep the IT lights on, but better to pay now than pay catastrophically bigger later. ;-)

(Source Photo: Andy Blumenthal)



April 20, 2013

Survivable Water Pipes

When an earthquake strikes, it is not just the immediate loss of life that is a concern, but the longer-term damage to critical infrastructure and the effect on human survival. 

As we know, water is critical to every living creature, and in an earthquake, when there is damage to the water infrastructure, such as the underground piping, people can be left without this basic life-sustaining commodity. 

When traditional solid cast-iron piping is used, an earthquake can cause it to deform and buckle. However, with a new ductile pipe design by the Japanese company Kubota, the pipes are built in a chain-like fashion and expand and contract, flex and bend, but do not easily break.

According to the Wall Street Journal (14 April 2011), Kubota earthquake-resistant pipes even withstood the 9.0 quake in Japan in 2011, and they can withstand "shaking, landslides, and extreme temperatures."

Now Los Angeles is piloting this pipe along 2 miles of its 7,000 miles of piping--they are focusing on "the most vulnerable, fault-line-adjacent areas," since the piping is 2 1/2 times the price of regular piping. 

In the absence of having a device like the Star Trek Replicator to synthesize food and water on the fly, it makes a lot of sense to upgrade our water systems and other critical infrastructure to protect us from the disasters that come. 

"Tea, Earl Grey, Hot" needs to be available not just in good times, but also in bad. ;-) 

(Source Photo: Kubota)

March 13, 2013

Balancing Cybersecurity And Citizen Freedom


There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012). 

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable searches and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities, so “clean” traffic is promptly removed from the system.

4. Privacy protections are ensured through review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a recurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms--whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Piracy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PPD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PPD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. ;-)

(Source Photo: Andy Blumenthal)
