Showing posts with label Critical Infrastructure Protection. Show all posts

March 13, 2013

Balancing Cybersecurity And Citizen Freedom


There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012). 

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable search and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities--so "clean" traffic is promptly removed from the system.

4. Privacy protections are ensured through review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a recurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms--whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Privacy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PDD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PDD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. ;-)

(Source Photo: Andy Blumenthal)


February 27, 2013

Cyberweapons Power Up

If you haven't heard of Project Aurora, this is a wonderful segment from 60 Minutes on this cyberwar project.

Faced with some of the worst case scenarios for cybergeddon, Idaho National Labs set out in 2007 to test what would happen to a 27-ton power generator if the researchers hacked into it from a mere laptop. 

The turbine was sent instructions that would essentially tear itself apart--and in the video you can see what happened--it shudders, shakes, smokes, and ultimately destroys itself. 

The test was a grand success demonstrating our capabilities to conduct cyberwar operations against an adversary.  

Interestingly, Reuters reported that Symantec researchers uncovered a version of Stuxnet from the end of 2007 that was used two years later to destroy about 1,000 Iranian centrifuges used in their Natanz nuclear uranium enrichment facility for alleged development of weapons of mass destruction.

The flip side of this cyberwar test is the realization of the potential blowback risk of cyberweapons--where adversaries can use similar technology over the Internet against our critical infrastructure--such as SCADA industrial control systems for the power grid, water treatment, manufacturing, and more--and cause potentially catastrophic events.

As stated toward the end of the video, this is a type of "pre 9/11 moment" where we identify a serious threat and our vulnerability and we need to act to prevent it--the question is will we? 


February 10, 2013

The Anti-Drone Drone


Last week Fox News reported on how the British were deploying tiny drones that can now fit in the palm of one's hand. The Black Hornet Nano is only 4 inches long, weighs about half an ounce, and carries a camera that can take stills and video and transmit them back to a remote terminal. 

Drones are becoming ubiquitous weapons of war, homeland security, law enforcement and more. 


As other nations advance their drone programs, our efforts must be not only offensive, but also defensive--The Guardian reported (22 April 2012) that Iran has already claimed to have reverse engineered the Sentinel drone they captured in 2011 and are making a copy of it--perhaps lending some credence to this, this past week they also showed surveillance footage that they claim came from the captured drone.


So how do you protect against drones--big and small?


While you can lock on and shoot down a big Predator drone out of the sky, drones as small as tiny bugs are going to be a lot harder to defend against. 


The bug-like drones may not only carry surveillance equipment in the future, but could even carry a lethal injection, chemical or biological agents to disable or kill, or perhaps even weapons of mass destruction. 


Moreover, they may not attack onesies-twosies, but in mass swarms like locusts ready to swoop down and destroy our crops, our lines of communications, and all sorts of critical infrastructure.


The Atlantic (6 Feb. 2013) describes the idea for a "Drone-Proof City" of the future that someone came up with for an extreme architecture class. 


Like cities in World War II that camouflaged entire sections with green military netting and other subterfuges, the idea here would be to create a "sanctuary" or "compound" that would provide a safe-zone from drones. 


Whether using tall Minarets, cooling towers, other high-rise buildings and even window grills to obstruct the drones, or a "latticed roof" to create distracting shade patterns, or a climate-controlled city interior that could confuse heat-seeking missiles--all good ideas are welcome. 


Of course, there are other options too, such as an anti-drone laser system that could shoot them down, electronic countermeasures that could confuse, self-destruct, or otherwise take control of them, or even anti-drone drones--that would be specialized drones that could seek and destroy enemy drones in waiting or about to attack.


Drones everywhere--and nowhere to hide--we will need some extreme architecture to take out these buggers. ;-)


(Source Photo: here with attribution to Ars Electronica)


January 28, 2013

Safeguarding Our Electrical Grid

Popular Science (28 January 2013) has an interesting article on "How To Save The Electrical Grid."

Power use has skyrocketed with home appliances, TVs, and computers, causing a significant increase in demand and "pushing electricity through lines that were never intended to handle such high loads."


Our electrical infrastructure is aging with transformers "now more than 40 years old on average and 70% of transmission lines are at least 25 years old" while at the same time over the last three decades average U.S. household power consumption has tripled!


The result is that the U.S. experiences over 100 mass outages a year to our electrical systems from storms, tornados, wildfires and other disasters.


According to the Congressional Research Service, "cost estimates from storm-related outages to the U.S. economy at between $20 billion and $55 billion annually."


For example, in Hurricane Sandy 8 million homes in 21 states lost power, and in Hurricane Irene, a year earlier, 5.5 million homes lost electricity.


The solution is to modernize our electrical grid:


- Replace a linear electrical design with a loop design, so a failure can be rerouted. (Isn't this basic network architecture where a line network is doomed by a single point of failure, while a ring or mesh topology can handle interruptions at any given point?)


- Install "fault-current limiters" as shock absorbers so when there is a surge in the grid, we can "absorb excess current and send a regulated amount down the line" rather than causing circuit breakers to open and stop the flow of electrical power altogether. 


- Create backup power generation for critical infrastructure such as hospitals, fire stations, police, and so on, so that critical services are not interrupted by problems on the larger grid. This can be expanded to installing solar and other renewable energy resources on homes, buildings, etc. 


- Replace outdated electrical grid components and install a smart grid and smart meters to "digitally monitor and communicate home power" and automatically adjust power consumption at the location and device level. Smart technology can help manage the load on the grid and shift non-essential use to off-hour use.


The estimated cost for modernizing the U.S. grid is $673 billion--but the cost of a single major outage can run into the tens of billions alone. What will it take for this investment to become a national priority?


I would add an additional solution for safeguarding our electrical grid by beefing up all elements of cyber security from intrusion detection and prevention to grid protection, response, and recovery capabilities. Our electrical system is a tempting target for cyber criminals, terrorists or hostile nation states that would seek to deprive us of our ability to power our economy, defense, and political establishments.


While energy independence has become feasible by 2020, we need to make sure that we not only have enough energy resources available, but also the means for reliable and secure energy generation and distribution to every American family and business. ;-)


(Source Photo: Andy Blumenthal)


July 1, 2012

The Heat Is On But Something Is Off


The Huffington Post (28 June 2012) ran an article this weekend called "Land of the Free, Home of the Unprepared."

This at a time, when the United States East Coast is battling a heat wave with temperatures over 100 degrees for days running.

Emergencies have been declared in many states, including Maryland, Virginia, West Virginia, Ohio, as well as in Washington, D.C.

On top of that, an early weekend storm with hurricane-force winds took out the power for millions!

Utilities described the damage to the power grid as "catastrophic" with restoration taking up to a week for some.

People were seeking refuge from the heat with no power at home for air conditioning, refrigeration, or telecommunications.

Everywhere--at Starbucks (the garbage was piled high), Barnes and Noble, the Mall, people were sprawled out in chairs and even on the floors, and were powering up their devices wherever they could find an outlet.

Moreover, there were long lines at gas stations and supermarkets, where power was working for some.

Many street lights were out at intersections and many other stores were either closed or only taking cash.

While catastrophes do happen including natural disasters, the frequency, duration, and impact in the Washington, D.C. area--the Capital of the United States--is ridiculously high.

I could not help thinking that if something more serious struck--whether terrorism, pandemic flu, a serious earthquake, or whatever, 11 years after 9/11, we seem really ill prepared. 


We need to get our game on, not only when the heat is up, but for disaster preparedness in general.

(Source Photo: Andy Blumenthal)



June 25, 2012

Security Advisory For Architecture Drawings

Dark Reading (21 June 2012) came out with security news of an AutoCAD worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC magazine (24 June 2012).

This malware was discovered by computer security firm ESET.

This is a serious exploitation in the industry leader for computer-aided design and drafting that is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China. 

With information on our architectural structure and designs for skyscrapers, government buildings, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents. 

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to "air gap" sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)


June 23, 2012

Biosecurity--Where Every Moment Counts

A biological attack on the United States is a most frightening prospect and one that could present an existential threat to us. 

Just the very mention of bio-warfare agents such as anthrax, ebola, smallpox, bubonic plague, and others is enough to provoke sheer terror in most people.

BioWatch is a program managed by the Department of Homeland Security (DHS) in partnership with the Centers for Disease Control (CDC) and the Environmental Protection Agency (EPA) to monitor for a biological attack.

According to Bloomberg Businessweek (21 June 2012) bio-surveillance is currently conducted in 30 metropolitan areas around the country using 600 air filters to detect pathogens, where samples are collected daily and taken to labs for analysis in what amounts to a 36 hour turnaround to determine if there is a hazard. 

A new technology made by Positive ID or Northrop Grumman collects samples four times a day and analyzes them on the spot for bacteria, viruses, and toxins, and sends the results to officials by secure network in as little as two hours.

The shorter time to detection will give more time to save lives by getting drugs and vaccines to the field sooner and prevent the spread from person to person.  

DHS wants to deploy 2,500 of these new sensors and the bio-attack alert system at a cost of approximately $5.7 billion, if Congress approves. 

If this bio-sensing system proves out functionally, then the price tag seems well worth it. 

Bioweapons, like cyber-attacks, can cause widespread panic as well as disruption to our everyday way of life; however, a bio-attack has the added feature of making people symptomatic and infecting them with deadly and painful illnesses.

Cyber attacks can infiltrate and take out our critical infrastructure, but biological attacks can directly destroy our physical bodies and the population itself. 

A bio-attack and a cyber-attack together could devastate us by attacking us while at the same time inhibiting our ability to deliver medication and quarantine those that are ill and so on. 

In addition to grossly improving on our cyber defensive (and offensive) capabilities, we must do everything we can to enhance our biosecurity--this means upgrading our preparedness for bio-terrorism and bio-warfare using the latest technologies available to sniff out and identify a bio attack and alert us so we can respond timely, while we still can.

(Source Photo: here with attribution to U.S. Department of Defense)


June 3, 2012

Raising The Bar On Cybersecurity



Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.

There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.

Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.

There is a lot riding over the Internet--power, transportation, finance, commerce, defense, and more--and the vulnerabilities inherent in this are huge!

Some notable quotes from the video:

- "Spying, intrusions, and attacks on government and corporate networks occur every hour of every day."

- "Some sort of cyberwar is generally considered an inevitability."

- "Cyberwar although a scary term--I think it is as scary as it sounds."

- "Right now the bar is so low, it doesn't take a government, it doesn't take organized crime to exploit this stuff--that's what's dangerous!"

We all have to do our part to raise the bar on cybersecurity--and let's do it--now, now, now.


June 1, 2012

Cyberwar, You're On

There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations' "increasingly sophisticated [cyber] attacks on the computer systems that run Iran's main nuclear enrichment facilities"--sabotaging as many as 1,000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States' National Security Agency and Israel's advanced cyber corps, Unit 8200.

The malware included programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back as 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranians' sinister nuclear program while economic sanctions have a chance to bite.

Additionally, cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle East.

At the same time, the use of cyber weapons is a double-edged sword--if we use it on others, this may encourage cyber proliferation and its eventual use on us--and as the NYT writes, "no country's infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States."

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon's Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X--"ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation."

"If they achieve it, they're talking about being able to dominate the digital battlefield just like they do the traditional battlefield."

The "five-year $110 million research program" is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace--create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks. 

2) Building A Survivable O/S--Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) "capable of launching attacks and surviving counterattacks."

3) Develop (Semi-)Autonomous Cyber Weapons--so cyber commanders can engage in "speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code."

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers and ending there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

"Cyberwar could be more humane than pulverizing [targets]...with bombs," but I doubt it will be. 

Imagine, everything you know coming to a complete halt--utter disruption and pandemonium--as well as the physical effects of that which would ensue--that's what cyber war is all about--and it is already on the way. 

So, as Richard M. George, a former NSA cyberdefense official, stated: "Other countries are preparing for a cyberwar. If we're not pushing the envelope in cyber, somebody else will."

It is good to see us getting out in front of this cyber security monster--let's hope, pray, and do everything we can to stay on top as the cyberspace superpower. 

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)



May 5, 2012

Understanding Risk Management

Information Security, like all security, needs to be managed on a risk management basis.  

This is a fundamental principle that was previously advocated for the Department of Homeland Security by the former Secretary Michael Chertoff.

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

Where:

- Threats = those who wish to do you harm.

- Vulnerabilities = inherent weaknesses or design flaws.

- Countermeasures = the things you do to protect against the dangers imposed.

[Together, threats and vulnerabilities, offset by any countermeasures, is the probability or likelihood of a potential (negative) event occurring.]

- Impacts = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, achieving total risk avoidance is cost prohibitive.

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, in the absence of being able to completely eliminate risk, we are left with managing risk, and particularly with critical infrastructure protection (CIP), by prioritizing the highest security risks and securing these, going down that list until we exhaust the resources available for countermeasures.
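The formula and the "highest risk first, until resources run out" prioritization above, worked through as an added example (not code from the original post or from Ryan and Ryan). The asset names, the 1-5 scoring scales, the upgrade costs and the rule that each purchase raises Countermeasures by one level are assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass
class Asset:
    name: str
    threats: float          # assumed 1-5 scale: how actively it is targeted
    vulnerabilities: float  # assumed 1-5 scale: inherent weaknesses
    countermeasures: float  # assumed scale, 1 = baseline protection only
    impact: float           # assumed loss estimate in arbitrary units
    upgrade_cost: float     # assumed cost of one more countermeasure level


def risk(asset: Asset) -> float:
    """Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact."""
    if asset.countermeasures <= 0:
        # The formula divides by Countermeasures, so "no protection" has to be
        # modelled as a baseline of 1 rather than 0.
        raise ValueError(f"{asset.name}: countermeasures must be > 0")
    return (asset.threats * asset.vulnerabilities / asset.countermeasures) * asset.impact


def prioritize(assets, budget):
    """Spend the budget on the highest-risk asset that is still affordable.

    After every purchase the risks are recomputed, so an asset stays at the
    top of the list only while it really is the biggest remaining risk.
    Returns (ordered list of purchases, updated assets, unspent budget).
    """
    assets = [replace(a) for a in assets]   # work on copies, keep input intact
    for a in assets:
        if a.upgrade_cost <= 0:
            raise ValueError(f"{a.name}: upgrade_cost must be > 0")
    plan = []
    while True:
        affordable = [a for a in assets if a.upgrade_cost <= budget]
        if not affordable:                  # resources exhausted
            break
        target = max(affordable, key=risk)  # greatest risk first
        budget -= target.upgrade_cost
        target.countermeasures += 1
        plan.append(target.name)
    return plan, assets, budget


# Constructed sample portfolio (not real data).
SAMPLE = [
    Asset("grid SCADA",          4, 5, 1, 10, 40),
    Asset("water treatment PLC", 3, 4, 2,  8, 30),
    Asset("public web site",     5, 3, 3,  2, 10),
    Asset("HR database",         2, 3, 1,  5, 20),
]

if __name__ == "__main__":
    plan, after, left = prioritize(SAMPLE, budget=100)
    print("purchase order:", plan)
    for before, now in zip(SAMPLE, after):
        print(f"{now.name:22s} risk {risk(before):7.2f} -> {risk(now):7.2f}")
    print("unspent budget:", left)
```

With a budget of 100, the two most expensive purchases both go to the same asset because it remains the largest risk even after the first one; the leftover then goes to the highest remaining risk that the budget can still cover, and total risk never reaches zero.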

In a sense, being unable to "get rid of risk" or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied--in other words, what good is security if we can't ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)


March 11, 2012

Taking Down The Internet--Not A Pipe Dream Anymore

We have been taught that the Internet, developed by the Department of Defense Advanced Research Projects Agency (DARPA), was designed to survive as a communications mechanism even in nuclear war--that was its purpose.

Last year, I learned about studies at the University of Minnesota that demonstrated how an attack with just 250,000 botnets could shut down the Internet in only 20 minutes. 

Again last month, New Scientist (11 February 2012) reported: "a new cyberweapon could take down the entire Internet--and there is not much that current defences can do to stop it."

Imagine what your life would be like without Internet connectivity for a day, a week, or how about months to reconstitute!

This attack is called ZMW (after its three creators Zhang, Mao, and Wang) and involves disrupting routers by breaking and reforming links, which would cause them to send out border gateway protocol (BGP) updates to reroute Internet traffic. After 20 minutes, the extreme load brings the routing capabilities of the Internet down--"the Internet would be so full of holes that communication would become impossible."

Moreover, an attacking nation could preserve their internal network, by proverbially pulling up their "digital drawbridge" and disconnecting from the Internet, so while everyone else is taken down, they as a nation continue unharmed. 

While The Cybersecurity Act of 2012, which encourages companies and government to share information (i.e. cybersecurity exchanges) and requires that critical infrastructure meet standards set by The Department of Homeland Security and industry, is a step in the right direction, I would like to see the new bills go even further with a significant infusion of new resources to securing the Internet.

An article in Bloomberg Businessweek (12-18 March 2012) states that organizations "would need to increase their cybersecurity almost nine times over...to achieve security that could repel [even] 95% of attacks."

Aside from pure money to invest in new cybersecurity tools and infrastructure, we need to invest in a new cyberwarrior with competitions, scholarships, and schools dedicated to advancing our people capabilities to be the best in the world to fight the cyber fight. We have special schools with highly selective and competitive requirements to become special forces like the Navy SEALs or to work on Wall Street trading securities and doing IPOs--we need the equivalent or better--for the cyberwarrior.

Time is of the essence to get these cyber capabilities to where they should be, must be--and we need to act now. 

(Source Photo of partial Internet in 2005: here, with attribution to Dodek)



January 30, 2012

SCADA Beware!




In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems.


Max apparently is able to turn off (and on) the lights in entire office towers--one and then another, control a drawbridge (up and down)--and has people and cars waiting and backed up, and even changes traffic signals--from speeds of 50 to 5 as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that the people and organizations with the right skills could do these things.


And rest assured that there are those out there that can perform these hack attacks--reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).


I also heard a story that I don't know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor's Xbox game over the Internet and set off a program that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again....), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall. 


In this story, the damage was limited; in other cases, as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.


Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.


While in the case of the hack attack on the Xbox, that was the end of the problem for the loud playing neighbor keeping this other guy up at night, in general, the unbelievable ability of some hackers to break into major systems and manipulate control systems and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).


The takeaway is that rather than demonize and discourage those who have the skills to figure this "stuff" out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into "ethical hacking" positions, so that they work for the good guys to defeat those who would do us all harm. 


January 27, 2012

Cyber War - The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet being used as weapons and says that "the next big war is less likely to begin with a bang than with a blackout."

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI's Cyber Division), Jim Gosler (Founding Director of CIA's Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).  

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it's high time that we think again.  

Here are some highlights:

- When Retired Admiral McConnell is asked "Do you believe our adversaries have the capability of bringing down a power grid?" McConnell responds "I do." And when asked if the U.S. is prepared for such an attack, McConnell responds, "No."

- Jim Gosler describes how microchips made abroad are susceptible to tampering and could "alter the functionality" of let's say a nuclear weapon that needed to go operational, as well as how they "found microelectronics and electronics embedded in applications that shouldn't be there." 

- Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

- Jim Lewis tells of the "electronic Pearl Harbor" that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies--"so we probably lost the equivalent of a Library of Congress worth of government information" that year and "we don't know who it is" who broke in.  

The point is that our computers and communications and all the critical infrastructure that they support--including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that "it doesn't seem to be sinking in. And some of us call it 'the death of a thousand cuts.' Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it's like little drops.  Eventually we'll drown. But every day we don't notice."

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.

October 23, 2011

Architecting Crowd Control

Last week (19 October 2011) T3 Motion Inc. in CA launched their all electric Non-Lethal Response Vehicle (NLRV) for "crowd control."

The vehicle is a souped-up three-wheeled Segway equipped with two compressed-air-powered rifles able to shoot 700 non-lethal rounds per minute of pepper, water, dye, or rubber projectiles, and each vehicle can carry 10,000 rounds.

According to Trendhunter, the NLRV also has a "40,000-lumen LED strobe light, a riot shield, a P.A. system, and puncture-proof tires" as well as a video camera.

The notion of a law enforcement officer shooting an automatic (non-lethal, as it may be) to quell a riot does not quite fit in with general First Amendment rights for peaceful assembly and typical demonstrations that as far as I know are generally NOT an all-heck-breaks-loose scenario.

I wonder whether instead of a NLRV for handling riot control, a better idea would be a Lethal Response Vehicle (LRV)--with proper training and precautions--to handle homeland security patrols at major points of entry and around critical infrastructure.

From an architecture perspective, this seems to me to be a clear case of where a "desirement" by somebody out there (gaming, fantasy, or what not) should be channeled into fulfilling a more genuine requirement for people actually protecting our homeland.

The benefits of speed and maneuverability can benefit field officers in the right situations--where real adversaries need to be confronted quickly with the right equipment.


October 22, 2011

Keeping All Our Balls In The Air

This is the throwable panoramic ball camera.

It has 36 cameras and when thrown in the air, takes 360-degree pictures of its surroundings as it reaches its apex (i.e. the highest point in the air).

You can see behind you, above you, all around you, even things that you didn't even know were there.

And you can pan, zoom, and scroll to get the precise view you want.

The pictures are amazing--instantly, you have a bird's-eye view, but only better, because even a bird can't see behind its head, but you can.

The implications for artists, photo hobbyists, and outdoor enthusiasts are one thing, but then there are the possibilities for improved surveillance and reconnaissance for homeland and national security.

Watch for camera balls to be used not only for throwing in beautiful and/or dangerous environments, but also for posting at security checkpoints, critical infrastructure, transportation hubs and more.

One question I have is whether the camera ball becomes a one-time use device, if you don't catch it and it ends up smashing into the ground.

Situational awareness is about to get a real bounce out of this one.


July 23, 2011

Getting To Swift Cyber Justice


The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:

  • "DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial or service of access or service..., and the destructive action--including corruption, manipulation, or direct activity that threatens to destroy or degrade network or connected systems."
  • "Cyber threats to U.S. national security go well beyond military targets and affects all aspects of society. Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure."
  • "Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies."

The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more.

As the Wall Street Journal pointed out on 15 July 2011: "The plan as described fails to engage on the hard issues, such as offense and attribution." If we can't even identify who's attacking us, and fight back with precision, then we're flailing.

Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors?

The concept of operations is straightforward: Any computer device that is used to attack us would immediately be blocked and countered with equivalent or greater force and taken out of play.

This would mean that we are able to get past cyber-bot armies to the root computers that are initiating and controlling them, and deal with them decisively. This would hold regardless of the source of the attack--individual or nation-state.

The DoD plan acknowledges our own unpreparedness: "Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity."

As in the Cold War, there must be no doubt with Cyber Warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision.

Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors.

We can only have peace in cyberspace when we have the strength to stand up and defend it.

Now we must move with cyber speed to build this capability and stand ready to execute our defenses.

Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: "The single biggest existential threat that's out there is cyber...It's a space that has no boundaries. It has no rules."

We must become even better--much better!

(Source Photo: here)


June 19, 2011

Crashing The Internet--Are We Prepared?


Almost week after week, I read and hear about the dangers of cyber attacks and whether "the big one" is coming.

The big one is what some experts have called a pending "digital Pearl Harbor."

Just last week, the Federal Times (13 June 2011) wrote that the "U.S. government computer networks are attacked about 1.8 billion times per month."


The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require "stronger and more proactive leadership."

Charles Dodd, a cyber security consultant in D.C., warns that "You've bought a stick to a gunfight, and you're arrogant about your capabilities."

So the question is--are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure--from government, military, and private industry--dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on "Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime" as follows:

--"There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives."

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has "demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet."

And it took only 20 minutes to trigger the chain reaction in which "manipulated routers overloaded all other Internet routers worldwide...mak[ing] it impossible for Internet address to be found."

Granted, it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts...that does not seem like an inordinate amount to press forward with for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day...would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks this brings to the individual, the organization, and the nation and how we can respond and recover should something happen to the Internet.

In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.

This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won't be sorry later.

(All opinions are my own)

(Source Photo: Heritage and History.com)


June 5, 2011

Video Surveillance Made Easier

One of the big problems with video surveillance is that even the most alert security team can be lulled by fatigue and boredom into missing critical events and details on the closed-circuit television (CCTV).

Now there is a new technology called BriefCam (founded in 2007) from Hebrew University in Israel that summarizes hours of video in brief minutes.

What differentiates this new technology, according to The Economist (15 February 2011), is that rather than fast-forwarding or using motion detection to capture or select images, BriefCam captures everything, but "creates a summary of all moving events and play back a synopsis...not speeded up, each person moves at their actual pace. And at any time during the review an operator can switch [click-on the time stamp of the event of interest] to see the original video footage."

BriefCam creates something like a time warp where "all moving events from the period of interest are collected and shifted in time to create the synopsis."

Essentially objects are overlaid on a timeless background, so you are seeing them occur simultaneously, each with a timestamp that can be selected and clicked to isolate the event.

What makes this an incredible forensic tool is that there are controls for the speed and density of what you are watching, and even for moving objects out of the way on the screen.

The Chairman of BriefCam explains, "We don't try to replace human eyes, we just report what we see so that it is more comprehensible."

This is particularly helpful since CNBC (July 2010), which named BriefCam number 2 of Europe's 25 Most Creative Companies, noted that "the average person viewing surveillance footage has an effective attention span of about [only] 20 minutes."

This is why BriefCam can help our law enforcement and security personnel overcome the traditional video surveillance issues that the Wall Street Journal (27 September 2010) put as "there's not enough time and manpower to watch it all." This is one reason that the WSJ awarded BriefCam their 2010 Innovation Award.

Potential customers for this physical security technology include police, homeland security, military, as well as commercial customers.

This is a very promising technology tool that with the addition or integration of recognition software and metadata tagging can help us monitor and safeguard our borders, streets, and critical infrastructure.


April 16, 2011

Wake Up To Advanced Technology


Yet another air traffic controller asleep on the job today--OMG.

Everyone is upset--as they should be--safety and lives are at stake.

Hello.

Come in...

Is anyone down there?

We need to land.

We have an emergency on board (someone is sick or perhaps the plane is in imminent danger or maybe it's been hijacked).

I guess we need to call back later.

That's CRAZY!

Silence is not golden, in these cases.

In the government (as in private sector control rooms), there are a lot of round the clock duty stations--watching our airports, our borders, and critical infrastructure.

We rely on people to be alert for any problems and be prepared to step up to the plate to take necessary action to safeguard our nation.

When people are "asleep at the switch," they are not only abrogating their basic duty (for which they are getting paid), but they are endangering others and this is obviously unacceptable.

We know this intuitively.

Why has this gotten so out of control lately--Is this a new phenomenon or just one that is coming to light now? Are people taking advantage of the system, genuinely exhausted, or disillusioned with their jobs and giving up--so to say?

There are a lot of questions that need to be explored and answered here and I would expect that these answers will be forthcoming.

It is not just a matter of reacting with a doubling of the shift or clamping down on the people involved--although that may be a good first step to stop the proverbial bleeding; obviously more needs to be done.

For decades, air traffic control (ATC) has relied on controllers on the ground to guide planes on the ground and in the air, despite new technologies from autopilot to Global Positioning System (GPS) and from on-board transponders to advanced cockpit displays.

Many hardworking government and commercial sector employees have been working to change this through modernization of the processes and systems over the years.

By increasingly leveraging advances in technology, we can do more of what people--like the ATCs and many other of our hardworking watchstanders--are currently being asked to do manually.

This doesn't mean that there is no human (AWAKE! is the expectation) watching to make sure that everything is working properly, but it does mean that the people may be in some instances an augmentation, rather than the primary doers.

In the end, people have got to be in control, but technology should be doing as much of the heavy lifting as it can for us and perhaps, as we are a failsafe for technology, technology can in some instances be a backstop for human error and frailty.

It doesn't make us weak to admit our limitations and look not only for people and process changes, but also for technology solutions to help augment our personal capabilities.

(Credit Picture: PN.PsychiatryOnline.org)


September 26, 2010

Now The Computer War Games Are Real

The Associated Press is reporting that the Iranian Bushehr Nuclear Plant has been hit with a sophisticated computer worm called Stuxnet.

The Iranian nuclear program that was hit has been claimed to be for civil nuclear power but has long been suspected of being a cover for making weapons, and Iran has been unabashedly vocal about its hostile intent toward many nations, even going so far as to openly threaten some, especially Israel, with complete “annihilation.”

The technical aspects of Stuxnet as a weapon are fascinating, for this is the first computer program “specifically created to take over industrial control systems.” Another article in U.K.’s The Guardian quotes another source as saying it is “one of the most refined pieces of malware ever discovered.”

This worm works by exploiting security holes in the Windows operating system and taking over critical infrastructure SCADA systems (AKA Supervisory Control and Data Acquisition systems or industrial control systems).

What is maybe even more amazing than the technical feat of Stuxnet is that for months or years, everyone has been focused on and hypothesizing about when a traditional military strike was going to occur against the ever-menacing Iranian nuclear threat. However, instead of conventional planes and bombs making a big bang (remember “shock and awe”), we get a silent but “very sophisticated” cyber worm that no one seems to have expected.

So times have certainly changed and with them warfare. Prior military engagements occurred on land, sea, and air with kinetic “bang/boom” weapons. Today they have a new domain in cyberspace with bits and bytes that are just as impactful. But I think what hasn’t really hit home with most people is that cyber war is not just virtual, like playing a video game (like the SIMS) or acting out in virtual reality (like Second Life); cyberwarfare starts online but has real physical ramifications as we see with the Stuxnet worm. Industrial systems like nuclear plants or hosts of other critical infrastructure (in manufacturing, energy, telecommunications, etc.) can be taken out with cyber bombs just like with real bombs, maybe even better, faster, cheaper, and cleaner (less collateral damage).

We had all better be prepared for the fight in this new realm as the potential damage is as real as any we have ever seen before.
