July 12, 2015
The "Real" OPM Data Breach
Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.
The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level politicals, and others to turn and work for them or otherwise to use against them.
But what is grossly missing in this discussion is not what information presumably the Chinese stole and how they will use it against us, but rather what information they inserted, altered, or otherwise compromised into the OPM personnel and security databases when they got root access to it.
Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:
- They could insert phony records for spies, moles, or other dangerous persons into the database--voila, these people are now "federal employees" and perhaps with stellar performance records and high level security clearances able to penetrate the depths of the federal government with impunity or even as superstars!
- They could alter personnel or security records taking prominent or good government employees and sabotaging them to have questionable histories, contacts, financial, drug or criminal problems and thereby frame or take-down key government figures or divert attention from the real bad guys out there and tie our homeland security and law enforcement establishment in knots chasing after phony leads and false wrongdoers and villains.
Given that the timeline of the hack of OPM goes back to March and December 2014, this was more than enough time for our adversary to not only do to our data what they want, but also for the backup tapes to be affected by the corrupt data entering the system.
The damage done to U.S. national security is unimaginable. As is typically the case with these things, "An ounce of prevention is worth a pound of cure." Instead of investing in security, now we can invest in "credit monitoring and identity theft protection" for a very sparse three years, while federal employees will go a lifetime in information jeopardy, and the federal government will be literally chasing its tail on personnel security for decades to come.
With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. ;-)
(Source Photo: Andy Blumenthal)
June 5, 2015
People Are Our Greatest Asset, Goodbye!
They are suspected of having just stolen the personnel information of 4 million federal government workers.
And there are 4.2 million active, including 1.5 million military personnel.
So if as they are apt to say, "people are our greatest asset"...
...then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing.
Oops!
This is getting scary folks.
When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything...then we got some big vulnerabilities!
If we can't defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! ;-)
(Source Photo: Andy Blumenthal)
November 22, 2014
Dire Warnings On CyberSecurity
With our cybersecurity over the next decade, "It's only a matter of the 'when,' not the 'if,' that we are going to see something dramatic."
The Wall Street Journal reports that he gave "a candid acknowledgement that the U.S. ISN'T yet prepared to manage the threat!"
China and "one or two others" [i.e. Russia etc.] are infiltrating our SCADA networks that manage our industrial control systems, including our power turbines and transmission systems.
The cyber spies from the nation states are "leaving behind computer code that could be used to disable the networks in the future."
Can you imagine...you must imagine, you must prepare--not if, but when.
(Source Photo: Andy Blumenthal)
January 25, 2014
Remodulate The Shields For Cyber Security
I really like the concept for Cyber Security by Shape Security.
They have an appliance called a ShapeShifter that uses polymorphism to constantly change a website's code in order to prevent scripted botnet attacks--even as the web pages themselves maintain their look and feel.
In essence they make the site a moving target, rather than a sitting duck.
This is like Star Trek's modulating shield frequencies that would prevent enemies from obtaining the frequency of the shield emitters so they could then modify their weapons to bypass the shield and get in a deadly attack.
In real life, as hackers readily change their malware, attack vectors, and social engineering tactics, we need to be agile and adapt faster than the enemy to thwart them.
Changing defense tactics has also been used by agencies like Homeland Security to alter screening methods and throw potential terrorists off from a routine that could be more easily overcome.
I think the future of IT Security really lies in the shapeshifter strategy, where the enemy can't easily penetrate our defenses, because we're moving so fast that they can't even find our vulnerabilities and design an effective attack before we change it and up our game again.
And hence, the evil Borg will be vanquished... ;-)
October 2, 2013
Government Shutdown - Starbucks
This is a picture from the local Starbucks that is typically billowing at lunch time--as you can see it's basically a morgue.
Unfortunately, hard-working Federal employees, contractors, and local business are feeling the impact!
Even from those that are still working, there is word of "survivor's guilt"--like with a plane crash or other calamity, when those who survive the catastrophe question why they were so fortunate when the others weren't so lucky and perished.
With both the budget shutdown and the impending debt ceiling showdown--we are facing the perfect storm, with real negotiation and compromise yet to emerge.
With this all, our significant national problems aren't going away--to the contrary, Iran and North Korea are still global nuclear threats, Syria still has chemical weapons, the economy remains on shaky ground (in the paper today, the once high-flying pharmaceutical company Merck is planning to lay off 20%!), the national debt continues to spiral out of control (albeit at a "slower pace"), cybersecurity remains a major national security risk (although Cyber Command continues to stand up its new headquarters and firepower), and so much more.
Bubble stocks rose again yesterday after an almost 20% one-year return. Not only that, but the safety of gold took a beating again after an almost 40% one-year decline (full disclosure, I am a recent investor in the latter). One has to wonder how long it will take for sanity to prevail once again.
(Source Photo: Andy Blumenthal)
June 3, 2012
Raising The Bar On Cybersecurity
Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.
There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.
Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.
There is a lot riding over the Internet--power, transportation, finance, commerce, defense, and more--and the vulnerabilities inherent in this are huge!
Some notable quotes from the video:
- "Spying, intrusions, and attacks on government and corporate networks occur every hour of every day."
- "Some sort of cyberwar is generally considered an inevitability."
- "Cyberwar although a scary term--I think it is as scary as it sounds."
- "Right now the bar is so low, it doesn't take a government, it doesn't take organized crime to exploit this stuff--that's what's dangerous!"
We all have to do our part to raise the bar on cybersecurity--and let's do it--now, now, now.
June 1, 2012
Cyberwar, You're On
First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations' "increasingly sophisticated [cyber] attacks on the computer systems that run Iran's main nuclear enrichment facilities"--sabotaging as many as 1000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.
The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States' National Security Agency and Israel's advanced cyber corps, Unit 8200.
The malware included programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back as 2007.
These cyber attacks have been viewed as the best hope of slowing the Iranians' sinister nuclear program while economic sanctions have a chance to bite.
Additionally, cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle East.
At the same time, the use of cyber weapons is a double-edged sword--if we use it on others, this may encourage cyber proliferation and its eventual use on us--and as the NYT writes, "no country's infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States."
Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon's Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X--"ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation."
"If they achieve it, they're talking about being able to dominate the digital battlefield just like they do the traditional battlefield."
The "five-year $110 million research program" is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:
1) Mapping Cyberspace--create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.
2) Building A Survivable O/S--Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) "capable of launching attacks and surviving counterattacks."
3) Develop (Semi-)Autonomous Cyber Weapons--so cyber commanders can engage in "speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code."
Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers--and end there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.
"Cyberwar could be more humane than pulverizing [targets]...with bombs," but I doubt it will be.
Imagine, everything you know coming to a complete halt--utter disruption and pandemonium--as well as the physical effects of that which would ensue--that's what cyber war is all about--and it is already on the way.
So, as Richard M. George, a former NSA cyberdefense official, stated: "Other countries are preparing for a cyberwar. If we're not pushing the envelope in cyber, somebody else will."
It is good to see us getting out in front of this cyber security monster--let's hope, pray, and do everything we can to stay on top as the cyberspace superpower.
(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)
May 19, 2012
Those In The Know, Sending Some Pretty Clear Warnings
They are not playing politics--they have left the arena.
And as we know, it is much easier to be rosy and optimistic--let's face it, this is what people want to hear.
But these leaders--national heroes--sacrifice themselves to provide us an unpopular message, at their own reputational risk.
That message is that poor leadership and decision-making in the past is threatening our present and future.
Earlier this week (15 May 2011), I blogged about a documentary called I.O.U.S.A. with David Walker, the former Comptroller General of the United States for 10 years!
Walker was the head of the Government Accountability Office (GAO)--the investigative arm of Congress itself, and has testified before them and toured the country warning of the dire fiscal situation confronting us from our proclivity to spend future generations' money today--the spiraling national deficit.
Today, I read again in Fortune (21 May 2012) an interview with another national hero, former Admiral Mike Mullen, who was chairman of the Joint Chiefs (2007-2011).
Mullen warns bluntly of a number of "existential threats" to the United States--nukes (which he feels are more or less "under control"), cyber security, and the state of our national debt.
Similarly, General Keith Alexander, the Director of the National Security Agency (NSA) and the head of the Pentagon's Cyber Command has warned that DoD networks are not currently defensible and that attackers could disable our networks and critical infrastructure underpinning our national security and economic stability.
To me, these are well-respected individuals who are sending some pretty clear warning signals about cyber security and our national deficit, not to cause panic, but to inspire substantial change in our national character and strategic priorities.
In I.O.U.S.A., after one talk by Walker on his national tour, the video shows that the media does not even cover the event.
We are comfortable for now and the messages coming down risk shaking us from that comfort zone--are we ready to hear what they are saying?
(Source Photo: here with attribution to Vagawi)
August 20, 2011
Cloud Second, Security First
December 7, 2009
Let's Not Understate the Cyber Threat
Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:
“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”
While I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.
Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”
Now think for a second, about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil and elements of the military infrastructure are dependent on the Internet and the computers that are connected to them. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.
The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.
Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.
While thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in responsibilities for ensuring safety and security if we thought that was it.
Further, while unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack.
While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.
Rep. Lamar Smith, R-Texas said “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”
Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.
This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.
The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up, this way:
“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”
We should not and cannot understate the possible threats against our nation, but rather we need to act responsibly and rationally, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:
“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”
Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation's central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”
On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.
July 14, 2009
A Call to IT Arms
Recently, I heard a colleague say that we should view IT not as a cost center, but as a resource center—and I really liked that.
In fact, IT is a cost center and a resource center, but these days there is an overemphasis on it being a cost center.
On the negative side, people seem to like to criticize IT and point out the spectacular failures there have been, and in fact, according to Public CIO “a recent study by the Standish Group showed that 82% of all IT projects were either failures or were considered challenged.”
This is the dark side of IT that many would like to dwell on.
However, I would argue that while we must constantly improve on IT project delivery, IT failures can be just a point in time on the way to tremendous success and there are many of these IT successes that we benefit from in big and small ways every day.
Moreover, it may take 1000 failures to achieve that one great breakthrough success. That is the nature of innovation and experimentation.
Of course, that does not mean we should do stupid or negligent things that result in failed IT projects—we must do our best to be responsible and professional stewards. But, we should not be afraid to experiment and fail as a healthy part of the creative process.
Thomas Edison said: “I have not failed. I’ve just found 10,000 ways that won’t work.”
So why are we obsessed with IT failures these days?
Before the dot com bust, when technology was all the rave, and we enjoyed the bounty of new technologies like the computer, cell phones, handhelds, electronics galore, the Internet and all the email, productivity software and e-commerce and business applications you could ask for, the mindset was “technology is the engine that drives business.” And in fact, many companies were even changing their names to have “.com” in them to reflect this. The thinking was that if you didn’t realize the power and game-changing nature of technology, you could just as well plan to be out of business in the near future. The technologies that came out of those years were amazing and you and I rely on these every day.
Then after the dot-com burst, the pendulum swung the other way—big time! IT became an overzealous function, that was viewed as unstructured and rampant, with runaway costs that had to be contained. People were disappointed with the perceived broken promises and failed projects that IT caused, and IT people were pejoratively labeled geeks or techies and viewed as being outside the norm—sort of the societal flunkies who started businesses out of home garages. People found IT project failures were everywhere. The corporate mindset changed to “business drives technology.”
Now, I agree that business drives technology in terms of requirements coming from the business and technology providing solutions to it and enabling it. But technology is also an engine for growth, a value creator, and a competitive advantage!
Further, while some would argue these days that IT is “just a tool”, I would counter that IT is a true strategic asset to those who understand its role in the enterprise. I love IT and I believe we all do and this is supported by the fact that we have become basically insatiable for IT. Forrester predicts U.S. IT budgets in 2009 will be in the vicinity of $750 billion. (http://it.tmcnet.com/topics/it/articles/59200-it-market-us-decline-51-percent-2009-researchers.htm) Think about what you want for the holidays—does it have IT in it?
A recent article in the Wall Street Journal was about how the homeless are so tied to technology that many have a computer with Internet access, even when they don’t have three square meals a day or a proper home to live in.
Another sign of how critical IT has become is that we recently stood up a new Cyber Command to protect our defense IT establishment. We are reliant indeed on our information technology and we had better be prepared to protect and defend it.
The recent White House 2009 Cyberspace Policy Review states: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.”
It's time for the pendulum to swing back in the other direction and to view IT as the true strategic asset that it is.