Showing posts with label Cyber Security. Show all posts

January 28, 2013

Safeguarding Our Electrical Grid

Popular Science (28 January 2013) has an interesting article on "How To Save The Electrical Grid."

Power use has skyrocketed with home appliances, TVs, and computers, causing a significant increase in demand and "pushing electricity through lines that were never intended to handle such high loads."


Our electrical infrastructure is aging with transformers "now more than 40 years old on average and 70% of transmission lines are at least 25 years old" while at the same time over the last three decades average U.S. household power consumption has tripled!


The result is that the U.S. experiences over 100 mass outages a year to our electrical systems from storms, tornados, wildfires and other disasters.


According to the Congressional Research Service, "cost estimates from storm-related outages to the U.S. economy at between $20 billion and $55 billion annually."


For example, in Hurricane Sandy 8 million homes in 21 states lost power, and in Hurricane Irene, a year earlier, 5.5 million homes lost electricity.


The solution is to modernize our electrical grid:


- Replace a linear electrical design with a loop design, so a failure can be rerouted. (Isn't this basic network architecture where a line network is doomed by a single point of failure, while a ring or mesh topology can handle interruptions at any given point?)


- Install "fault-current limiters" as shock absorbers so when there is a surge in the grid, we can "absorb excess current and send a regulated amount down the line" rather than causing circuit breakers to open and stop the flow of electrical power altogether. 


- Create backup power generation for critical infrastructure such as hospitals, fire stations, police, and so on, so that critical services are not interrupted by problems on the larger grid. This can be expanded to installing solar and other renewable energy resources on homes, buildings, etc. 


- Replace outdated electrical grid components and install a smart grid and smart meters to "digitally monitor and communicate home power" and automatically adjust power consumption at the location and device level. Smart technology can help manage the load on the grid and shift non-essential use to off-hour use. The estimated cost for modernizing the U.S. grid is $673 billion--but the cost of a single major outage can run into the tens of billions alone. What will it take for this investment to become a national priority?


I would add an additional solution for safeguarding our electrical grid by beefing up all elements of cyber security from intrusion detection and prevention to grid protection, response, and recovery capabilities. Our electrical system is a tempting target for cyber criminals, terrorists or hostile nation states that would seek to deprive us of our ability to power our economy, defense, and political establishments.


While energy independence has become feasible by 2020, we need to make sure that we not only have enough energy resources available, but also the means for reliable and secure energy generation and distribution to every American family and business. ;-)


(Source Photo: Andy Blumenthal)


January 10, 2013

One-Two-Three Punch For Cyber Security

Here are three crafty ideas for improving our cyber security that can be used to protect, prevent, and recover from attacks:

1) Intrusion Deception (not detection)--Mykonos Software aims to protect websites by putting up a virtual minefield--"setting traps to confound hackers." When the software detects hackers trying to infiltrate, it can flood hackers with false information on vulnerabilities that goes nowhere, mess with the hackers' computers such as by pop-up flashing maps of their locations and local defense attorneys, and disrupt their connections and slow down their hacking attempts (Bloomberg BusinessWeek).

2) Scamming The Scammers--Notorious email spams such as from Nigeria that look to ensnare victims into wiring money overseas in order to secure some lost fortune cost $9.3 billion in losses in 2009. Psychology professors Chris Chabris and Daniel Simons suggest that we can prevent many scammers from succeeding by raising the cost of their doing business by scamming them with "baiters" that send responses to scammers and occupy them but never actually send any money. They suggest that artificial intelligence could actually be used to create "automated scam-baiters bots" simulating potential gullible victims. These bots could even be programmed to provide phony account numbers and data to scammers to really get them spun up. (Wall Street Journal)

3) Insuring Against Losses--Insurance is a common way to manage risk by purchasing coverage for potential liabilities--this is used to indemnify against losses for everything from auto accidents to home fires, personal theft, and business interruptions. However, according to Bernard Horovitz, CEO of XL Insurance's Global Professional Operations, businesses (and of course, individuals) are rarely covered by insurance for hacker attacks. Insurance companies are now offering specialty products to recover from the insuring liabilities. Additionally, the insurers will "help with preventing and mitigating cyber crime" through security audits. (Wall Street Journal)

These three cyber security strategies are great examples of how we can make it technically and financially more difficult for cyber attackers to succeed in getting in a knockout punch on their victims. ;-)

(Source Photo: Minna Blumenthal)


December 27, 2012

Resilience In The Face Of Disaster


This year when the ball drops in Times Square next week to usher in the New Year, it will be a little different than in prior years, because rather than blanket cheer, there will be a good amount of consternation as we hit the debt limit of $16.4 trillion as well as the Fiscal Cliff where broad spending cuts and tax increases are to go into effect (whether in full, partial with some sort of deal, or in deferral).

Like the statue pictured here, the strength and resilience of the American people will be tested and we will need to stand tall and strong. 

In this context, it was interesting to read in Wired Magazine (January 2013) an interview with Andrew Zolli, the author of Resilience: Why Things Bounce Back, an exploration of the importance of resilience in the face of adversity.

Whether in response to natural disasters like Hurricane Sandy or man-made ones like the financial crisis and terrorism, we need to be prepared to adapt to disaster, respond and continue operations, and recover quickly to rebuild and grow.

According to Zolli, we need shock absorbers for our social systems that can "anticipate events...sense their own state...and can reorganize to maintain their core purpose amid disruption."

Adaptability is important, so that we can continue to operate in an emergency, but also vital is "self-repair" so we can "bounce back."

These concepts for resiliency in emergency management are similar to how Government Computer News (December 2012) describes the desire for building autonomous self-healing computer systems that can defend and recover from attacks. 

The notion is that when our computer systems are under cyber attack, we need to be able to defend them in an automated way to counter the threats in a timely fashion. 

Thus, according to GCN, we need IT systems that have situational monitoring for self awareness, real-time identification of an attack, continuous learning to adapt and defend against changing attack patterns, and self-healing to recover from them.

Thus, bouncing back from social and cyber disasters really requires similar resilience, and for some challenges, it may be sooner than later that we are tested. ;-)

(Source Photo: Minna Blumenthal)


October 13, 2012

Amazing Internet Statistics 2012

So what happens in only 1 minute on the Internet--this cool magazine Ideas and Discoveries (October 2012) provides some amazing examples:

- Information Sharing--639,800 gigabytes of data are exchanged
- Information Generation--6 new Wikipedia articles are created
- Information Visualization--20,000,000 photos looked at on Flickr
- eMail--204,000,000 emails are sent
- eCommerce--$83,000 of sales on Amazon
- Social Networking--320 new users on Twitter and 100 on LinkedIn (wonder how many for Facebook...)
- Cyber Crime--20 new victims of identity theft

And in the same month, Harvard Business Review reported on the growing significance to commerce with the Internet contributing to GDP (in 2010) as much as:

- 8.3% in the UK
- 7.3% in South Korea
- 5.5% in China
- 4.7% in the US
- 4.7% in Japan
- 4.1% in India

Moreover in HBR, this is what was reported that people are willing to give up instead of the Internet for a year--and the numbers are pretty startling--check this out:

- 91% of UK would give up fast food
- 89% of Indonesians would give up smoking
- 86% of Japanese would give up chocolate
- 85% of Chinese would give up coffee
- 78% of Indonesians would give up their shower
- 60% of Japanese would give up exercise
- 56% of Chinese would give up their car
- 56% of Japanese would give up sex--go figure! ;-)

While this is all sort of light, there is also a very serious dimension to this. For example, in the Wall Street Journal today, it quotes Secretary of Defense Leon Panetta warning that with Iran's digital assault on the U.S., the concerns of cyberwar are growing, with the SecDef going so far as to say "Is there a cyberwar going on? It depends on how you define war."

Yes, the Internet is amazing for so many reasons and we can't take it for granted--we need to be vigilant and defend the Internet (cyber) with the same zeal and commitment as the other domains of war--land, sea, and air--all are vital to national security and for the preservation of life, liberty, and the pursuit of happiness.

This is a lesson we need to learn quickly and decisively--before the old Star Wars is passe and cyberwar turns deadly. 

(Source Photo: Andy Blumenthal)


August 25, 2012

IT Security, The Frankenstein Way

Here's a riddle: When is a computer virus not a dangerous piece of malware? Answer: when it is hidden as Frankenstein code. 

The Economist (25 August 2012) describes how computer viruses are now being secretly passed into computers, by simply sending a blueprint for the virus rather than the harmful code itself into your computer--then the code is harvested from innocuous programs and assembled to form the virus itself. 

Like the fictional character, Frankenstein, that is stitched together out of scavenged body parts, the semantic blueprint pulls together code from host programs to form the viruses. 

This results in polymorphic viruses, where based on the actual code being drawn from other programs, each virus ends up appearing a little different and can potentially mask itself--bypassing antivirus, firewall, and other security barriers.

Flipping this strategy around, in a sense, Bloomberg Businessweek (20 June 2012) reports on a new IT security product by Bromium that prevents software downloads from entering the entire computer, and instead sets aside a virtual compartment to contain the code and ensure it is not malicious--and if the code is deemed dangerous, the cordoned-off compartment will dissolve preventing damage to the overall system.

So while on the offensive side, Frankenstein viruses stitch together parts of code to make a dangerous whole--here on the defensive side, we separate out dangerous code from potentially infecting the whole computer.  

Computer attacks are getting more sinister as they attempt to do an end-run around standardized security mechanisms, leading to continually evolving computer defenses to keep the Frankensteins out there, harmless, at bay.

(Source Photo: here with attribution to Dougal McGuire)


July 21, 2012

Stark Raving Internet Crazy

An article in the Daily Beast/Newsweek called "Is the Web Driving Us Mad?" postulates that we are addicted to the Internet by virtually every definition of the word. 

Physically:
- "Americans have merged with their machines"--literally staring at computer screens "at least eight hours a day, more time than we spend on any other activity, including sleeping."
- "Most college students are not just unwilling, but functionally unable to be without their media links to the world."


Psychologically:
- "Every ping could be a social, sexual, or professional opportunity" so we get a (dopamine) reward for getting and staying online.
- Heavy internet use and social media is correlated with "stress, depression, and suicidal thinking" with some scientists arguing it is like "electronic cocaine" driving mania-depressive cycles. 


Chemically:
- "The brains of Internet addicts...look like the brains of drug and alcohol addicts."
- Videogame/Internet addiction is linked to "structural abnormalities" in gray matter, namely shrinkage of 10 to 20% in the areas of the brain responsible for processing of speech, memory, motor control, emotion, sensory, and other information.
- The brain "shrinkage never stopped: the more time online, the more the brain showed signs of 'atrophy.'"


Socially:
- "Most respondents...check text messages, email or their social network 'all the time' or 'every 15 minutes.'"
- "Texting has become like blinking" with the average person texting (sending or receiving) 400 times3,700 times!
- "80% of vacationers bring along laptops or smartphones so they can check in with work while away."
- "One in 10 users feels 'fully addicted' to his or her phone," with 94% admitting some level of compulsion!


At the extreme:
- "One young couple neglected its infant to death while nourishing a virtual baby online."
- "A young man bludgeoned his mother for suggesting he log off."
- "At least 10...have died of blood clots from sitting too long" online. 


These are a lot of statistics, and many of these are not only concerning, but outright shocking--symptoms of bipolar disorder, brain shrinkage, and murderous behavior to name a few.

Yet, thinking about my own experiences and observations, this does not ring true for the vast majority of normal Internet users who benefit from technology intellectually, functionally, socially, and perhaps even spiritually. 

Yes, we do spend a lot of time online, but that is because we get a lot out of it--human beings, while prone to missteps and going to extremes, are generally reasoned decision-makers.

We aren't drawn to the Internet like drug-abusers to cocaine, but rather we reach for the Internet when it serves a genuine purpose--when we want to get the news, do research, contact a friend or colleague, collaborate on a project, make a purchase, manage our finances, watch a movie, listen to music or play a game and more. 

These are not the benefits of a drug addict, but the choices of rational people using the latest technology to do more with their lives. 

Are there people who lose control or go off the deep end? Of course. But like with everything, you can have even too much of a good thing--and then the consequences can be severe and even deadly.

Certainly people may squirrel away more often than they should for some un-G-dly number of hours at a computer rather than in the playground of life--but for the most part, people have taken the technology--now highly mobile--into the real world, with laptops, tablets, and smartphones being ubiquitous with our daily rounds at the office, on the commute, walking down the street, and even at the dinner table.

Is this a bad thing or are we just afraid of the (e)merging of technology so deeply into every facet of our lives?

It is scary in a way to become so tied to our technology that it is everywhere all the time--and that is one major reason why cyber attacks are such a major concern now--we are hopelessly dependent on technology to do just about everything, because it helps us to do them. 

From my perch of life, the Internet does not break people or attract broken souls except on the fringes; more typically it puts people together to achieve a higher individual and social aggregate capability than ever before.

If the pressure to achieve 24/7 would just come down a few notches, maybe we could even enjoy all this capability some more.

Now I just need to get off this darn computer, before I go nuts too!  ;-)

(Source Photo: here adapted from and with attribution to Cassie Nova)


June 25, 2012

Security Advisory For Architecture Drawings

Dark Reading (21 June 2012) came out with security news of an AutoCAD worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC magazine (24 June 2012).

This malware was discovered by computer security firm ESET.

This is a serious exploitation in the industry leader for computer-aided design and drafting that is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China. 

With information on our architectural structure and designs for skyscrapers, government buildings, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents. 

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to "air gap" sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)


June 16, 2012

Securing Transport To The Cloud

A new article by Andy Blumenthal on cyber security and cloud computing in Public CIO Magazine (June 2012) called Securing Cloud Data Means Recognizing Vulnerabilities.

"It’s the principle of inertia: An object in motion stays in motion unless disturbed. Just like a car on a highway, everything zips along just fine until there’s a crash. This is similar with information on the superhighway."

Let's all do our part to secure cyberspace.

Hope you enjoy!

(Source Photo: here with attribution to Kenny Holston 21)


June 3, 2012

Raising The Bar On Cybersecurity



Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.

There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.

Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.

There is a lot riding over the Internet--power, transportation, finance, commerce, defense, and more--and the vulnerabilities inherent in this are huge!

Some notable quotes from the video:

- "Spying, intrusions, and attacks on government and corporate networks occur every hour of every day."

- "Some sort of cyberwar is generally considered an inevitability."

- "Cyberwar although a scary term--I think it is as scary as it sounds."

- "Right now the bar is so low, it doesn't take a government, it doesn't take organized crime to exploit this stuff--that's what's dangerous!"

We all have to do our part to raise the bar on cybersecurity--and let's do it--now, now, now.


June 1, 2012

Cyberwar, You're On

There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations' "increasingly sophisticated [cyber] attacks on the computer systems that run Iran's main nuclear enrichment facilities"--sabotaging as many as 1000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States' National Security Agency and Israel's advanced cyber corps, Unit 8200.

The malware included programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back as 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranians' sinister nuclear program while economic sanctions have a chance to bite.

Additionally, cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle East.

At the same time, the use of cyber weapons is a double-edged sword--if we use it on others, this may encourage cyber proliferation and its eventual use on us--and as the NYT writes, "no country's infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States."

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon's Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X--"ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation."

"If they achieve it, they're talking about being able to dominate the digital battlefield just like they do the traditional battlefield."
The "five-year $110 million research program" is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace--create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks. 

2) Building A Survivable O/S--Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) "capable of launching attacks and surviving counterattacks."

3) Develop (Semi-)Autonomous Cyber Weapons--so cyber commanders can engage in "speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code."

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers and ending there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

"Cyberwar could be more humane than pulverizing [targets]...with bombs," but I doubt it will be. 

Imagine, everything you know coming to a complete halt--utter disruption and pandemonium--as well as the physical effects of that which would ensue--that's what cyber war is all about--and it is already on the way. 

So, as Richard M. George, a former NSA cyberdefense official, stated: "Other countries are preparing for a cyberwar. If we're not pushing the envelope in cyber, somebody else will."

It is good to see us getting out in front of this cyber security monster--let's hope, pray, and do everything we can to stay on top as the cyberspace superpower. 

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)



May 29, 2012

A Cyber Security House Of Cards

Yesterday there were reports of a new "massive cyber attack" called the Flame.

A U.N. Spokesperson called it "the most powerful [cyber] espionage tool ever."

The Flame ups the cyber warfare ante and is "one of the most complex threats ever discovered"--20 times larger than Stuxnet--and essentially an "industrial vacuum cleaner for sensitive information."

Unlike prior cyber attacks that targeted computers to delete data ("Wiper"), steal data ("Duqu"), or to disrupt infrastructure ("Stuxnet"), this malware collects sensitive information. 

The malware can record audio, take screenshots of items of interest, log keyboard strokes, sniff the network, and even add on additional malware modules as needed.

Kaspersky Labs discovered the Flame virus, and there have been greater than 600 targets infected in more than 7 countries over the last 2 years with the greatest concentration in Iran.

This is reminiscent of the Operation Shady Rat that was a 5-year cyber espionage attack discovered by McAfee in 2011--involving malware that affected more than 72 institutions in 14 countries. 

Separately, an attack on the U.S. Federal government's retirement investments--the Thrift Savings Plan--impacted the privacy and account information of 123,000 participants and "unauthorized access"--and was reported just last week after being discovered as far back as July 2011.

Regardless of where the particular cyber attacks are initiating from, given the scale and potential impact of these, it is time to take cyber security seriously and adopt a more proactive rather than a reactive mode to it.

One can only wonder how many other cyber attacks are occurring that we don't yet know about, and perhaps never will.

We can't afford to fumble the countermeasures to the extraordinary risk we face in the playing fields of cyber warfare. 


We have to significantly strengthen our cyber defenses (and offenses)--or else risk this "cyber house of cards" coming crashing down.

It's time for a massive infusion of funds, talent, tools, and leadership to turn this around and secure our nation's cyber infrastructure.   

(Source Photo: here with attribution to Dave Rogers)


May 19, 2012

Those In The Know, Sending Some Pretty Clear Warnings

There have been a number of leaders who have stepped up to tell people the real risks we are facing as a nation. 

They are not playing politics--they have left the arena. 

And as we know, it is much easier to be rosy and optimistic--let's face it, this is what people want to hear. 

But these leaders--national heroes--sacrifice themselves to provide us an unpopular message, at their own reputational risk.

That message is that poor leadership and decision-making in the past is threatening our present and future. 

Earlier this week (15 May 2011), I blogged about a documentary called I.O.U.S.A. with David Walker, the former Comptroller General of the United States for 10 years!

Walker was the head of the Government Accountability Office (GAO)--the investigative arm of Congress itself, and has testified before them and toured the country warning of the dire fiscal situation confronting us from our proclivity to spend future generations' money today--the spiraling national deficit.

Today, I read again in Fortune (21 May 2012) an interview with another national hero, former Admiral Mike Mullen, who was chairman of the Joint Chiefs (2007-2011).

Mullen warns bluntly of a number of "existential threats" to the United States--nukes (which he feels is more or less "under control"), cyber security, and the state of our national debt. 

Similarly, General Keith Alexander, the Director of the National Security Agency (NSA) and the head of the Pentagon's Cyber Command has warned that DoD networks are not currently defensible and that attackers could disable our networks and critical infrastructure underpinning our national security and economic stability.

To me, these are well-respected individuals who are sending some pretty clear warning signals about cyber security and our national deficit, not to cause panic, but to inspire substantial change in our national character and strategic priorities.

In I.O.U.S.A., after one talk by Walker on his national tour, the video shows that the media does not even cover the event.

We are comfortable for now and the messages coming down risk shaking us from that comfort zone--are we ready to hear what they are saying?

(Source Photo: here with attribution to Vagawi)



April 28, 2012

Governing the Internet Commons

Recently, I've been watching a terrific series called America: The Story of Us (12 episodes)--from the History Channel. 

It is a beautiful portrayal of the founding and history of America.

One theme though that repeats again and again is that as a nation, we use the common resources and deplete them until near exhaustion. 

The show portrays an America of lush forests with billions of trees that are chopped down for timber, herds of 30 million buffalo slaughtered for their hides, rolling plains of cotton for a thriving clothing industry that is over-planted, a huge whaling industry used for oil that is over-fished.

Unfortunately, as we know, the story is not just historical, but goes on to modern-day times, with fisheries depleted, whole species of animals hunted to extinction, energy resources furiously pumped and mined to a foreseen depletion, city streets turned into slushy slums, and national forests carelessly burned down, and more. 

The point is what is called the "Tragedy of the Commons"--where items held in trust for everyone are misused, overused, and ultimately destroyed. With private property, people are caretakers with the incentive to maintain or raise the value to profit later. However, with common property, people grab whatever they can now, in order to profit from it before someone else gets it first.

This phenomenon was first laid out in the Torah (Bible) with a law for a "Shabbath Year" called Shmita mandating that people let fields (i.e., agriculture) lie fallow for a full year every 7 years and similarly, the law of Jubilee (i.e., Yovel), that slaves be freed and loans forgiven every 50 years. I think that the idea is to regulate our personal consumption habits and return the historical "commons" back to its normal state of freedom from exploitation.

This notion was echoed by ecologist Garrett Hardin in the journal Science in 1968, where he described European herders overgrazing common land with their cows to maximize their short-term individual profits at the expense of longer-term societal benefits. Hardin suggested that regulation or privatization can help to solve the "Tragedy of the Commons."

In the 21st century, we see the modern equivalent of the commons with the Internet, which is an open, shared networking resource for our computing and telecommunications. Without protection, we have the Wild West equivalent with things like spam, malware, and attacks proliferating--clogging up the network and causing disruptions and destruction, and where some people use more than their fair share.

Here are some examples of the Tragedy of the Internet:

- Symantec reports that even with spam decreasing with the shutdown of spam-hosting sites, in 2011, it is still 70% of all emails.

- McAfee reports that malware peaked as of the first half of 2010, with 10 million new pieces.

- Kaspersky reports that web-based attacks were up to 580 million in 2010--8 times the amount of the previous year.

- Verizon Wireless reports 3% of their users use 40% of their bandwidth.

If we value the Internet and want to continue using and enjoying it, then like with our other vital resources, we need to take care of it through effective governance and prudent resource management.  

This means that we do the following:

1) Regulation--manage the appropriate use of the Internet through incentives and disincentives for people to behave civilly online. For example, if someone is abusing the system sending out millions or billions of spam messages, charge them for it!

2) Privatization--create ownership over the Internet. For example, do an Internet IPO and sell shares in it--so everyone can, proverbially, own a piece of it and share financially in its success (or failures).

3) Security Administration--enhance security of the Internet through public and private partnership with new tools, methods, and advanced skill sets. This is the equivalent of sending out the constable or sheriff to patrol the commons and ensure people are doing the right thing, and if not, then depending on who the violating actor(s) are, take appropriate law enforcement or military action.

Only by managing the Internet Commons, can we protect this vital resource for all to use, enjoy, and even profit by. 


April 27, 2012

Securing The Internet: A Historical Perspective

This week, I had the opportunity to take a great class in Cyber Security / Information Assurance.

As part of the class, we had to do a team project and my part was to present a brief history of the Internet and how this best positions the Federal Government to take the lead in securing the Internet.

Here is my part of the presentation:

Good morning. I am Andy Blumenthal, and I am here to talk with you today about the wealth of historical experience that the U.S. Federal Government has with managing the Internet and why we are best positioned to govern the security of it in partnership with the private sector and international community.

As you’ll see on the timeline, the U.S. Government has played a major role in virtually every development with the Internet, from inventing it, to building it, and to governing it, and it is, therefore, best prepared to lead in securing it.

It all started with the invention of the Internet by the government.

Starting in 1957 with the Sputnik Crisis, where the Soviets leaped ahead of us in putting the first satellite in Earth’s orbit—this caused great fear in this country and ultimately led to a space and technology race between us and the Soviet Union.

As a result of this, in 1958, the U.S. Government established the Advanced Research Projects Agency (or ARPA) to advance our technology superiority and prevent any future technology surprises.

In 1962, ARPA created the Information Processing Techniques Office (IPTO) for enhancing telecommunications for sharing ideas and computing resources.

Finally in 1964, the concept of the Internet was founded with the publication by RAND (on contract with the Air Force) of “On Distributed Communications,” which essentially invented the idea of a distributed computing network (i.e. the Internet) with packet switching and no single point of failure.  This was seen as critical in order to strengthen the U.S. telecomm infrastructure for survivability in the event of nuclear attack by the Soviets.

The Internet era was born!

The U.S. government then set out to build this great Internet.

In 1968, ARPA contracted for the first 4 nodes of this network (for $563,000).

Then in 1982, after 8 years of antitrust litigation, the U.S. government oversaw the breakup of AT&T into the Baby Bells in order to ensure competition, value, and innovation for the consumer.

In 1983, ARPANET split off MILNET, but continued to be linked to it through TCP/IP.

In 1987, the National Science Foundation (NSF) built a T1 “Internet Backbone” for NSFNET hooking up the nation’s five supercomputers for high-speed and high capacity transmission.

And in 1991, the National Research and Education Network (NREN, a specialized ISP) was funded for a five-year contract with $2 billion by Congress to upgrade the Internet backbone.

At this point, the Internet was well on its way!

But the U.S. government’s involvement did not end there; after inventing it and building it, we went on to effectively govern it.

In 2005, the Federal Communications Commission (FCC) issued the Internet Policy Statement (related to Net Neutrality) with principles to govern an open Internet—where consumers are entitled to choice of content, apps, devices, and service providers.

And now, most recently, in 2012, we have a proposed bill for the Cybersecurity Act to ensure that companies share cyber security information through government exchanges and that they meet critical infrastructure protection standards.

You see, the government understands the Internet, its architecture, its vulnerabilities, and has a long history with the Internet from its invention, to its building, and its governance.

It only makes sense for the government to take the lead in the security of the Internet and to balance this effectively with the principles for an open Internet.   

Only the government can ensure that the private sector and our international partners have the incentives and disincentives to do what needs to be done to secure the Internet and thereby our critical infrastructure protection.

Thank you for your undivided attention, and I will now turn it over to my colleague who will talk to you about the legal precedents for this.

(Source Graphic: Andy Blumenthal)


April 24, 2012

Cyberwar--Threat Level Severe

This video is of an incredible opening statement by Rep. Michael McCaul (R-TX), Subcommittee Chairman on Oversight, Investigations, and Management on the topic--Cybersecurity Threats to the United States.

Some of the highlights from his statement:

- America's computers are under attack and every American is at risk.

- The attacks are real, stealthy, persistent, and can devastate our nation.

- Cyber attacks occur at the speed of light, are global, can come from anywhere, and can penetrate our traditional defenses.

- In the event of a major cyber attack, what could we expect? Department of Defense networks collapsing, oil refinery fires, lethal clouds of gas from chemical plants, the financial systems collapsing with no idea of who owns what, pipelines of natural gas exploding, trains and subways derailed, a nationwide blackout. These are not science fiction scenarios. (Adapted from Richard Clarke, former Senior Advisor of Cyber Security)

- It is not a matter of if, but when a Cyber Pearl Harbor will occur.  We have been fortunate [so far]. (Adapted from General Keith Alexander, Director of the NSA).

I believe we must address these threats and our vulnerabilities in at least five main ways:

1) Increase research and development for new tools and techniques--both defensive and offensive--for fighting cyberwar.

2) Establish a regulatory framework with meaningful incentives and disincentives to significantly tighten cybersecurity across our critical infrastructure.

3) Create a cybersecurity corps of highly trained and experienced personnel with expertise in both the strategic and operational aspects of cybersecurity.

4) Prepare nationwide contingency plans for the fallout of a cyberwar, if and when it should occur. 

5) Create a clear policy for preventing cyberattacks by taking preemptive action when there is a known threat as well as for responding with devastating force when attacks do occur.

With cyberwar, just as in conventional war, there is no way to guarantee we will not be attacked, but we must prepare with the same commitment and zeal--because the consequences can be just as, if not more, deadly.


March 31, 2012

Which Big Brother

About a decade ago, after the events of 9/11, there was a program called Total Information Awareness (TIA) run out of the Defense Advanced Research Projects Agency (DARPA).

The intent was to develop and use technology to capture data (lots of it), decipher it, link it, mine it, and present and use it effectively to protect us from terrorists and other national security threats.

Due to concerns about privacy--i.e. people's fear of "Big Brother"--the program was officially moth-balled, but the projects went forward under other names.  

This month Wired (April 2012) reports that the National Security Agency (NSA) has almost achieved the TIA dream--"a massive surveillance center," now being completed in the Utah desert, capable of analyzing yottabytes (10 to the 24th bytes) of data.

According to the article, the new $2 billion Utah Data (Spy) Center is being built by 10,000 construction workers and is expected to be operational in a little over a year (September 2013), and will capture phone calls, emails, and web posts and process them by a "supercomputer of almost unimaginable speed to look for patterns and unscramble codes."

While DOD is most interested in "deepnet"--"data beyond the reach of the public" such as password protected data, governmental communications, and other "high value" information, the article goes on to describe "electronic monitoring rooms in major US telecom facilities" to collect information at the switch level, monitor phone calls, and conduct deep packet inspection of Internet traffic using systems (like Narus).

Despite accusations of massive domestic surveillance at this center, Fox News (28 March 2012) this week reported that those allegations have been dismissed by NSA. The NSA Director himself, General Keith Alexander, provided such assurances at congressional hearings the prior week that the center was not for domestic surveillance purposes, but rather "to protect the nation's cyber security," a topic that he is deeply passionate about.

Certainly new technologies (especially potentially invasive ones) can be scary from the perspective of civil liberties and privacy concerns.

However, with the terrorists' agenda very clear, there is no alternative but to use all legitimate innovation and technology to our advantage when it comes to national security--to understand our enemies, their networks, their methods, their plans, to stop them, and take them down before they do us harm.

While it is true that the same technologies that can be used against our enemies can also be turned against us, we must, through protective laws and ample layers of oversight, ensure that this doesn't happen.

Adequate checks and balances in government are essential to ensure that "bad apples" don't take root and potentially abuse the system, even if that is the exception and not the rule. 

There is a difference between the big brother who is there to defend his siblings from the schoolyard bully or pulls his wounded brother in arms off the battlefield, and the one who takes advantage of them.

Not every big brother is the Big Brother from George Orwell's "1984" totalitarian state, but if someone is abusing the system, we need to hold them accountable. 

Protecting national security and civil liberties is a dual responsibility that we cannot wish away, but which we must deal with with common sense and vigilance.  


March 11, 2012

Taking Down The Internet--Not A Pipe Dream Anymore

We have been taught that the Internet, developed by the Department of Defense Advanced Research Projects Agency (DARPA), was designed to survive as a communications mechanism even in nuclear war--that was its purpose.

Last year, I learned about studies at the University of Minnesota that demonstrated how an attack with just 250,000 botnets could shut down the Internet in only 20 minutes. 

Again last month, New Scientist (11 February 2012) reported: "a new cyberweapon could take down the entire Internet--and there is not much that current defences can do to stop it."

Imagine what your life would be like without Internet connectivity for a day, a week, or how about months to reconstitute!

This attack is called ZMW (after its three creators Zhang, Mao, and Wang) and involves disrupting routers by breaking and reforming links, which would cause them to send out Border Gateway Protocol (BGP) updates to reroute Internet traffic. After 20 minutes, the extreme load brings the routing capabilities of the Internet down--"the Internet would be so full of holes that communication would become impossible."

Moreover, an attacking nation could preserve their internal network, by proverbially pulling up their "digital drawbridge" and disconnecting from the Internet, so while everyone else is taken down, they as a nation continue unharmed. 

While The Cybersecurity Act of 2012, which encourages companies and government to share information (i.e. cybersecurity exchanges) and requires that critical infrastructure meet standards set by The Department of Homeland Security and industry, is a step in the right direction, I would like to see the new bills go even further with a significant infusion of new resources for securing the Internet.

An article in Bloomberg Businessweek (12-18 March 2012) states that organizations "would need to increase their cybersecurity almost nine times over...to achieve security that could repel [even] 95% of attacks."

Aside from pure money to invest in new cybersecurity tools and infrastructure, we need to invest in a new cyberwarrior with competitions, scholarships, and schools dedicated to advancing our people capabilities to be the best in the world to fight the cyber fight. We have special schools with highly selective and competitive requirements to become special forces like the Navy SEALs or to work on Wall Street trading securities and doing IPOs--we need the equivalent or better--for the cyberwarrior.

Time is of the essence to get these cyber capabilities to where they should be, must be--and we need to act now. 

(Source Photo of partial Internet in 2005: here, with attribution to Dodek)



March 3, 2012

In The Year 2032 And Beyond

Trends help us to see where things are coming from and potentially where they are going.

There is a Cisco Visual Networking Index (VNI) Forecast for 2010-2015 that projects global IP traffic (voice, video, and data) and the numbers are ginormous!

Here are some highlights from their highlights for where we will be in only 3 years--by 2015: 

- Annual global IP traffic will reach one zettabyte (which is about 100 million x all printed material in the U.S. Library of Congress (which is 10 terabytes)).

- Devices connected to the network will be 2 for 1 for every person on this planet (and many people who live in 3rd world conditions do not have any devices, so what does that say for how many devices the rest of us have?).

- Non-PC traffic (from TVs, tablets, smartphones, more) will reach 15% and is more than doubling every year (makes you think about when your fridge and toaster are going to be connected to the Internet).

- Mobile Data traffic is practically doubling (or 92%) annually meaning a growth of 2,600% over 5 years (and according to the New York Times (5 Jan 2012) "The Top 1% of Mobile Users Consume Half of The World's Bandwidth" and the top 10% of users consume 90%!).

- Video traffic (TV, Video on Demand, Peer to Peer, etc.) will be almost 2/3 (or 62%) of all consumer internet traffic (and services like YouTube, Skype, FaceTime, Hulu, and WebEx all play a role as we want to see as much or more than hear what is going on).

The takeaway for me from all this is that truly information transmission is exploding over the Internet, and we will continue to need more advanced technologies to "pipe" it all to where it's going and do it faster than ever.

However, to build on these forecasts, over the longer term (further out in time, so more risky, of course)--say 20 years or so--some of my colleagues and I studying at National Defense University project the following:

- Rather than transmitting voice, video, and data over the Internet, we will be focused on transmitting thoughts (mental activity rather than spoken) and transmitting matter (like the Transporter on Star Trek).  

- Transmission of thoughts will occur in real-time, through persistent connections, probably implants in teeth, glasses, subcutaneous, etc.

- Safety and health will be monitored through these same "connections" and medicine or other physiological treatments for routine things will be administered remotely through the same.

- Education will be through instantaneous zaps of information to your brain (like in The Matrix) from a universal database, rather than through traditional in-class or online courses.

- Like now, the contextual policy and legal issues will be around privacy and security--and you will need to pay dutifully for each in a world where not only what you say and do, but rather what you think, can get you in lots of trouble. 

Okay, for these things to happen by 2032 is probably a little aggressive, but don't rule any of them out over time.  ;-)


February 28, 2012

The Star Wars Internet


I just love the creativity of this Star Wars-like animation video to explain how we communicate over the Internet (using the guidelines of Transmission Control Protocol/Internet Protocol, TCP/IP).

From the initiation of the data packets to the transport over the LAN, WAN, and Internet, and through the routers, switches, proxy servers, and firewalls.

The data is packed, addressed, transmitted, routed, inspected, and ultimately received.

This 13-minute video explains Internet communications in a simple, user-centric approach. It helps anyone to understand the many actors and roles involved in ensuring that our communications get to where they are going accurately, timely, and hopefully safely.

I guess to make this really like Star Wars, we need the evil Darth Vader to (cyber) attack and see how this system all holds up. Where is Luke Skywalker when we need him? ;-)

Great job by Medialab!


February 19, 2012

Big Phish, Small Phish

Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.

Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data.

Additionally, phishing emails can contain attachments that infect recipients' computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.

The word phishing alludes to the technique of baiting people and, like in real fishing, fooling at least some into biting and getting caught in the trap.

In this type of fraud, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security numbers, mother's maiden names, account numbers, passwords and more.

Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information.

Spear-phishing is a derivative of this scam that is targeted on specific people, and whaling is when the scam is perpetrated on organization executives or other high profile targets, which can be especially compromising and harmful to themselves or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services with 47% of the attacks.

There are a number of ways to protect yourself against phishing attacks.
  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links, instead go directly to a website by using a search engine to locate it or copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with "https"
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information
Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet--hook, line, and sinker.
