Showing posts with label Homeland Security. Show all posts

July 1, 2012

The Heat Is On But Something Is Off


The Huffington Post (28 June 2012) ran an article this weekend called "Land of the Free, Home of the Unprepared."

This comes at a time when the United States East Coast is battling a heat wave with temperatures over 100 degrees for days running.

Emergencies have been declared in many states, including Maryland, Virginia, West Virginia, Ohio, as well as in Washington, D.C.

On top of that, an early weekend storm with hurricane-force winds took out the power for millions!

Utilities described the damage to the power grid as "catastrophic" with restoration taking up to a week for some.

People were seeking refuge from the heat with no power at home for air conditioning, refrigeration, or telecommunications.

Everywhere--at Starbucks (the garbage was piled high), Barnes & Noble, the mall--people were sprawled out in chairs and even on the floors, and were powering up their devices wherever they could find an outlet.

Moreover, there were long lines at gas stations and supermarkets, where power was working for some.

Many street lights were out at intersections and many other stores were either closed or only taking cash.

While catastrophes do happen, including natural disasters, their frequency, duration, and impact in the Washington, D.C. area--the Capital of the United States--are ridiculously high.

I could not help thinking that if something more serious struck--whether terrorism, pandemic flu, a serious earthquake, or whatever, 11 years after 9/11, we seem really ill prepared. 


We need to get our game on, not only when the heat is up, but for disaster preparedness in general.

(Source Photo: Andy Blumenthal)



June 25, 2012

Security Advisory For Architecture Drawings

Dark Reading (21 June 2012) came out with security news of an AutoCAD worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC Magazine (24 June 2012).

This malware was discovered by computer security firm ESET.

This is a serious exploitation in the industry leader for computer-aided design and drafting that is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China. 

With information on our architectural structures and designs for skyscrapers, government buildings, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents. 

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to "air gap" sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)


June 23, 2012

Biosecurity--Where Every Moment Counts

A biological attack on the United States is a most frightening prospect and one that could present an existential threat to us. 

Just the very mention of bio-warfare agents such as anthrax, ebola, smallpox, bubonic plague, and others is enough to provoke sheer terror in most people.

BioWatch is a program managed by the Department of Homeland Security (DHS) in partnership with the Centers for Disease Control (CDC) and the Environmental Protection Agency (EPA) to monitor for a biological attack.

According to Bloomberg Businessweek (21 June 2012) bio-surveillance is currently conducted in 30 metropolitan areas around the country using 600 air filters to detect pathogens, where samples are collected daily and taken to labs for analysis in what amounts to a 36 hour turnaround to determine if there is a hazard. 

A new technology made by Positive ID or Northrop Grumman collects samples four times a day, analyzes them on the spot for bacteria, viruses, and toxins, and sends the results to officials by secure network in as little as two hours.

The shorter time to detection will give more time to save lives by getting drugs and vaccines to the field sooner and prevent the spread from person to person.  

DHS wants to deploy 2,500 of these new sensors and the bio-attack alert system at a cost of approximately $5.7 billion, if Congress approves. 

If this bio-sensing system proves out functionally, then the price tag seems well worth it. 

Bioweapons, like cyber-attacks, can cause widespread panic as well as disruption to our everyday way of life; however, a bio-attack has the added feature of making people symptomatic and infecting them with deadly and painful illnesses.

Cyber attacks can infiltrate and take out our critical infrastructure, but biological attacks can directly destroy our physical bodies and the population itself. 

A bio-attack and a cyber-attack together could devastate us by attacking us while at the same time inhibiting our ability to deliver medication and quarantine those that are ill and so on. 

In addition to grossly improving on our cyber defensive (and offensive) capabilities, we must do everything we can to enhance our biosecurity--this means upgrading our preparedness for bio-terrorism and bio-warfare using the latest technologies available to sniff out and identify a bio attack and alert us so we can respond in a timely way, while we still can.

(Source Photo: here with attribution to U.S. Department of Defense)


May 5, 2012

Understanding Risk Management

Information Security, like all security, needs to be managed on a risk management basis.  

This is a fundamental principle that was previously advocated for the Department of Homeland Security by the former Secretary Michael Chertoff.

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

Where:

- Threats = those who wish to do you harm.

- Vulnerabilities = inherent weaknesses or design flaws.

- Countermeasures = the things you do to protect against the dangers imposed.

[Together, threats and vulnerabilities, offset by any countermeasures, represent the probability or likelihood of a potential (negative) event occurring.]

- Impact = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, achieving total risk avoidance is cost prohibitive.

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, since we cannot completely eliminate risk, we are left with managing it, and particularly with critical infrastructure protection (CIP): prioritizing the highest security risks and securing these first, then going down that list until we exhaust the resources available for countermeasures.
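The formula and the "work down the list until resources run out" approach can be carried through in a few lines. This is an added example, not from the original post or from Ryan and Ryan; the asset names, the 1-10 ratings, and the assumption that one budget unit raises an asset's countermeasure rating by one point are all constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    name: str
    threats: float          # those who wish to do harm (constructed 1-10 rating)
    vulnerabilities: float  # inherent weaknesses or design flaws (1-10)
    countermeasures: float  # protection already in place (1-10, must be > 0)
    impact: float           # damage or potential loss (1-10)

    @property
    def likelihood(self) -> float:
        # Threats and vulnerabilities, offset by countermeasures.
        if self.countermeasures <= 0:
            raise ValueError(f"{self.name}: countermeasures must be positive")
        return self.threats * self.vulnerabilities / self.countermeasures

    @property
    def risk(self) -> float:
        # Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact
        return self.likelihood * self.impact


def rank(items):
    """Return the items ordered from highest to lowest risk."""
    return sorted(items, key=lambda i: i.risk, reverse=True)


def allocate(items, budget_units):
    """Spend a limited budget one unit at a time on whatever is riskiest now.

    Assumption: each unit adds one point to that item's countermeasure rating.
    Risk is recomputed after every unit, so spending moves to the next item
    as soon as the current one is no longer the worst.
    """
    current = {i.name: i for i in items}
    spent = {i.name: 0 for i in items}
    for _ in range(budget_units):
        worst = max(current.values(), key=lambda i: i.risk)
        current[worst.name] = replace(
            worst, countermeasures=worst.countermeasures + 1
        )
        spent[worst.name] += 1
    return spent, list(current.values())


# Constructed sample portfolio (not real assessment data).
PORTFOLIO = [
    RiskItem("SCADA gateway", threats=8, vulnerabilities=7, countermeasures=2, impact=10),
    RiskItem("Design file share", threats=6, vulnerabilities=5, countermeasures=2, impact=8),
    RiskItem("Public web site", threats=9, vulnerabilities=4, countermeasures=6, impact=3),
    RiskItem("HR database", threats=4, vulnerabilities=6, countermeasures=4, impact=7),
]

if __name__ == "__main__":
    print("Before:")
    for item in rank(PORTFOLIO):
        print(f"  {item.name:18} risk={item.risk:7.1f}")
    spent, after = allocate(PORTFOLIO, budget_units=6)
    print("After spending 6 units:")
    for item in rank(after):
        print(f"  {item.name:18} risk={item.risk:7.1f} spent={spent[item.name]}")
```

Because countermeasures sit in the denominator, each extra unit on the same asset buys less risk reduction than the one before, and nothing ever reaches zero, which is the point the post goes on to make.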

In a sense, being unable to "get rid of risk" or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied--in other words, what good is security if we can't ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)


April 21, 2012

Don't Throw Out The Pre-Crime With the Bathwater

The Atlantic (17 April 2012) has an article this week called "Homeland Security's 'Pre-Crime' Screening Will Never Work."

The Atlantic mocks the Department of Homeland Security's (DHS) Future Attribute Screening Technology (FAST) for attempting to screen terrorists based on physiological and behavioral cues to analyze and detect people demonstrating abnormal or dangerous indicators.

The article calls this "pre-crime detection" similar to that in Tom Cruise's movie Minority Report, and labels it a "super creepy invasion of privacy" and of "little to no marginal security" benefit.

They base this on a 70% success rate in "first round of field tests" and the "false-positive paradox," whereby there would be a large number of innocent false positives and that distinguishing these would be a "non-trivial and invasive task." 

However, I do not agree that they are correct for a number of reasons: 

1) Accuracy Rates Will Improve--the current accuracy rate is no predictor of future accuracy rates. With additional research and development and testing, there is no reason to believe that over time we cannot significantly improve the accuracy rates to screen for such common things as "elevated heart rate, eye movement, body temperature, facial patterns, and body language" to help us weed out friend from foe. 

2) False-Positives Can Be Managed--Just as in disease detection and medical diagnosis, there can be false-positives, and we manage these by validating the results through repeating the tests or performing additional corroborating tests; so too with pre-crime screening, false-positives can be managed with validation testing, such as through interviews, matching against terrorist watch lists, biometric screening tools, scans and searches, and more. In other words, pre-crime detection through observable cues is only a single layer of a comprehensive, multilayer screening strategy.

Contrary to The Atlantic's statement that pre-crime screening is "doomed from the word go by a preponderance of false-positives," terrorist screening is actually a vital and necessary part of a defense-in-depth strategy and is based on risk management principles. To secure the homeland with finite resources, we must continuously narrow in on the terrorist target by screening and refining results through validation testing, so that we can safeguard the nation as well as protect the privacy and civil liberties of those who are not a threat to others.
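The arithmetic behind both the "false-positive paradox" and the layered-validation reply, as an added example that is not part of the original post. It assumes the 70% figure applies to both threats and harmless travelers, a constructed base rate of 10 threats per million people screened, and constructed accuracy figures for two follow-up layers that are treated as statistically independent of the first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    sensitivity: float  # P(flagged | real threat)
    specificity: float  # P(cleared | harmless)


@dataclass(frozen=True)
class Stage:
    layer: str
    true_pos: float   # expected real threats still flagged after this layer
    false_pos: float  # expected harmless people still flagged after this layer

    @property
    def flagged(self) -> float:
        return self.true_pos + self.false_pos

    @property
    def ppv(self) -> float:
        # Positive predictive value: chance that a flagged person is a threat.
        return self.true_pos / self.flagged if self.flagged else 0.0


def run_layers(threats, harmless, layers):
    """Pass only the people flagged by one layer on to the next layer.

    Works on expected counts. Assumes each layer's errors are independent of
    the previous layers' errors, which real screening steps may not satisfy.
    """
    stages = []
    for layer in layers:
        threats = threats * layer.sensitivity
        harmless = harmless * (1.0 - layer.specificity)
        stages.append(Stage(layer.name, threats, harmless))
    return stages


# Constructed scenario: 1,000,000 people screened, 10 of them real threats.
POPULATION = 1_000_000
THREATS = 10

LAYERS = [
    Layer("behavioral cues", 0.70, 0.70),   # 70% figure quoted in the post
    Layer("watch-list match", 0.95, 0.99),  # constructed rates
    Layer("interview", 0.95, 0.99),         # constructed rates
]


def missed_threats(stages, threats=THREATS):
    """Expected real threats that were cleared somewhere along the way."""
    return threats - stages[-1].true_pos


if __name__ == "__main__":
    results = run_layers(THREATS, POPULATION - THREATS, LAYERS)
    for s in results:
        print(f"{s.layer:17} flagged={s.flagged:12.1f} "
              f"false_pos={s.false_pos:12.1f} ppv={s.ppv:.6f}")
    print(f"expected threats missed: {missed_threats(results):.2f}")
```

Under these assumptions the first layer alone flags about 300,000 harmless people for 7 real threats, while three layers cut the false positives to about 30; the cost is that each added layer also clears some real threats, so expected misses rise from 3 to about 3.7.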

Additionally, The Atlantic questions whether subjects used in experimental screening will be able to accurately mimic the cues that real terrorists would have in the field. However, with the wealth of surveillance that we have gathered of terrorists planning or conducting attacks, especially in the last decade in the wars in Iraq and Afghanistan, as well as with reams of scientific study of the mind and body, we should be able to distinguish someone about to commit mass murder from someone simply visiting their grandmother in Miami.

The Atlantic's position is that terrorist screening's "(possible) gain is not worth the cost"; however, this is ridiculous since the only alternative to pre-crime detection is post-crime analysis--where rather than try and prevent terrorist attacks, we let the terrorists commit their deadly deeds--and clean up the mess afterwards.

In an age when terrorists will stop at nothing to hit their target and hit it hard, and shoe and underwear bombs are serious issues and not late night comedy, we must invest in technology tools like pre-crime screening to help us identify those who would do us harm, and continuously work to filter them out before they attack.

(Source Photo: here with attribution to Dan and Eric Sweeney)


March 24, 2012

Where Is The Outrage?

This past week a self-professed Al Qaeda jihadist, trained in the militant camps of Pakistan and Afghanistan, murdered in cold blood three Jewish children and a teacher (who happened to be the father of the two boys killed, ages 3 and 6).

The 8-year old girl pictured above was the beautiful daughter of the school's headmaster and was yanked by her hair while the killer reloaded his gun and then shot her in the head, point blank.

A fifth victim, another student, a boy age 17, is critically wounded in the hospital.

The killer, Mohamed Merah, had just the prior week, in two attacks, murdered 3 black French soldiers as well.

So why did he do it?  He tells us it was to avenge Palestinian children and for the French foreign interventions, as he said on the video "you kill my brothers, now I kill you."

So now this terrorist with an extensive rap sheet (as many as 18 prior acts of violence) is dead, and yet insanely, the terrorists consider him a martyr.

And while condolences are heard to all victims, is there sufficient outrage at the murder of innocent school children and terrorists' complete disregard for human life and societal norms? 

More than a decade after the tragedy of 9/11 with nearly 3,000 murdered, followed by almost 6,400 U.S. soldiers killed in Iraq and Afghanistan, we still cannot fully come to terms with the enemy we face and the threats they pose.   

The people killed in terrorist attacks around the world--whether in a school yard in Toulouse, a luxury hotel in Mumbai, train attacks in London and Madrid, a nightclub attack in the Philippines, a plane flight over Lockerbie Scotland, a truck bomb at the U.S. Marine Barracks in Beirut, a homicide attack at a pizza parlor in Jerusalem, and countless others around the world have stained our consciences with the blood of innocents, so that the girl pictured, killed this week with a bullet to the brain is no longer special to anyone except her family, friends, and people who loved her. 

The blood of the victims of terrorism is not cheap and neither is that of Jewish children--it is high time for outrage at the enemy that takes human life so gleefully. 

(Source Photo: here)


March 11, 2012

Taking Down The Internet--Not A Pipe Dream Anymore

We have been taught that the Internet, developed by the Department of Defense Advanced Research Projects Agency (DARPA), was designed to survive as a communications mechanism even in nuclear war--that was its purpose.

Last year, I learned about studies at the University of Minnesota that demonstrated how an attack with just 250,000 botnets could shut down the Internet in only 20 minutes. 

Again last month, New Scientist (11 February 2012) reported: "a new cyberweapon could take down the entire Internet--and there is not much that current defences can do to stop it."

Imagine what your life would be like without Internet connectivity for a day, a week, or how about months to reconstitute!

This attack is called ZMW (after its three creators Zhang, Mao, and Wang) and involves disrupting routers by breaking and reforming links, which would cause them to send out border gateway protocol (BGP) updates to reroute Internet traffic. After 20 minutes, the extreme load brings the routing capabilities of the Internet down--"the Internet would be so full of holes that communication would become impossible."

Moreover, an attacking nation could preserve their internal network, by proverbially pulling up their "digital drawbridge" and disconnecting from the Internet, so while everyone else is taken down, they as a nation continue unharmed. 

While the Cybersecurity Act of 2012, which encourages companies and government to share information (i.e. cybersecurity exchanges) and requires that critical infrastructure meet standards set by the Department of Homeland Security and industry, is a step in the right direction, I would like to see the new bills go even further with a significant infusion of new resources to securing the Internet.

An article in Bloomberg Businessweek (12-18 March 2012) states that organizations "would need to increase their cybersecurity almost nine times over...to achieve security that could repel [even] 95% of attacks."

Aside from pure money to invest in new cybersecurity tools and infrastructure, we need to invest in a new cyberwarrior with competitions, scholarships, and schools dedicated to advancing our people capabilities to be the best in the world to fight the cyber fight. We have special schools with highly selective and competitive requirements to become special forces like the Navy SEALs or to work on Wall Street trading securities and doing IPOs--we need the equivalent or better for the cyberwarrior.

Time is of the essence to get these cyber capabilities to where they should be, must be--and we need to act now. 

(Source Photo of partial Internet in 2005: here, with attribution to Dodek)



January 30, 2012

SCADA Beware!




In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems.


Max apparently is able to turn off (and on) the lights in entire office towers--one and then another--control a drawbridge (up and down), leaving people and cars waiting and backed up, and even change traffic signals--from speeds of 50 to 5--as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that the people and organizations with the right skills could do these things.


And rest assured that there are those out there that can perform these hack attacks--reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).


I also heard a story that I don't know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor's Xbox game over the Internet and set off a program that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again....), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall. 


In this story, the damage was limited; in other cases, as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.


Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.


In the case of the hack attack on the Xbox, that was the end of the problem for the guy being kept up at night by his loud neighbor, but in general, the unbelievable ability of some hackers to break into major systems, manipulate control systems, and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).


The takeaway is that rather than demonize and discourage those who have the skills to figure this "stuff" out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into "ethical hacking" positions, so that they work for the good guys to defeat those who would do us all harm. 


January 27, 2012

Cyber War - The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet being used as weapons and says that "the next big war is less likely to begin with a bang than with a blackout."

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI's Cyber Division), Jim Gosler (Founding Director of CIA's Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).  

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it's high time that we think again.  

Here are some highlights:

- When Retired Admiral McConnell is asked "Do you believe our adversaries have the capability of bringing down a power grid?" McConnell responds "I do." And when asked if the U.S. is prepared for such an attack, McConnell responds, "No."

- Jim Gosler describes how microchips made abroad are susceptible to tampering and could "alter the functionality" of let's say a nuclear weapon that needed to go operational, as well as how they "found microelectronics and electronics embedded in applications that shouldn't be there." 

- Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

- Jim Lewis tells of the "electronic Pearl Harbor" that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies--"so we probably lost the equivalent of a Library of Congress worth of government information" that year and "we don't know who it is" who broke in.  

The point is that our computers and communications and all the critical infrastructure that they support--including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that "it doesn't seem to be sinking in. And some of us call it 'the death of a thousand cuts.' Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it's like little drops.  Eventually we'll drown. But every day we don't notice."

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.

January 8, 2012

A Race To The Future

This last week, we learned of the new defense policy that shifts the U.S. from a full two war capability to a "win-spoil" plan, where we have the ability to fight one war, but still disrupt the military aspirations of another adversary elsewhere.
While we would all like to have unconstrained capabilities for both "guns and butter", budget realities do not permit limitless spending on anything or anytime.
The Wall Street Journal (7-8 January 2012) had an interesting editorial that cautioned against reduced military spending and latched on specifically to focusing too much on the Asia-Pacific region and somehow neglecting other danger spots around the globe.
Basically, the author says it is dangerous for us to put all our proverbial eggs in one basket. As he writes, this single-focus approach or "strategic monism" is predicated on our ability to accurately predict where the trouble spots will be and what defensive and offensive capabilities we will need to counter them.
In contrast, the author promotes an approach that is more multifaceted and based on "strategic pluralism," where we prepare ourselves for any number of different threat scenarios, with a broad array of capabilities to handle whatever may come.
What is compelling about this argument is that generally we are not very good at forecasting the future, and the author points out that "the U.S. has suffered a significant surprise once a decade since 1940" including Pearl Harbor (1941), North Korea's invasion of the South (1950), the Soviet testing of the Hydrogen bomb (1953), the Soviet resupply of Egypt in the Yom Kippur War (1973), the Iranian Shah's fall from power (1979), the Soviet Union collapse (1991), and the terrorist attacks of 9-11 (2001).
Similarly, Fortune Magazine (16 January 2012) calls out "the dangers inherent in...long-term forecasting" and points out how almost comically "the 1899 U.S. patent chief declares that anything that can be invented has been."
The Fortune article goes on to say that a number of the experts interviewed for their Guide To The Future issue stated that "cyberterrorism, resource shortages, and political instability around the world are all inevitable."
In short, the potential for any number of catastrophes is no more relevant now in the 21st century, than at any other time in history, despite all our technological advances and maybe because of it.
In fact, Bloomberg Businessweek (19-25 December 2012) actually rates on a scale of low to high various threats, many of which are a direct result of our technology advancement and the possibility that we are not able to control these. From low to high risk--there is climate change, synthetic biology, nuclear apocalypse, nanotechnology weaponry, the unknown, and machine super intelligence. Note, the second highest risk is "unknown risks," since they consider "the biggest threat may yet be unknown."
So while risks abound and we acknowledge that we cannot predict them all or forecast their probability or impact accurately, we need to be very well prepared for all eventualities.
But unfortunately, being prepared, maintaining lots of options, and overall strategic pluralism does not come cheaply.
In fact, when faced with weapons of mass destruction, threats to our homeland, and human rights abuses is there any amount of money that is really enough to prepare, protect, and defend?
There is no choice but to take the threats--both known and unknown seriously--and to devote substantial resources across all platforms to countering these. We cannot afford to be caught off-guard or prepared to fight the wrong fight.
Our adversaries and potential adversaries are not standing still--in fact, they are gaining momentum, so how much can we afford to recoil?
We are caught between the sins of the past in terms of a sizable and threatening national deficit and an unpredictable future with no shortage of dangers.
While everyone has their pet projects, we've got to stop fighting each other (I believe they call this pork barrel politics) and start pulling for the greater good or else we all risk ending up on the spit ourselves.
There is no option but to press firmly on the accelerator of scientific and technological advancement and break the deficit bounds that are strangling us and leap far ahead of those who would do us harm.
(All opinions my own)
(Source Photo: here)


December 10, 2011

Nuclear Weapons--A Scary Infographic

As you already know, I appreciate a good infographic.
Unfortunately, I think many of the ones coming out recently are too jumbled, long and complex and read more like a "Megilla" (no disrespect intended).
I was a little surprised to find an infographic on Nuclear Weapons online, but then again it's not a "cookbook" and hopefully those are not being posted.
This one was interesting to me, not only because of the topic of weapons of mass destruction, but also because in 11 factoids, the graphic takes you through a pretty clear and simple overview of the subject matter.
No, it's not getting into the physics and nuclear engineering depths of the whole thing, but at the same time, you have, starting with the Manhattan Project in the 30's, some nice history on the following:
  • Invention
  • Cost
  • Types, both fission and fusion
  • Testing
  • Use
  • Inventories, although based on recent articles on the 3,000 miles of Chinese tunnels in the Wall Street Journal (25 October 2011) and Washington Post (30 November 2011), the Chinese number may be way too low--the WSJ based on Chinese media reports has it as high as 3,500!
  • Even numbers "lost and not recovered"--11!--not comforting, who would've thought?

In the graphic, it would be interesting to see a breakdown by land-, bomber-, and submarine-based, (some nice graphics available for that) but perhaps a number 12 item on the infographic would've been getting too much in the weeds.

Also, a similar graphic for chemical and biological weapons while interesting, would be scary indeed.
(Source Graphic: here)


December 9, 2011

Losing The Edge, No More

For years, there has been all sorts of uproar about the U.S. and its citizens and businesses losing their edge.

Critics point out how our educational system (especially through high school) is not keeping up, how we are not attracting and graduating enough folks in science, technology, engineering, and math (STEM), how our inventions are freely copied overseas, and how innovation and entrepreneurship are suffering at home, whether due to challenging economic or social conditions.

Yet, when it comes to losing our edge, nothing is more maddening than when the technological advances we do have are taken from us--this happens in numerous ways, including:

- Cyber Attacks: According to the Pentagon Strategy on Cyberwar as per the Wall Street Journal (15 July 2011) "each year a volume of intellectual property the size of the Library of Congress is stolen from U.S. government and private-sector networks." Cyber espionage has affected a broad range of our prized national assets: from Space Shuttle designs to the Joint U.S. Defense Strategy with South Korea as del as the plans for the F-35 Joint Strike Fighter and more. Moreover and unfortunately, this is only the tip of the iceberg. For example, this past August, McAfee disclosed a cyber spying operation dubbed Operation Shady Rat that infiltrated some 71 government and corporate entities of which 49 were in the U.S. and which included more than a dozen defense firms over five years, compromising a massive amount of information.

- Spies/Insider Threats: Spies and insider threats can turn over state secrets to foreign powers or entities causing a major lose to our competitive advantage. This has happened with convicted spies from Aldrich Ames to FBI agent Robert Hanssen, and more recently to Army Corporal Bradley Manning accused of turning over troves of restricted documents to WikLleaks. And despite the amazing efforts to catch these subversives, presumably, there are plenty more where they came from.

- Expropriations: We lose our edge to foreign nations and organizations when our high-technology or intellectual assets are used without our consent or otherwise seized and compromised. This can happen from having our copyrights trampled on, our designs simply copied and "knockoffs" produced and peddled, or even when we are in a sense forced to exchange our intellectual property for basic entry into foreign markets. But this also happens more explicitly and violently when our assets are literally taken from us. For example this happened in April 2001, when Chinese fighter jets intercepted (in international air space) and crashed a U.S. EP-3 reconnaissance plane and didn't return it until July in disassembled pieces. Similarly, when the tail of the stealth modified MH-60 Black Hawk helicopter, with sensitive military technology, used in the raid in Osama bin Laden's was recovered and held by Pakistan for weeks before it was returned to the U.S. And we saw this again this week when the Iranians showed off a prized RQ-170 Sentinel stealth drone they now have seized, and which secrets presumably may end up in Russian, Chinese, or ultimately terrorist hands.

Developing an edge is not something we should take lightly or for granted--it is based on lots of talent, experience, and hard work and we do not have an exclusive hold on any of these.

We must prize our scientific and technological advances and secure these the way a mother protects her young--fiercely and without compromise.

No matter how much or fast we churn out the advances, it will not matter if we do not safeguard our investments from those who would take it right out from under us. We can do this by significantly increasing investment in cyber security, strengthening counterespionage efforts, and not letting any nation or organization take something that doesn't belong to them without consequences--economic or military--that restore our edge and then some.


November 26, 2011

Espionage, Social Media Style

You are being watched!
Good guys and bad guys are tracking your movements, rants and raves, photos, and more online.
For example, The Atlantic reported on 4 November 2011 in an article titled How the CIA Uses Social Media to Track How People Feel that "analysts are tracking millions of tweets, blog posts, and Facebook updates around the world."
Further, in January 2009, "DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for 'items of interest.'"
And even more recently in August 2011, DARPA invited proposals for "memetracking" to identify themes and sentiments online and potentially use this for predictive analysis.
The thinking is that if you can use online information to predict stock market movements as some have attempted, why not criminal and terrorist activity?
Similarly, The Guardian reported on 16 March 2010 in an article titled FBI using Facebook in fight against crime and cautions that "criminals dumb enough to brag about their exploits on social networking sites have now been warned: the next Facebook 'friend' who contacts you may be an FBI agent."
This is reminiscent of the private-sector work of Dateline NBC in using Internet chat rooms to catch sexual predators online by luring them to a house where the predators believed they were going to meet up with an underage girl for a tryst.
While these efforts are notable and even praiseworthy by the good guys--assuming you can get over the privacy implications in favor of the potential to have a safer society to live in--these activities should be carefully safeguarded, so as not to infringe on the rights and freedoms of those who behave legally and ethically.
But the good guys are not the only ones using the tools of the trade for monitoring and analyzing social networking activities--the bad guys too recognize the implicit information treasure trove available and have you in their crosshairs.
For example, in this past year's Arab Spring, we have nation states tracking their citizens' political activities and using their power over the Internet to shut off access and otherwise suppress democracy and human rights. Further, we have seen their use for cyberspying and testing offensive cyber attack capabilities--only the most recent of which was the alleged infiltration of a SCADA system for an Illinois water plant.
Moreover, this past week, Forbes (21 November 2011) reported in The Spy Who Liked Me that "your social network friends might not be all that friendly."
From corporate espionage to market intelligence, there are those online who "steadfastly follows competitors' executives and employees on Twitter and LinkedIn."
In fact, the notion of online monitoring is so strong now that the article openly states that "if you're not monitoring your competitors activity on social media, you may be missing out on delicious tidbits" and warns that "it's easy to forget that some may not have your best interests at heart."
Additionally, while you may not think your posts online give that much away, when your information is aggregated with other people's posts as well as public information, it's possible to put together a pretty good sketch of what organizations and individuals are doing.
Forbes lists the following sites as examples of the "Web Spy Manual" with lots of information to pull from: Slideshare, Glassdoor.com, Quora, iSpionage, Youtube as well as job postings and customer support forums.
When you are on your computer in what you believe to be the privacy of your own home, office, or wherever, do not be deceived: when you are logged on, you are basically an open book for all the world to see--good guys and bad guys alike.
(Source Photo: here)


November 19, 2011

Will You Survive?

If you are interested in your chances of survival in the event of a nuclear blast, check out the website for Would I Survive a Nuke?
I ran the simulation as if I was still living in my old neighborhood of Riverdale, New York and 50 megaton bombs were hitting 5 cities with populations over 1 million people.
On the map, you can see the horrible destruction--gone are Boston, New York, Philadelphia, Baltimore, and Washington, D.C.
The concentric circles around each blast show 5 levels of devastation as follows (associated with the color zones of red, pink, orange, yellow, and clear/outside the blast):
Devastation
This is not a pretty picture and warrants our consideration of how critically important missile defense and homeland security are.
This position was advocated by the late Dr. Fred Ikle, the former Pentagon official who passed away this week on 10 November 2011--Ikle challenged the status quo policy of MAD asking "Why should mutually assured destruction be our policy?" -WSJ
I, for one, don't like any of the 5 scenarios above and would like to keep our society and way of life going with a strong national security posture that includes the gamut of diplomatic, defensive, and offensive capabilities for safeguarding our national security.
With this in mind, this coming week's deadline for the Super Committee to come up with recommendations for reducing our budget deficit, or else the automatic $1.2 trillion cut goes into effect (half of which is to come from the Department of Defense), is extremely concerning.
Moreover, with well-known hostile nations having achieved (North Korea) or very near to achieving (Iran) nuclear weapons capabilities, we must take the threats of nuclear attack to us and our allies very seriously or else we can end up with not just scary looking colored concentric circles on a map, but the very real deadly effects they represent.


November 10, 2011

Tougher Than An iPad



Panasonic unveiled their ToughPad this week--the FZ-A1.

This is a hardened device ready for outdoor use. Rated for MIL-STD-810G, the device is 4' shock-resistant, rated for extreme temperatures, and is resistant to water and dust with IP65 sealed design.

Currently comes in 10" size, but the FZ-B1 device is slated for a smaller 7" screen in Q2 2012.

The ToughPad packs a lot of punch: This is an Android 3.2 device with 1.2 GHz dual core, 1 GB RAM, 16 GB storage, 2 cameras (back 5 megapixel and front 2 megapixel), anti-glare multitouch screen 768 x 1024 megapixels, a 10 hour replaceable battery, USB, GPS, WIFI 802.11, Bluetooth, and optional 3G mobile broadband.

Optional accessories for vehicle mounting and hands-free holsters.

Priced at around $1299.

Great option for the warfighter, law enforcement, and homeland security professional as well as others working in challenging environments.



November 4, 2011

What's In That Container?

Ever since 9-11, there has been acute concern about preventing "the next" big attack on our nation.
Will it be a suitcase bomb, anthrax in the mail, an attack on our mass transit systems, or perhaps a nuclear device smuggled into one of our ports--all very frightening scenarios!
The last one though has been of particular fascination and concern given the amount of commerce that passes through our ports--more than 95% of our international trade--and hence the damage that could be done to our economy should these ports be hit, as well as the challenges in being able to adequately screen all the containers coming through--a massive undertaking.
Wired Magazine (November 2011) did a feature story on this topic in an article called "Mystery Box."
The article highlights the unbelievable damage that could occur if a dirty bomb ("a radiological dispersion device") were to get through in one of the millions of 20 foot long by 8 foot wide shipping containers out there--aside from the risk to lives, "it would result in a major national freak-out...cause billions and billions of dollars in economic damage...dirty bombs are weapons of mass disruption."
While 99% of shipping containers are scanned when they arrive in the U.S., DHS is supposedly challenged in implementing a bill requiring scanning every container before they enter the U.S.--"some 66,000 [containers] a day."
Instead, "100 percent screening" is being pursued, where shipping information is checked before arrival--including vessel, people, and cargo, origination, and destination--and when an anomaly or cause for concern is detected, if there is a U.S. Customs Officer at the origination port, they can check it there already.
However, there are still at least four major issues affecting our port security today:
1) Most containers are still checked only once they actually get onshore.
2) The scanners are too easily foiled--"most detectors are set to ignore low radiation levels. [And] basic shielding would be enough to mask all but the strongest sources."
3) Thoroughly scanning every container is considered too time-consuming using current processes and technology and therefore, would adversely affect our commerce and economy.
4) Around the world "Customs tends not to focus on containers being transshipped [those moving from ship to ship]. Their attitude is 'It's not my container, it's just passing through.'"
This is a perfect example of technology desperately needed to address a very serious issue.
Certainly, we cannot bring our economy to a standstill either by unnecessarily checking every "widget" that comes over or by risking the catastrophic effects of a WMD attack.
So for now, we are in a catch-22, darned if we do check everything as well as if we don't.
This is where continued research and development, technological innovation, and business process reengineering must be directed--to secure our country sooner than later.
The risks are being managed as best we can for now, but we must overcome the current obstacles to screening by breaking the paradigm that we are boxed into today.
(Source Photo: here)


October 23, 2011

Architecting Crowd Control

Last week (19 October 2011) T3 Motion Inc. in CA launched their all electric Non-Lethal Response Vehicle (NLRV) for "crowd control."

The vehicle is a souped-up three-wheeled Segway equipped with two compressed air powered rifles able to shoot 700 non-lethal rounds per minute of pepper, water, dye, or rubber projectiles, and each vehicle can carry 10,000 rounds.

According to Trendhunter, the NLRV also has a "40,000-lumen LED strobe light, a riot shield, a P.A. system, and puncture-proof tires" as well as a video camera.

The notion of a law enforcement officer shooting an automatic (non-lethal, as it may be) to quell a riot does not quite fit in with general first amendment rights for peaceful assembly and typical demonstrations that as far as I know are generally NOT an all heck break loose scenario.

I wonder whether instead of a NLRV for handling riot control, a better idea would be a Lethal Response Vehicle (LRV)--with proper training and precautions--to handle homeland security patrols at major points of entry and around critical infrastructure.

From an architecture perspective, this seems to me to be a clear case of where a "desirement" by somebody out there (gaming, fantasy, or what not) should be channeled into fulfilling a more genuine requirement for people actually protecting our homeland.

The benefits of speed and maneuverability can benefit field officers in the right situations--where real adversaries need to be confronted quickly with the right equipment.


October 22, 2011

Keeping All Our Balls In The Air

This is the throwable panoramic ball camera.

It has 36 cameras and when thrown in the air, takes 360-degree pictures of its surroundings as it reaches its apex (i.e. the highest point in the air).

You can see behind you, above you, all around you, even things that you didn't even know were there.

And you can pan, zoom, and scroll to get the precise view you want.

The pictures are amazing--instantly, you have a bird's-eye view, but only better, because even a bird can't see behind its head, but you can.

The implications for artists, photo hobbyists, and outdoor enthusiasts are one thing, but then there are the possibilities for improved surveillance and reconnaissance for homeland and national security.

Watch for camera balls to be used not only for throwing in beautiful and/or dangerous environments, but also for posting at security checkpoints, critical infrastructure, transportation hubs and more.

One question I have is whether the camera ball becomes a one-time use device if you don't catch it and it ends up smashing into the ground.

Situational awareness is about to get a real bounce out of this one.


October 20, 2011

Be Careful What You Point That At

By now many of you may or may not have pointed your smartphones at a QR ("Quick Response") code to get more information on products, places, events, and so forth.

A QR code is a barcode that generally contains alphanumeric information and takes you to a website when you read the QR code with your smartphone (i.e. by taking a picture of it with a QR reader app).

QR codes remind me of the barcodes in the store at the checkout line, but QR codes look more like a squared-off Rorschach test compared to the barcodes on items you purchase, which are rectangular straight lines from top to bottom.

By reading the QR code, you don't have to remember or type any information into your smartphone--you're just zipped right off to wherever the QR points you (usually after you confirm on the screen that you are okay with going to the URL).

But QR codes, like any information technology, can be used for good or evil--for some reason though, people seem to have been unsuspecting of the innocuous-looking QRs.

Kaspersky Lab has issued a warning on QR codes after finding consumers in Russia scammed when they thought they were downloading an Android app and were instead infected with malware that caused them to send SMS messages to a premium number that charged for each message sent.

So while QR codes can take a reader to a harmless website for information, like other computer code, they can contain instructions that cause you to send email, SMS messages, download applications, etc.

So unless you know what you are QR reading (i.e. you have a high-degree of confidence in whoever placed the advertisement with the QR code)--think twice before scanning that barcode, because you may get a surprise package in your smartphone that you weren't expecting causing infection of your device, loss of privacy to the information stored on it, or costing you money for things you never wanted or intended to spend on.
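Because a decoded QR payload may be a URL, an SMS, an e-mail or an app download, a reader can classify it and show the real target before anything happens. The Python sketch below is an added example, not code from the original post or from any reader app; the prefix list follows common de facto QR payload conventions, and the `.apk` rule, sample payloads, numbers and hostnames are constructed assumptions.

```python
"""Classify decoded QR text so a reader can show what a scan would do."""
from typing import NamedTuple
from urllib.parse import urlsplit


class Verdict(NamedTuple):
    action: str    # what acting on the payload would do
    target: str    # number, address or host to show the user
    confirm: bool  # True: ask the user before doing anything


# De facto payload prefixes (lowercased) mapped to the action they trigger.
ACTION_PREFIXES = {
    "smsto:": "send_sms",
    "sms:": "send_sms",
    "tel:": "dial",
    "mailto:": "send_email",
    "matmsg:": "send_email",
    "market:": "install_app",
}
APP_EXTENSIONS = (".apk",)  # assumption: extensions treated as app downloads


def classify_qr_payload(text: str) -> Verdict:
    payload = text.strip()
    lowered = payload.lower()
    for prefix, action in ACTION_PREFIXES.items():
        if lowered.startswith(prefix):
            target = payload[len(prefix):]
            if action == "send_sms":
                # "smsto:<number>:<body>" or "sms:<number>?body=...":
                # surface the number that would receive (and bill) the message.
                target = target.split(":", 1)[0].split("?", 1)[0]
            return Verdict(action, target, True)
    try:
        parts = urlsplit(payload)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return Verdict("text", payload, False)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        # hostname ignores any "user@" prefix, so the real destination is shown
        if parts.path.lower().endswith(APP_EXTENSIONS):
            return Verdict("download_app", parts.hostname, True)
        return Verdict("open_url", parts.hostname, True)
    # Anything unrecognized is only displayed as text, never acted on.
    return Verdict("text", payload, False)


if __name__ == "__main__":
    # Constructed sample payloads; numbers and hostnames are placeholders.
    for sample in (
        "SMSTO:0000:constructed message body",
        "https://downloads.example/app.apk",
        "http://trusted.example@other.example/promo",
        "plain note",
    ):
        print(sample, "->", classify_qr_payload(sample))
```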

Scanning a QR code, while as simple as taking a picture of a sunset, may not have as beautiful consequences.

(Source Photo: here)


October 14, 2011

EMP Cybergeddon

Electromagnetic Pulses (EMPs) are the weapons of choice against electronics of all sorts, including cyber.

The Economist (15 October 2011) in an article called Frying Tonight describes how "warfare is changing as weapons that destroy electronics, not people, are deployed on the field of battle."

Here is a brief summary:

During the Cold War, the notion was to explode an atom bomb high in the atmosphere (i.e. a High-Altitude EMP or HEMP) "to burn out an enemy's electrical grid, telephone network, and possibly even the wiring of his motor vehicles."

Today, that principle is being applied in smaller weapons using microwaves--from powerful batteries or reactive chemicals that generate high-energy radio frequencies.

By zapping electronics, EMPs can take down enemy missiles, destroy command, control, and communications capability, and stop in their tracks everything from enemy tanks to planes and speed boats.

EMP weapons are already being deployed:

- Fighter planes are being developed with EMP capabilities using the active electronically scanned array (AESA) as defensive weapons against air-to-air and surface-to-air missiles, while other planes (like the "Growler") are being outfitted with offensive EMP capabilities.

- Ships too are being armed with EMP guns to defend against high-speed boat "swarms" or to defend against pirates.

- Land vehicles will be armed with EMP cannons such as the Radio-Frequency Vehicle Stopper that can stall enemy vehicles' engines or the Active Denial System used as a heat-ray to disperse crowds.

At the same time, defenses against EMPs are being deployed, such as Faraday cages--which are enclosures of conducting material, often in a mesh pattern, that protect electrical equipment from getting fried.

What is important to note though is that EMPs are not just battlefield weapons--they can take out our everyday electrical and cyber systems.

A Congressional Research Service (CRS) Report to Congress (21 July 2008) called High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments states "Several nations, including sponsors of terrorism, may currently have a capability to use EMP as a weapon for cyber warfare or cyber terrorism to disrupt communications and other parts of the U.S. critical infrastructure."

The EMP Commission reported that EMP "creates the possibility of long-term, catastrophic consequences for national security."

One of the major concerns is the "cascading effects" that a loss of electrical infrastructure would cause in terms of people being unable to obtain basic life necessities, with the result that "many people may ultimately die."

The report finds EMP weapons to be an "attractive asymmetric option" for our adversaries, and that analysts find that "it could possibly take years for the United States to recover fully from the resulting widespread damage."

Therefore, it is critical that we increase our cyber security capabilities not only in terms of fighting conventional malware attacks from within the cyber realm, but we must be thinking in earnest about energy weapons directed at us from without.

We must continue to harden our defenses, invest in new technologies and countermeasures to thwart the enemy, develop punishing offensive capabilities, as well as prepare for the possibility of a strike against our homeland.

Although called "human-safe" (and aside from the traditional weapons of mass destruction), EMPs may actually be one of the most devastating weapons of all to a society dependent on technology.

(Source Photo: here)
