Showing posts with label Hostile Nation States. Show all posts

February 22, 2014

National State Of Cyber Insecurity


This video is a wake-up call on the state of our national cyber insecurity.

It is the opening statement (about 6 minutes) of Chairman Michael McCaul (R-TX) of the Homeland Security Subcommittee of Oversight, Investigations, and Management.

What he describes is quite grave, and every American should listen carefully to his account of the state of our cyber insecurity, which poses a real and significant threat to our economy and national security.

We are under attack by cyber criminals, terrorists, and hostile nation states. 

Our adversaries seek to and can paralyze our critical infrastructure, steal our intellectual property, conduct espionage, and access our personal and financial information. 

The collapse of our military networks, financial system, energy, transportation, and electricity "is not science fiction."

The cyber attacks are "real, stealth, and persistent, and can devastate our nation." 

It is "not a matter of if, but when a Cyber Pearl Harbor will occur."

And "we have been fortunate that up until this point that cyber attacks on our country have not caused a cataclysmic event."

I read from the Center for Strategic and International Studies (2011) that cybersecurity has taken a back seat after 9/11 to the War on Terror as well as the economic fight after the recession of 2008, with the result that "the United States is unprepared to defend itself."

Chairman McCaul critically states at the end of his opening statement, "Let's do something meaningful [now] because it is not a tolerable situation!"

November 26, 2011

Espionage, Social Media Style

You are being watched!
Good guys and bad guys are tracking your movements, rants and raves, photos, and more online.
For example, The Atlantic reported on 4 November 2011 in an article titled How the CIA Uses Social Media to Track How People Feel that "analysts are tracking millions of tweets, blog posts, and Facebook updates around the world."
Further, in January 2009, "DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for 'items of interest.'"
And even more recently in August 2011, DARPA invited proposals for "memetracking" to identify themes and sentiments online and potentially use this for predictive analysis.
The thinking is that if you can use online information to predict stock market movements as some have attempted, why not criminal and terrorist activity?
Similarly, The Guardian, in its 16 March 2010 article FBI using Facebook in fight against crime, cautions that "criminals dumb enough to brag about their exploits on social networking sites have now been warned: the next Facebook 'friend' who contacts you may be an FBI agent."
This is reminiscent of the private-sector work of Dateline NBC in using Internet chat rooms to catch sexual predators online by luring them to a house where the predators believed they were going to meet up with an underage girl for a tryst.
While these efforts are notable and even praiseworthy by the good guys--assuming you can get over the privacy implications in favor of the potential to have a safer society to live in--these activities should be carefully safeguarded, so as not to infringe on the rights and freedoms of those who behave legally and ethically.
But the good guys are not the only ones using the tools of the trade for monitoring and analyzing social networking activities--the bad guys too recognize the implicit information treasure trove available and have you in their crosshairs.
For example, in the last year's Arab Spring, we have nation states tracking their citizens' political activities and using their power over the Internet to shut off access and otherwise suppress democracy and human rights. Further, we have seen their use for cyberspying and testing offensive cyber attack capabilities--only the most recent of which was the alleged infiltration of a SCADA system for an Illinois water plant.
Moreover, this past week, Forbes (21 November 2011) reported in The Spy Who Liked Me that "your social network friends might not be all that friendly."
From corporate espionage to market intelligence, there are those online who "steadfastly follows competitors' executives and employees on Twitter and LinkedIn."
In fact, the notion of online monitoring is so strong now that the article openly states that "if you're not monitoring your competitors activity on social media, you may be missing out on delicious tidbits" and warns that "it's easy to forget that some may not have your best interests at heart."
Additionally, while you may not think your posts online give that much away, when your information is aggregated with other people's posts as well as public information, it's possible to put together a pretty good sketch of what organizations and individuals are doing.
Forbes lists the following sites as examples of the "Web Spy Manual" with lots of information to pull from: Slideshare, Glassdoor.com, Quora, iSpionage, Youtube as well as job postings and customer support forums.
When you are on your computer in what you believe to be the privacy of your own home, office, or wherever, do not be deceived: when you are logged on, you are basically an open book for all the world to see--good guys and bad guys alike.

November 19, 2011

Will You Survive?

If you are interested in your chances of survival in the event of a nuclear blast, check out the website for Would I Survive a Nuke?
I ran the simulation as if I was still living in my old neighborhood of Riverdale, New York and 50 megaton bombs were hitting 5 cities with populations over 1 million people.
On the map, you can see the horrible destruction--gone are Boston, New York, Philadelphia, Baltimore, and Washington, D.C.
The concentric circles around each blast show 5 levels of devastation as follows (associated with the color zones of red, pink, orange, yellow, and clear/outside the blast):
Devastation
This is not a pretty picture and warrants our consideration of how critically important missile defense and homeland security are.
This position was advocated by the late Dr. Fred Ikle, the former Pentagon official who passed away this week on 10 November 2011--Ikle challenged the status quo policy of MAD, asking "Why should mutually assured destruction be our policy?" -WSJ
I, for one, don't like any of the 5 scenarios above and would like to keep our society and way of life going with a strong national security posture that includes the gamut of diplomatic, defensive, and offensive capabilities for safeguarding our national security.
With this in mind, this coming week's deadline for the Super Committee to come up with recommendations for reducing our budget deficit, or else the automatic $1.2 trillion cut goes into effect (half of which is to come from the Department of Defense), is extremely concerning.
Moreover, with well-known hostile nations having achieved (North Korea) or very near to achieving (Iran) nuclear weapons capabilities, we must take the threats of nuclear attack to us and our allies very seriously or else we can end up with not just scary looking colored concentric circles on a map, but the very real deadly effects they represent.


December 19, 2009

How $26 Can Buy You A Billion-Dollar Surveillance System

If $26 software can give our enemies on the ground access to our drone feeds and cyber warfare can inflict indefinite havoc on our critical infrastructure, we need to rethink what technological superiority means and how we keep it.

No defense system is foolproof. That’s why we build redundancy into the system and layer our defenses with “defense in depth,” so that just because the enemy infiltrates one layer, doesn’t mean that our defenses are laid bare.

When, in fact, we become aware that our systems have been compromised, it is only responsible for us to re-secure them, bolster them with additional defenses, or take those systems out of commission.

It was shocking to learn this week in multiple reports in the Wall Street Journal that our UAV drones and their surveillance systems that have been so critical in our fight against terror in Iraq and Afghanistan were compromised, and the feeds intercepted by $25.95 software sold over the Internet. These feeds were found on the laptops of the very militants we were fighting against. Reportedly, we knew about this vulnerability ever since the war in Bosnia.

It is incredible to imagine our massive multi-billion dollar defense investments and technological know-how being upended by some commercial-off-the-shelf software bought online for the price of a family dinner at McDonald's. But what makes it even worse is that we knew for nearly two decades that the enemy had compromised our systems, yet we did not fix the problem.

A number of reasons have been circulated about why the necessary encryption was not added to the drones, as follows:

- It would have resulted in an increase in cost to the development and deployment of the systems.

- There would be a detriment to our being able to quickly share surveillance information within the U.S. military and with allies.

- There was immediate battlefield need for the drones because of the immediate concern about roadside bombs and therefore there was apparently no time to address this issue.

Based on the above, one may possibly be able to understand why the Joint Chiefs “largely dismissed” the need to repair the drones’ security flaw. However, it also seems that they were overconfident. For any “Are You Smarter Than A Fifth Grader” contestant can tell you that if the enemy can see and hear what we see and hear, then they can take action to subvert our military and intelligence resources, and the critical element of surprise is gone—the mission is compromised.

Of course as civilians we are not privy to all the information that our leaders have. And one can say that if all you have are compromised drones, then those are what you must use. Nevertheless, officials interviewed by the Journal point to the hubris that influenced the decision in this situation – as the report states:

“The Pentagon assumed that local adversaries [in Iraq and Afghanistan] wouldn’t know how to exploit” the vulnerability. So, the result was that we kept building and deploying the same vulnerable systems, over a long period of time!

This is not the first time that we have both been overconfident in our technological superiority and underestimated competitors and opponents in foreign countries—with disastrous results. There are the human tragedies of Pearl Harbor and 9/11, to name just two. And then there are the economic challenges of global competition, such as in the automobile industry and overseas manufacturing in general.

And if some terrorist cells on the run can so clearly compromise our technical know-how, shouldn’t we be even more concerned about established nations who are well financed and determined to undermine our security? For example, just this week, a group calling itself the “Iranian Cyber Army” hacked and defaced Twitter and we were helpless to prevent it. Also noteworthy is that this same week, it was reported that our defense plans with respect to South Korea, including operational details, were hacked into and stolen by North Korea.

Unfortunately, however, we do not even seem to take threats from other nations as seriously as we should: As the Journal reported, “senior U.S. military officers working for the Joint Chiefs of Staff discussed the danger of Russia and China intercepting and doctoring video from the drone aircraft in 2004, but the Pentagon didn’t begin securing signals until this year.”

I am deeply respectful of our military and the men and women who put their lives on the line for our nation. It is because of that deep respect that I reach out with concern about our overconfidence that we are technologically superior, and about our dismissal and underestimation of the resolve of our enemies.




December 7, 2009

Let's Not Understate the Cyber Threat

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the damage from a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”

Now think for a second about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil infrastructure and elements of the military infrastructure are dependent on the Internet and the computers that are connected to it. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While, thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in our responsibilities for ensuring safety and security if we thought that was it.

Further, unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack.

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas, said “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibly and rationally, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation's central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

