Turning the Tables on Terrorists

Rep. Roscoe Bartlett (R-Md) said that an Electromagnetic Pulse (EMP)—“it would bring down the whole [electrical] grid and cost between $1 trillion to $2 trillion” to repair with full recovery taking up to 10 years!

“It sounds like a science-fiction disaster: A nuclear weapon is detonated miles above the Earth’s atmosphere and knocks out power from New York City to Chicago for weeks, maybe months. Experts and lawmakers are increasing warning that terrorists or enemy nation state could wage that exact type of attack, idling electricity grids and disrupting everything from communications networks to military defenses…such an attack would halt banking, transportation, food, water, and emergency services and might result in the defeat of our military forces.” (Federal Times—September 21, 2009)

The Federal Energy Regulatory Commission (FERC) says “the U.S. is ill-prepared to prevent or recover from an EMP”—they are asking Congress for authority to require power companies to take protective steps to build metal shields around sensitive computer equipment.

It is imperative for us to protect our critical infrastructure so that we are not vulnerable to the devastating effects of a potential EMP blast. We must think beyond simple guns and bullets and realize that our technological progress is on one hand a great advantage to our society, but on the other hand, can be a huge liability if our technical nerve centers are “taken out”. Our technology is a great strategic advantage for us, but also it is our soft underbelly, and whether, we are surprised by an EMP or some hard-hitting cyber warfare, we are back to the stone age and it will hurt.

It also occurs to me that the same tools terrorists use against others can also be used against them.

Turning the Tables on Terrorists

IT as a Surrogate Weapon

There is a fascinating controversy going on now over the CIA plans to kill known al Qaeda terrorists. Should we “stoop to their level” and take them out or is this “assassination” style technique out of bounds for a free and democratic society?

Wow. I don’t think too many Americans the day after 9/11 would be asking that question.

We are quickly swayed by the events of the times and our emotions at play.

When 3,000 people—mostly civilians—were killed in a vicious surprise attack on our financial and military hubs in this country; when the Twin Towers were still burning and crashing down; when smoke was rising out of the Pentagon; and when a plane crashed in Pennsylvania—I think most of us would say, these terrorists need to be dealt a severe and deadly blow.

Who would’ve though that just a mere 8 years later, questions would abound on the righteousness of killing the terrorists who planned, executed, and supported these murderous attacks and still seek every day to do us incredible harm—quite likely with chemical, nuclear, biological, or radiological (CNBR) weapons—it they could pull it off in the future.

We are a society with a short-term memory. We are a reactive society. As some have rightly said, we plan to fight the wars of the past, rather than the wars of the future.

We are also a doubting society. We question ourselves, our beliefs, and our actions. And to some extent this is a good thing. It elevates our humanity, our desire to do what is right, and to improve ourselves. But it can also be destructive, because we lose heart, we lose commitment, we change our minds, we are swayed by political currents, and to some extent we swing back and forth like a pendulum—not knowing where the equilibrium really is.

What makes the current argument really fascinating to me from an IT perspective is that we are okay with drones targeting missiles at terrorist targets (and even with a certain degree of civilian “collateral damage”) from these attacks from miles in the sky, but we are critical and repugnant to the idea the CIA wanted to hunt down and put bullets in the heads of the terrorists who committed the atrocities and are unwavering in their desire to attack again and again.

Is there an overreliance on technology to do our dirty work and an abrogation of hands-on business process to do it with our own “boots on the ground” hands?

Why is it okay to pull the trigger on a missile coming from a drone, but it is immoral to do it with a gun?

Why is it unethical to fight a war that we did not choose and do not want, but are victims of?

Why are we afraid to carry out the mission to its rightful conclusion?

The CIA, interrogators, military personnel and so forth are demonized for fighting our fight. When they fight too cautiously—they have lost their will and edge in the fight, we suffer consequences to our nation’s safety, and we call them incompetent. When they fight too vigorously, they are immoral, legal violators, and should be prosecuted. We are putting “war” under a huge microscope—can anyone come out looking sharp?

The CIA is now warning that if these reputational attacks continue, morale will suffer, employees will become risk-averse, people will quit, and the nation will be at risk.

Do we want our last lines of defense to be gun-shy when the terrorists come hunting?

According to the Wall Street Journal, “one former CIA director, once told me that the ‘CIA should do intelligence collection and analysis, not covert actions. Covert actions almost never work and usually get the Agency in trouble.’”

The Journal asks “perhaps covert action should be done by someone else.” Who is this someone else?

Perhaps we need more technology, more drones to carry out the actions that we cannot bear to face?

I believe that we should not distinguish between pulling the trigger on a drone missile and doing the same on a sniper rifle. Moreover, a few hundred years ago the rifle was the new technology of the time, which made killing less brutal and dehumanized. Now we have substituted sophisticated drones with the latest communication, navigation and weapons technologies. Let’s be honest about what we are doing – and what we believe needs to be done.

(As always, my views are my own and do not represent those of any other entity.)

IT as a Surrogate Weapon

Now We All Have Skin In The Game

It used to be that cybersecurity was something we talked about, but took for granted. Now, we’re seeing so many articles and warnings these days about cybersecurity. I think this is more than just hype. We are at a precipice, where cyberspace is essential to each and every one of us.

Here are some recent examples of major reviews in this area:

• The White House released its 60-days Cyberspace Policy Review on May 29, conducted under the auspices of Melissa Hathaway, the Cybersecurity Chief at the National Security Council; and the reports states: “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21^st century…the nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."
  
• The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44^th President wrote in a December 2008 report: “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration…It is a battle we are losing.”
  

Cyberspace is becoming a more dangerous place as the attacks against it are growing. Federal Computer Week, June 2009, summarized the threat this way:

“Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication and the U.S. defenses are not keeping up.”

Reviewing the possibilities as to why this is happening: Have we dropped our guard or diverted resources or knowhow away from cybersecurity in a tight budgetary environment and now have to course correct? Or, have our adversaries become more threatening and more dangerous to us?

I believe that the answer is neither. While our enemies continue to gain in sophistication, they have always been tenacious against us and our determination has never wavered to overcome those who would threaten our freedoms and nation. So what has happened?

In my view the shift has to do with our realization that technology and cyberspace have become more and more vital to us and underpins everything we do--so that we would be devastated by any serious disruption. As the Cyberspace Policy Review states definitively: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S economy, civil infrastructure, public safety, and national security.”

We rely on cyberspace in every facet of our lives, and quite honestly, most would be lost without the connectivity, communications, commerce, productivity, and pleasure we derive from it each and every day.

The result is that we now have some serious “skin in the game”. We have something to lose--things that we deeply care about. Thus, we fear for our safety and survival should something bad happen. We think consciously or subconsciously how would we survive without the technology, Internet, and global communications that we have come to depend upon.

Let’s think for a second:

What if cyberspace was taken down or otherwise manipulated or controlled by hostile nation states, terrorists, or criminals?

Would there be a breakdown in our ability to communicate, share information, and learn? Would there be interruptions to daily life activities, disruptions to commerce, finance, medicine and so forth, concerns about physical safety or “accidents”, risks to critical infrastructure, and jeopardy to our ability to effectively protect ourselves and country?

The point here is not to scare, but to awaken to the new realities of cyberspace and technology dependence.

Safeguarding cyberspace isn’t a virtual reality game. Cyberspace has physical reality and implications for all of us if we don’t protect it. Cyberspace if a critical national asset, and we had better start treating it as such if we don’t want our fear to materialize.

Now We All Have Skin In The Game

Internet Apocalypse and Enterprise Architecture

It is the 21^st century and we are a nation dependent on everything internet. We rely on the internet for communications, like email, text messaging, and even voice over IP. We also use the internet for getting news and information, social networking, storing and sharing blogs, videos, music, and photos, accessing various applications, shopping, and conducting financial transactions.

What happens if the internet is attacked or otherwise fails us?

This is the question asked in ComputerWorld, 21 January 2008: “If the internet goes down will you be ready?”

ComputerWorld states: “It’s likely that the internet will soon experience a catastrophic failure, a multiday outage that will cost the U.S. economy billions of dollars. Or maybe it isn’t likely. In any case, companies are not prepared for such a possibility.”

The Business Roundtable says: “The threat is ‘urgent and real.’ There is a 10% to 20% chance of a ‘breakdown of the critical information infrastructure’ in the next 1o years brought on by ‘malicious code, coding error, natural disaster, [or] attacks by terrorists and other adversaries.’”

What will be the effect of a major internet interruption?

“An internet meltdown would result in reduced productivity and profits, falling stock prices, erosion of consumer spending, and potentially a liquidity crisis.” It would disrupt our everyday ability to communicate, get and share information, work and conduct transactions. And let’s not forget the effect on the human psyche—there would be chaos.

Why have we not prepared ourselves adequately?

The Business Roundtable says that “business executives often fail to realize how dependent they have become on the public network—for email, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees.”

Where are we most vulnerable?

The Internet Corporation for Assigned Names and Numbers (ICANN) says that “the Internet is pretty robust at the physical layer. There are just too many alternate paths available. But the Internet is not so robust at other layers.” Hence, the risk of operating system failures, penetration by worms, and denial of service attacks.

Is there any reason for optimism?

The CIO of Yuma County, Arizona, reminds us that the Internet “having been based on the Arpanet [from DoD] and designed to keep functioning when pieces are broken, it seems less likely that the entire Internet would stop working.”

What can enterprises do to prepare for the worst?

Of course, all organizations need to fully address security concerns in terms of managerial, operational, and technical controls.

They need the best and brightest security personnel.

Additionally, they need to perform regular risk assessments, vulnerability testing, intrusion detection and prevention, back-up and recovery.

They need to have strict access controls, security awareness training of employees and contractors, and an IT security policy.

Our organizations need a comittment to continuity of operations planning (COOP).

ComputerWorld points out that the financial services sector is out in front in making preparations Here’s some of the architectural preparations that financial companies have undertaken:

• Dedicated networks—“set up dedicated networks independent of phone companies.”
• Guaranteed diverse routing—“negotiate more aggressively with communications companies to guarantee diverse routing.”
• Geographic dispersal—“separate data centers and communications centers more widely geographically.”

In general, enterprises need “diversity and redundancy” of communications.

Most importantly, we need to recognize the risks out there and prepare, prepare, prepare.

Internet Apocalypse and Enterprise Architecture