Homeland Security Watch

This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.

But first, the set up….

———————————————–

Is there such a thing as cyber terrorism?

I understand there’s something called cyber warfare. And cyber crime. And cyber security. But what about cyber terrorism?

And if there is something called cyber terrorism, has the US been attacked by cyber terrorists? Or maybe that question should be have terrorists attacked the US with cyber weapons? And if not, could they? Will they?

Experts cannot agree whether cyber terrorism is real or even if it is a useful concept.

I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.

I have another friend who teaches a course on homeland security threats. He says nations attack nations with cyber weapons. Non-state actors don’t use cyber weapons. So in the homeland security threat spectrum, he says, cyber is more about sound than significance.

———————————————–

Former DHS Secretary Chertoff sort of disagrees.

He devotes Chaper 8 to cybersecurity in his book “Homeland Security: Assessing the First Five Years.” He underscored that concern in his March 2 appearance with the other two DHS secretaries:

“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”

Secretary Napolitano agreed with Chertoff:

… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you’re talking about something, they’re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who’s 20 years old and who’s grown up with the computer just as part of life.

———————————————–

The US has a cyber incident annex to the National Response Plan. I think that was updated in September of 2010 with an Interim Version of the National Cyber Incident Response Plan.  I believe that is meant to serve as part of the National Response Framework. But I’m not sure. Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.

———————————————–

The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see here or here for probably more than you want to know about LizaMoon].

As I understand it, LizaMoon is a small piece of computer code that places itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected. Liza then offers to clean the computer and the trouble expands.

I don’t know if this is a big deal or not. Some reports say over a million websites were infected. Is that a lot? Other reports (like this one ) say it’s not that big of a deal.

———————————————–
Also this weekend, I learned that a firm called Epsilon had (according to its press release):

“…an incident … where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”

Translated into numbers, “a subset of Epsilon clients” could be several million people.

Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”

———————————————–
These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day.  Maybe I’m overly sensitive to these kinds of incidents since some of my web presence was hacked in December.  It wasn’t terrorism.   But it was disturbing.

Are cyber “attacks” something an inquiring homeland security mind should be concerned about?  I use that word in quotes because I know there are thousands of cyber incursions every day.  How should one even start to think about this cyber stuff?

———————————————–

I went to three government sites that, I thought, would help me frame and understand these incidents: IT-ISAC: The Information Technology Information Sharing and Analysis Center, MS-ISAC: The Multi-State Sharing and Analysis Center, and US-CERT: the United States Computer Emergency Readiness Team.

I thought they might have some information about what I figured might be fairly significant incidents. But if they did, I missed it.

I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.

But I do have to say the MS-ISAC has a really impressive looking Cyber Operations Center Dashboard.  Looking at it made me feel like Mr. Jones in Bob Dylan’s “Ballad of a Thin Man”:

… something is happening here

But you don’t know what it is

Do you, Mister Jones?

———————————————–

Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.

The IT-ISAC says:

the mission of the IT-ISAC is to:

• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,

• Establish a mechanism for systematic and protected exchange and coordination of such information [my emphasis] and trusted collaboration; and

• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.

The MS-ISAC says:

The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.

Major Objectives of the MS-ISAC

• provide two-way sharing of information and early warnings on cyber security threats

• provide a process for gathering and disseminating information on cyber security incidents [my emphasis]

• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors

• coordinate training and awareness

• ensure that all necessary parties are vested partners in this effort

The US-CERT says:

US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.

US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. [my emphasis]

———————————————–

If it isn’t at least part of their job to provide situation awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it? Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.

I guess I’m ok with that as an interim fix.

But is that the plan?

———————————————–

Ok, that’s the set up. Now the movie.

Perhaps you’ve heard of stuxnet. If not, you can read about it here.  The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”

So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.

However after watching this video (also available here) — particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction — I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.

Prime Minister Kan on March 13 (left) and on April 1 (right)

Friday the Government of Japan moved explicitly from response to recovery.   Since the crisis opened Japanese officials have, in accordance with  long-time disaster response tradition, appeared in work jackets. Friday, they shifted back to business suits.

More substantively, the Prime Minister used a 43 minute press conference to announce the government’s recovery policy.  You can view the press conference and hear a simultaneous English translation at http://nettv.gov-online.go.jp/eng/prg/prg2060.html. MONDAY UPDATE: The Prime Minister’s Office has released a provisional English translation of the news conference.

The Sunday Asahi Shimbun summarized this policy:

Prime Minister Naoto Kan’s blueprint for rebuilding the areas devastated by the Great East Japan Earthquake will focus on safe housing, the fisheries industry and ecological technology.

“We will reconstruct with the dream of building a great Tohoku region and a great Japan,” Kan told a news conference Friday. “We hope our new city planning will become a model for the world.”

Kan said he intends to have new homes built on higher ground by leveling mountainous areas, with residents commuting to fishing ports and fisheries firms along the coast.

The idea of relocating housing from the lowlands to elevated areas was broached by Kimiaki Toda, mayor of Ofunato, Iwate Prefecture, who recently spoke with Kan over the phone.

Kan said eco-friendly features would be included when rebuilding, such as heating systems that use biomass energy, something Kan has been eager to promote. He also said welfare-oriented services and facilities would be a key feature of the new communities.

Kan plans to set up by April 11 a council of officials from the quake-hit regions and experts who will discuss city planning and other issues such as land utilization.

“I hope opposition parties will cooperate with the government so we can work together to develop reconstruction plans,” he said.

Nationalization of the devastated areas is expected to be a key topic for the panel because the work requires close coordination with affected municipalities and residents. Kan said the government will try to satisfy local authorities and landowners and thereby win their approval for its plans. (Further details on possible tax hikes and bond issues for reconstruction, including a “social solidarity” income tax increase that would exclude residents of the most affected areas.)

According to the Kyodo News Service, the recovery scheme will also involve significant government incentives for private sector investments. “The government intends to push forward with reconstruction of quake and tsunami affected areas under a private finance initiative in which private-sector funds will be capitalized to build and operate social infrastructure, government sources said Saturday.”

MONDAY UPDATE:

On April 4 the Bank of Japan released much more detail than usual for its first comprehensive survey of the national economy (Tankan) completed since the earthquake-and-tsunami-and-nuclear-emergency.

Kyodo News Agency reports, “On conditions in March, the post-quake index stood at plus 6 for large manufacturers, slightly lower than the pre-quake reading of plus 7. For major nonmanufacturers, however, the post-quake index came to plus 7, much stronger than the pre-quake index of plus 1… The breakdown figures also showed that the outlook index of small and medium-sized companies in all industries stood at minus 25 after the quake and minus 22 before it, compared with Friday’s reading of minus 23. The diffusion index represents the percentage of companies reporting favorable business conditions minus the percentage reporting an unfavorable environment.”

The Bank of Japan report and supportive data is available, in English, at http://www.boj.or.jp/en/statistics/tk/tankan03b.htm/

The chart is via Earthquake Report and was developed by Armand Vervaeck, James Daniell, and Friedemann Wenzel.

A few Saturday morning impressions related to the Japanese crisis:

From March 11 to March 22 or 23 support for survivors was minimal.  Supply was substantially less than demand — or needs — for water, food, pharmaceuticals, essential medical care and basic shelter.  Since the 23rd or so fundamental human needs are being met in most areas.

The supply crunch has been mostly a matter of distribution capacity not supply capacity.  Distribution was incapacitated by breaks in the transportation network, the communications network, and — especially — availability of fuel.  (I continue to seek more information on the role of perimeter power in curtailing distribution capacity.)  Hoarding hurt, but did not break supply capacity.

The transportation network was the first to bounce back.  Given the power of the earthquake, this confirms the value of long-term investment in structural mitigation and resilience. (See interesting details on rapid repairs from NEXCO, link should appears in translation.)

Restoration of the communications network has been uneven and dramatically demonstrates the tight interdependence of the power and communications systems.  In the immediate aftermath of the March 11 earthquake and tsunami cell phone communications was surprisingly robust.  But as both towers and cell phones lost power and could not be recharged much of the system went dark.  As electricity has been restored to the region, the communications network is also coming back, but it will be months before full restoration is achieved.

Nearly one-third of total Japanese oil refining capacity was thrown offline in the immediate aftermath of the earthquake-and-tsunami.   Regional capacity in Northeast Japan was almost totally knocked-out.   The reduced — and uncertain — supply of gasoline and diesel significantly curtailed the strategic capacity to resupply the most affected region.   And with the long-term reduction of electricity complicating rail operations, there is even greater demand for liquid fuels.

The importance of focusing on strategic capacity, rather than local capability, is one of the principal lessons-learned emerging from the situation in Japan.   Catastrophes will wipe-out most local capability, regardless of what we do.  But if strategic capacity can be maintained, local capability will be restored.  With no capacity, there will be no capability.

–+–

Following is a Wall Street Journal report that should be read by every emergency management and homeland security professional — and probably every owner and operator of supply chains — anywhere.   When it was published on March 30 the commentary was available for subscribers only, but the public interest justifies (I think) re-printing here.  By the way, the business and economic reporters in Tokyo, especially with the WSJ, have in my opinion been the best source of reporting in terms of systemic and strategic implications of the earthquake, tsunami, and nuclear emergency.

Two Tsunamis

Japan’s Tragedy Contrasts With ’04

By ERIC BELLMAN

SENDAI, Japan—Yoshi Kameya wouldn’t be out of place in any of the Western world’s cozy city suburbs. Standing near the rubble that used to be his frozen-food company, he pulled an iPhone out of his bright blue North Face jacket to flip through photos he had taken of the tsunami damage.

The confident, cosmopolitan 43-year-old said he had enough food. But when a seaweed-wrapped rice ball was offered, his hand snatched it before his mouth could say thank you.

Mr. Kameya’s hungry hand reflected one of the many unsettling aspects of Japan’s tragedy. The disaster has thrown one of the world’s wealthiest countries off its axis, leaving once-affluent victims in desperation, while underscoring how even the best-prepared places aren’t immune from disaster. The developed-world technologies residents fill their homes and pockets with weren’t much help, either.

The 2004 tsunami, which this reporter covered for The Wall Street Journal, was different. In terms of lives lost, it was far, far worse: 200,000 people dead across Indonesia, Sri Lanka and other countries, compared with 11,000 confirmed dead and more than 16,500 missing.

But in other ways, that disaster was easier to comprehend. The scale of visible damage was actually smaller in many areas, and the relative lack of dependence on technologies such as mobile phones, cars and complex supply chains sometimes proved to be an advantage for those who survived.

In Sri Lanka, a line of beachfront resorts and fishing villages was flattened. However, since the communities were smaller and poorer, damage was often limited to simple settlements hugging the seashore, and were easier to rebuild. In Japan, piles of rubble including cars and homes stretch for miles inland. While this is partly because the deadly waves had traveled hundreds of miles before they hit Sri Lanka, it was also because most victims there didn’t have cars, televisions, two-story homes, kitchen tables or the closets full of clothes.

The cost of damage from Japan’s tsunami may be as high as $300 billion, economists estimate. The Indian Ocean wave caused about $10 billion in damage.

In Koggala, Sri Lanka, then-24-year-old Rosmand Wickramanayake had to bury his father, mother, sister and brother in the sand after the deadly waves came and went. A year later, life for his remaining family, which includes another brother, an uncle and others, had basically returned to normal.

The few thousand dollars they got from the government was enough to rebuild a one-car-garage-size hut, and restart a small shop. It’s impossible to gauge how the family was doing emotionally, but economically their simple lives had been relatively simple to fix.

Survivors like Mr. Wickramanayake also didn’t have to worry too much about food after an initial emergency period passed. He was usually only one or two middlemen away from suppliers of his basic necessities. If one fish vendor was killed or a market was washed away, he switched to another. Farmers with chickens or coconuts outside the tsunami-soaked zone were never far away.

In Japan, like other wealthy countries, residents are now cut off from the farmers and factories that feed and clothe them. Consumers in the developed world often ignore how store-bought products like apples, milk, shoes, rice, brooms, fish and soap get to the shelves. Now, with the power out, highways closed and trains frozen, the constant flow of products has been severed.

Each 7-11 store in Japan, for example, usually gets more than three daily deliveries. This “just-in-time” distribution helps it sell more soda, cigarettes and sandwiches from its limited shelf space.

Only two days after the quake, 7-11s in Fukushima had little left on their shelves other than ice cream and hard liquor. By the third day, most convenience stores (even some 20 miles from the coast) were closed, and there were long lines of people at the few grocery stores still open. Today, most stores in the affected areas remain closed.

Another problem for Japan, with its reliance on mobile communication devices, has been the pain of being out of touch. In Sri Lanka, most of the survivors were able to quickly reconvene. Other than a few migrant workers, relatives and friends often lived nearby, and rarely traveled far from home.

More than two weeks after the disasters in Japan, many people are still unsure which friends and family survived. When the waves hit, family members were often miles from home, working or shopping in places easily reached by car or public transport.

With cars, buses and trains damaged or gone, many Japanese were unable to get home through the rubble. Cellphone towers were out, so they were unable to call anyone. In the early days, countless people were in the streets staring at their cellphones, praying for even one bar of network connectivity so they could check on their loved ones.

After a week, the phones disappeared. Everyone’s batteries had died.

There are still daily reunion stories in Japan as people find their way home or to phones. The agonizing separations weren’t because the tsunami had spread people far and wide, but because their lives had dispersed them much farther and wider than is common in poor countries.

The sophistication of Japan’s developed economy didn’t always work against its people. Almost all the buildings untouched by the tsunami remained intact, even though the earthquake itself was one of the worst ever in Japan. The durability of Japan’s buildings was a testament to its construction industry and strict building codes.

Further, unlike the 2004 Indian Ocean disaster, most Japanese had been taught from a young age exactly what to do when a quake hits. They had practiced it repeatedly over the years, running to higher places mapped out by the government at any threat of a tsunami. Without such plans, thousands more would have died.

Still, it will likely take more than good building codes and education systems to get Japan’s economy back on its feet. Unlike Sri Lanka, where it was mostly a function of getting bridges, boats and houses rebuilt, Japan needs roads, electrical power networks, and ports to be fixed or replaced as well as tens of thousands of homes and cars. Then people will need their cellphones, cable connections and Internet. Factories that make everything from Kirin Beer to Sony videotape will have to be repaired and then the intricate web of supplies that delivers everything from radial tires to rice balls has to be slowly knit back together.

Evidence of the unexpected needs of the Japanese consumer was on display in Sendai on Sunday. With nearby Starbucks and McDonald’s still closed, long lines formed in front of one of the only international food chains to reopen: Mr. Donuts. But it wasn’t the doughnuts that people in line missed so much, but rather the familiar experience of stopping by a shop for a little break.

Another contrast between Sri Lanka and Japan’s reactions to the wicked waves has been the role of religion.

In Sri Lanka, people fled the tsunami to temples, mosques and churches. Religious leaders were in the newspapers every day commenting on what it all meant. In Japan, few have flocked to Buddhist temples or Shinto shrines.

“For their practical needs, people are not praying to some god for help,” said Masato Miura, a monk at a 400-year-old Buddhist temple in Sendai. “They are just going to the store.”

Two days ago, Homeland Security Watch’s own Chris Bellavita pointed out in an email that “baseball season starts tomorrow and to me that means the homeland is safe.”  As a baseball fan whose pulse quickens at the phrase “pitchers and catchers report,” all I could think was: amen.

Whatever the correct analogy–I need an extended spring training; I belong in the pundit minor leagues; I am simply a replacement-level commentator–I realize that I am simply not in the George Will-class of baseball loving opinionators.  That said, I still cannot resist attempting to make another connection between baseball and homeland security.

The baseball season is long, so there will be ample time to tease out general connections between what is required to win on the diamond as well as succeed in this amorphous thing we call homeland security. However, one aspect of the game struck me as particularly timely in terms of news out of Japan–the importance of having a “Plan B.”

In baseball, one can hope that a team’s starting players will go the entire season without losing much time to injury.  This happens, albeit rarely, and when it does the team involved (assuming the players were good in the first place) does well.  Most often, this just doesn’t happen and a good team has a smart general manager who considers this possibility before the season begins and takes steps to mitigate the risk.

It would seem obvious that baseball teams would plan for contingencies involving losing a couple starting players for a period of time.  Yet it involves variables not easily managed, as the most useful bench players when regulars are healthy are not always the optimal choices to fill-in for a starter over the long term, as well as juggling competing priorities at the minor league level (i.e. whether to develop prospects or stock back ups). It is easy to plan for the best case and hard to manage risks involved with the worst:

Assembling a 25-man roster is fairly easy for most general managers, especially for a team with financial resources.But finding the depth to combat injuries requires creativity.

“You have to plan for injuries because they happen every year,’’ said Epstein. “You try and plan for the worst-case scenario and adjust to the best-case scenario. It’s by trying to create redundancy.

Some obvious lessons for homeland security planning in general.  Yet, just as in baseball, this balance between best and worst case scenario planning can be difficult in even the best prepared of countries–or simply ignored.

Tokyo Electric Power Co.’s disaster plans greatly underestimated the scope of a potential accident at its Fukushima Daiichi nuclear plant, calling for only one stretcher, one satellite phone and 50 protective suits in case of emergencies.

Hard to believe, but it seems that in a nation often lauded as among the best, if not the best, in terms of preparation for a natural disaster simply dropped the ball regarding catastrophic planning for nuclear facilities. More from the Wall Street Journal article describing the lack of proper planning:

Disaster-response documents for Fukushima Daiichi, examined by The Wall Street Journal, also contain few guidelines for obtaining outside help, providing insight into why Japan struggled to cope with a nuclear crisis after an earthquake and tsunami devastated the facility.

There are no references to Tokyo firefighters, Japanese military forces or U.S. equipment.

The main disaster-readiness manual, updated annually, envisions the fax machine as a principal means of communication with the outside world and includes detailed forms for Tepco managers when faxing government officials.

Much hinged on the fax machine. One section directs managers to notify the industry minister, the local governor and mayors of nearby towns of any problems “all at once, within 15 minutes, by facsimile.” In certain cases, the managers were advised to follow up by phone to make sure the fax had arrived.

Obviously one could take up several blog posts to simply unpack these and other related revelations. Undoubtedly, other Japanese efforts at disaster readiness saved thousands, if not tens of thousands, of lives following the earthquake and tsunami.  I have serious doubts about the current ability of the United States to manage a similar size catastrophe–both the immediate impact and long term consequences.  And I agree with Phil that the nuclear crisis is needlessly overshadowing the larger natural disaster.

Yet it still boggles the mind that a society so prepared could allow such a substandard state of planning to exist.  The current disaster would not have been avoided if much of the response plan had been improved–only moving the back-up generators to higher ground would have saved the plant from the loss of power that initially drove events.  However, this disaster did underline the deficiencies in planning and hints at the difficulties that it caused in responding to this maximum of maximums event.

What the managers of the Fukushima plant failed to do was honestly consider even a bad, never mind worst, case scenario.  The level of planning appears to be equivalent to losing your back-up catcher or utility infielder for half the season.  Would it be inconvenient?  Absolutely.  Would it derail a season?  Not a chance.  Perhaps planning for an earthquake and resulting tsunami stronger than the reliable historical record indicates would not have been feasible before current events.  But the existence of a decent Plan B may have helped ameliorate the consequences of this Godzilla-esq black swan that fell on the people of Japan.