Homeland Security Watch

News and analysis of critical issues in homeland security

January 26, 2012

Global Supply Chain Strategy

Filed under: Catastrophes,Cybersecurity,Port and Maritime Security,Private Sector,Strategy — by Philip J. Palin on January 26, 2012

Yesterday at the World Economic Forum in Davos, Switzerland, Secretary Napolitano unveiled the new National Strategy for Global Supply Chain Security (1.5 megabyte PDF). The President signed out the document on Monday.

The strategy offers two goals:

Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption. To achieve this goal we will enhance the integrity of goods as they move through the global supply chain. We will also understand and resolve threats early in the process, and strengthen the security of physical infrastructures, conveyances and information assets, while seeking to maximize trade through modernizing supply chain infrastructures and processes.

Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions. To achieve this we will prioritize efforts to mitigate systemic vulnerabilities and refine plans to reconstitute the flow of commerce after disruptions.

In my judgment we are much closer to achieving “efficient and secure movement” than we are to a “resilient supply chain”.  The new strategy could help with each, but the tougher task will be the effort “to mitigate systemic vulnerabilities.”

On January 11 the Wall Street Journal reported,

After a decade of streamlining their supply chains to make them less costly, the natural disasters and political upheavals that marked 2011 showed many multinational companies just how vulnerable those links have become.

A senior supply chain executive recently told me (clearly depending on me to protect his name and the name of his firm), “We have several known choke-points. I’m sure there are many more we don’t know about.  It won’t take a major disaster to disrupt supply, just a couple of unusual, probably simultaneous accidents.  I think — hope — there would be a similar impact on our competitors.  But that doesn’t help our consumers.”

“There are ways to mitigate our risk, but they’re all expensive,” another executive explains. “And for the last decade and the foreseeable future the lower cost of US supply chain management has been our principal economic advantage. We’re much better than the Europeans, tons more efficient than the Chinese. Increase supply chain costs and we lose just about the only advantage the US has left on most commodity trading and even a broad range of high-end specialty goods.”

Again from the Wall Street Journal:

Justifying redundancies is one of the toughest aspects of managing a supply chain, because backstopping doesn’t pay off unless there is a disaster. When CFOs ask about the return on such investments, the answer is, “If we’re lucky, absolutely zero return,” says Sean Cumbie, vice president in charge of global supply-chain management at genetics-testing company Qiagen NV, based in Germany.

The new strategy makes a glancing reference to “appropriate redundancy” which, for most supply chain executives, is like discussing the practical difference between manslaughter and murder.   Whatever you call it, the outcome ain’t pretty.

The senior supply chain guys (and a few gals) are the pioneers of the field. In the last twenty years they have transformed the known world. Not just the supply chain world, but the everyday world of billions of consumers. Today the supply chain is faster and cheaper, and delivers much higher quality with much more assurance and transparency than a quarter century ago.

On most days the supply chain is also stronger, more flexible, and better at handling a range of emergencies and disasters.

But what we saw in Northeast Japan and Thailand has exposed a parallel reality. Like all networked systems, risk tends to pool in unexpected ways and often unexpected places. What if the earthquake-and-tsunami had hit the economic heartland of Tokyo and Osaka, instead of the Tohoku periphery? What would the outcome be if, instead of Thai flooding, it was an earthquake in San Francisco and down the east side of Santa Clara County? What happens if the Port of Long Beach is seriously disrupted for an extended period? What if cyber-vandals — or economic or national or terrorist adversaries — seriously target the digital systems on which the modern supply chain absolutely depends?

In a report — “New Models Addressing Supply Chain and Transport Risk” (7 megabyte PDF) — released Tuesday, the World Economic Forum found:

Supply chain and transport networks have continuously evolved to deliver capacity, speed, efficiency and customer service through organizational trends such as globalization, specialization, volume consolidation and information availability. The focus on cost optimization has highlighted the tension between cost elimination and network robustness – with the removal of traditional buffers such as safety stock and excess capacity. These developments have shifted risk distributions…(while) their effects have often included sharing risk more broadly around the world, reducing high-frequency risks and focusing risk within sectors, common technologies or nodes. Another common feature has been to disassociate risk from responsibility, misaligning incentives and creating moral hazards – the notion that a party that is insulated from risk will behave differently from how it would behave if it had full exposure to risk.

Most supply chain managers I know tend to discount low frequency, high consequence risks (see related post). They discount this kind of risk because over the last twenty years they have become true masters of risk management. They also discount high impact risks because their CEOs, Boards of Directors, and shareholders reward them for squeezing every possible penny out of supply chain costs. They discount catastrophic risk because their creation — the modern supply chain — has never experienced a fundamental systemic failure.

Yet.

Many supply chain executives have become what economists sometimes call “risk preferers”: they have learned to maximize their return by skating with great style, grace, and confidence along the edge of chaos. Each day they become more adept at mastering the chaos. Is the experienced supply chain executive a sorcerer or a sorcerer’s apprentice?

The new National Strategy is the starting point for a collaborative process of discussion, analysis, and policy development.  It seeks to “develop a culture of mutual interest and shared responsibility” across government and the private sector.  It’s the right goal.  It’s the right way to pursue the goal.

It is a very ambitious goal.

January 5, 2012

Defense strategy and homeland security

Earlier today the President signed out and the Secretary of Defense released new strategic guidance for the Department of Defense. Following are my quick-takes on those aspects of the document  most closely related to homeland security.

Page 1:

The demise of Osama bin Laden and the capturing or killing of many other senior al-Qa’ida leaders have rendered the group far less capable. However, al-Qa’ida and its affiliates remain active in Pakistan, Afghanistan, Yemen, Somalia, and elsewhere. More broadly, violent extremists will continue to threaten U.S. interests, allies, partners, and the homeland. The primary loci of these threats are South Asia and the Middle East. With the diffusion of destructive technology, these extremists have the potential to pose catastrophic threats that could directly affect our security and prosperity. For the foreseeable future, the United States will continue to take an active approach to countering these threats by monitoring the activities of non-state threats worldwide, working with allies and partners to establish control over ungoverned territories, and directly striking the most dangerous groups and individuals when necessary.

Page 2:

In the Middle East, the Arab Awakening presents both strategic opportunities and challenges. Regime changes, as well as tensions within and among states under pressure to reform, introduce uncertainty for the future. But they also may result in governments that, over the long term, are more responsive to the legitimate aspirations of their people, and are more stable and reliable partners of the United States. Our defense efforts in the Middle East will be aimed at countering violent extremists and destabilizing threats, as well as upholding our commitment to allies and partner states.

Page 3:

To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons – those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities.

Page 4:

Acting in concert with other means of national power, U.S. military forces must continue to hold al-Qa’ida and its affiliates and adherents under constant pressure, wherever they may be. Achieving our core goal of disrupting, dismantling, and defeating al-Qa’ida and preventing Afghanistan from ever being a safe haven again will be central to this effort. As U.S. forces draw down in Afghanistan, our global counter terrorism efforts will become more widely distributed and will be characterized by a mix of direct action and security force assistance. Reflecting lessons learned of the past decade, we will continue to build and sustain tailored capabilities appropriate for counter terrorism and irregular warfare. We will also remain vigilant to threats posed by other designated terrorist organizations, such as Hezbollah.

Page 5:

Accordingly, DoD will continue to work with domestic and international allies and partners and invest in advanced capabilities to defend its networks, operational capability, and resiliency in cyberspace and space….

U.S. forces will continue to defend U.S. territory from direct attack by state and non-state actors. We will also come to the assistance of domestic civil authorities in the event such defense fails or in case of natural disasters, potentially in response to a very significant or even catastrophic event. Homeland defense and support to civil authorities require strong, steady-state force readiness, to include a robust missile defense capability. Threats to the homeland may be highest when U.S. forces are engaged in conflict with an adversary abroad.

Page 6:

The nation has frequently called upon its Armed Forces to respond to a range of situations that threaten the safety and well-being of its citizens and those of other countries. U.S. forces possess rapidly deployable capabilities, including airlift and sealift, surveillance, medical evacuation and care, and communications that can be invaluable in supplementing lead relief agencies, by extending aid to victims of natural or man-made disasters, both at home and abroad. DoD will continue to develop joint doctrine and military response options to prevent and, if necessary, respond to mass atrocities. U.S. forces will also remain capable of conducting non-combatant evacuation operations for American citizens overseas on an emergency basis.

You may see more. The document includes considerable attention to WMD and cyber threats not excerpted above.

November 28, 2011

Cyber Monday Deals

Filed under: Cybersecurity — by Arnold Bogis on November 28, 2011

If you arrived at this post looking for shopping deals, you have come to the wrong website.  However, if you are interested in post-Thanksgiving, haze induced, cyber-related leftovers you are definitely in the right place.

The issues surrounding cyber run deep and wide (and sometimes silent). It can be difficult to tease out what is, is not, might be,  or is not even related to homeland security.

  • Professor Bellavita recently covered the technical aspects of a suspected cyber attack on critical infrastructure…that turned out not to be a cyber attack on critical infrastructure. This particular case brings up the issues of communication (who told whom what, when, and why), risk/vulnerability (what can be attacked, what is being attacked, what are the real, as opposed to imagined, consequences of such an attack), and attribution (“the butler in the library with the candlestick” issue).
  • Taking a step back to consider some of these issues at the crossroads of the technological and strategic are the people involved with the “Explorations in Cyber International Relations.”  A joint project between MIT and Harvard’s Kennedy School of Government, it aims to be “a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century.  It is designed as a theoretically rich, and technically informed initiative anchored in diverse tools and methods to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis.”
  • Three individuals involved with the project have written interesting cyber pieces informed by their professional backgrounds.  Joseph Nye, esteemed professor of international relations and originator of the term “soft power,” considers the strategic implications for world politics of increasing reliance and power of cyberspace.  Melissa Hathaway, former White House cyber adviser, tackles the issue of cybercrime.  Jack Goldsmith, legal scholar and former high-ranking Justice Department official, examines the difficulties arising from the overlap between private and public networks and the security related issues.
  • The Department of Defense foreshadowed some of the institutional thinking about cyber issues in a Foreign Affairs article from last fall by Deputy Secretary of Defense William Lynn III (he considered progress a year later here). The Department followed up with a “Strategy for Operating in Cyberspace” this past summer.  However, the Homeland Security Policy Institute’s Frank Cilluffo and Sharon Cardash were not too impressed.
  • Coming down from such lofty strategic heights to daily operational issues, organizations at all levels of government as well as those in the private sector are increasingly grappling with the difficulties involved in developing and implementing communication strategies and guidelines in the age of ever increasing social media usage. Emergency Management Magazine hosts a blog dedicated to “crisis and emergency communication strategies” authored by Gerald Baron.  In a recent post, he examines the question “Is Social Media more problem than solution in emergencies?” (HLSWatch’s Mark Chubb recently considered a similar question, and Jim Garrow covers a range of related topics on his blog). What does that particular question and Thanksgiving have in common?  The Dallas Cowboys. Long story short: sometimes it is better to trust the good judgement of your employees and the positive influence of cyberspace than attempt to control the flow of information.  Just as good of a lesson for “America’s Team” as it is for America’s federal, state, and local governmental institutions.

November 25, 2011

Never mind about that cyber attack….

Filed under: Cybersecurity,Intelligence and Info-Sharing — by Christopher Bellavita on November 25, 2011

Last Tuesday, Nick Catrantzos suggested here that reports of the Springfield, Illinois “cyberattack” might have more to do with “Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates,” than with an attack by foreigners.

He’s right, according to Friday’s Washington Post story by Ellen Nakashima:

A water-pump failure in Illinois that appeared to be the first foreign cyberattack on a public utility in the United States was in fact caused by a plant contractor traveling in Russia, according to a source familiar with a federal investigation of the incident….  The contractor, who had remote access to the computer system, was in Russia on personal business, the source added.

Score one point also for DHS officials who insisted on getting the facts correct before someone lobbies Congress for a 350 trillion dollar Water Attack Security Target Enforcement program:

… officials at the Department of Homeland Security, which oversees industrial control system cybersecurity, cautioned from the outset that the report contained “no credible, corroborated data.”

The water pump in question had been experiencing problems, turning on and off and eventually failing, water district board members said. The pump has malfunctioned several times in recent years, a DHS official said.

The “international authority on cybersecurity” who (apparently) first made public the information in the Illinois State Terrorism and Intelligence Center (STIC) report responded to the new details about the attack by attacking:

This [the conflict between the STIC and DHS reports] begs the question why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility….

There are numerous critical infrastructure table-top exercises that assume that notifications such as the STIC report are sufficient to initiate the cyber attack response process. If DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist. At issue is that we need to be quickly informed if an event has occurred so that others who have similar equipment or architectures can take steps to protect themselves in case the event spreads. However, this requires both timely notification and correct information. Right now, it seems that neither of these two conditions may exist in this case.

We now have to wait for DHS and the other government agencies to come to agreement and let us know what has happened. If the STIC report is correct, then we have wasted precious time and allowed many others in the infrastructure to remain potentially vulnerable while we wait to find out if we should do anything.

Perhaps that’s a restatement of the classic expectation of intelligence: “give us accurate, timely, and actionable information.”

Welcome to another dimension of the big data problem.

Or, as our buddy pr0f might say, “Take the f*%#!&g SCADA off the internet.”


November 22, 2011

Vandalism is stupid and silly, like “connecting interfaces to your SCADA machinery to the Internet.”

Filed under: Cybersecurity,Infrastructure Protection — by Christopher Bellavita on November 22, 2011

Water System Hack – The System Is Broken

Hackers ‘hit’ US water treatment systems

Homeland Security investigates possible terrorism in Springfield

Water system may be cyber attack victim

Has Stuxnet come to our critical infrastructure shores? Is it Duqu? Could it be something even worse?

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois.  At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” DHS spokesman Peter Boogaard explains.

“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is” responds someone named “pr0f” in a pastebin post that includes, according to pr0f, images of another water system that was hacked.

“I’m not going to expose the details of the box,” pr0f promises. “No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”

————————–

Nick Catrantzos, who has written for Homeland Security Watch in the past, is an adjunct professor of Homeland Security and Emergency Management.  More relevant to today’s post, Nick is the former security director for a regional water utility.  Here are his thoughts on the most recent cyber event.

Spotting the Incidental Cyber Saboteur

You need not be evil to be wrong, and the true Achilles’ Heel of recent news about cyber attacks to water infrastructure in the Chicago area (details at http://www.cnn.com/2011/11/18/us/cyber-attack-investigation/index.html?iref=allsearch) is not foreign hackers of SCADA, the supervisory control and data acquisition system that makes it possible to turn a valve by remote control. Hackers have been a known external threat since the personal computer became widespread. Thus, makers of computer- and network-dependent tools like SCADA systems have to offer some protections against hackers just to make their systems marketable.

Why is no one therefore consulting other than self-avowed cyber security experts who are now issuing dire warnings about offshore SCADA hackers who may or may not be Russians? (The may-not possibility arises when these experts point out that clever hackers have the ability to misrepresent the origin of their attacks.) The same hand-wringing experts – or their fellow travelers – belong to the camp that opens the door to this vulnerability in the first place. They are not evil, just wrong.

Remote Access as Double-Edged Sword

Consider: Even the technologically challenged security professional sees the vulnerability to enabling remote access to critical systems, like water infrastructure. How do purveyors of such systems see remote access when marketing to fellow cyber aficionados? It is a selling feature, of course. Why, with remote access, the technician fielding a panic troubleshooting call at midnight can diagnose and solve the problem in pajamas instead of in the field. And the field, when it comes to water infrastructure, often turns out to be at distant sites over bad roads, poor lighting, and unattractive traveling conditions. Solving the problem from home is a win-win for all concerned, since it saves downtime, isn’t it? Not if this debate includes security professionals charged with looking at the bigger picture of enterprise-wide vulnerabilities.

What makes it possible for these infrastructure attacks to abuse SCADA? Remote web access adopted in the name of expediency. What is the Achilles’ Heel? Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates.

Discovering What Some Won’t Admit

How to zero in on the problem? The way not to do it is to rely exclusively on pronouncements of SCADA vendors and their like-minded counterparts in the organization who bought into web-based remote access in the first place. There is a good chance at least some of these people overlooked sharing details of remote access vulnerabilities in discussing the system before upper management and traditional security practitioners.

No, the short path to excellence in uncovering self-introduced remote access exposures is to check logs of trouble calls against field records of physical access to work sites. The more serious cyber professionals know to avoid web-based SCADA access from any home and, instead, limit access to SCADA terminals that reside behind the secured perimeter of the institution’s work facilities. Maybe a SCADA technician fielding a trouble call won’t have to drive three hours to diagnose the problem at a remote field site, but he may still have to drive 20 minutes to get to a locked and alarmed office that houses a protected SCADA terminal. At least this is the ideal and advertised state of affairs. But even 20 minutes may, in time, seem too much of an imposition, so the SCADA tech quietly arranges to beta test remote access from — you guessed it — the convenience of his or her own residence. Unofficially, without a lot of fanfare. So much so, that even the boss may not realize this is happening, hence the futility of relying on the cyber function to verify its own status regarding this vulnerability. There is another way to check.

Uncovering the Rest of the Story

If expediency has come to trump security, an examination of audit trails will soon show that technician troubleshooting calls at midnight aren’t matching up to midnight access to facilities housing SCADA terminals. Maybe operators in the field are too immersed in the problem to ask or even care how a SCADA tech is responding to a trouble call. They just want help. Maybe the tech is shrewd enough to avoid volunteering details, reasoning that speed of problem resolution is more important than revealing that this is being done from home via means subject to compromise and exposure to hackers.

However, audit trails won’t lie. Whether it is via manual logs, automated access records, video surveillance archives, or a guard’s register used for having all employees sign in after normal business hours, the discrepancy will surface under scrutiny. The on-call tech who was supposed to go to an employer site to troubleshoot the problem on a protected SCADA terminal will have shown no record of having entered any employer business site at midnight. So how did he or she handle the problem? Remotely. From home. In pajamas. Expediently. And, in the process, exposing the system to exploitable vulnerability.
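As an added illustration (not part of Catrantzos’s essay or of the original post), the following Python script carries out the cross-check described above: each trouble call is matched against physical access records for the responding technician, and a call with no badge, guard-register or video entry in the relevant window is flagged as likely handled over unofficial remote access. Every ticket number, user name, site name and timestamp in it is constructed, and the field layout is an assumption about how such logs might be exported.

```python
"""Cross-check SCADA trouble calls against physical site-access records.

Added example, not code from Homeland Security Watch or from Nick Catrantzos.
A trouble call is "verified" when the responding technician has a physical
entry record at a site housing a protected SCADA terminal between shortly
before the ticket was opened and the time it was resolved. Anything else is
flagged for follow-up: it may have been handled from home over remote access
that nobody officially approved. All records below are constructed.
"""
from datetime import datetime, time, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed trouble-call log (assumed export format: ticket, tech, open/resolve times).
TROUBLE_CALLS = [
    {"ticket": "T-1001", "tech": "jsmith", "opened": "2011-11-08 23:55", "resolved": "2011-11-09 00:40"},
    {"ticket": "T-1002", "tech": "jsmith", "opened": "2011-11-12 00:10", "resolved": "2011-11-12 01:05"},
    {"ticket": "T-1003", "tech": "alee",   "opened": "2011-11-12 14:00", "resolved": "2011-11-12 14:30"},
    {"ticket": "T-1004", "tech": "alee",   "opened": "2011-11-13 02:15", "resolved": "2011-11-13 02:50"},
]

# Constructed physical access records merged from several sources (badge reader,
# guard register). Only sites that house a protected SCADA terminal are listed.
ACCESS_RECORDS = [
    {"person": "jsmith", "site": "HQ control room",  "entered": "2011-11-09 00:20", "source": "badge"},
    {"person": "alee",   "site": "HQ control room",  "entered": "2011-11-12 13:50", "source": "badge"},
    {"person": "alee",   "site": "Plant 3 terminal", "entered": "2011-11-13 02:30", "source": "guard register"},
]

# Assumed business window; calls opened outside it are the "midnight" cases the essay describes.
BUSINESS_HOURS = (time(7, 0), time(18, 0))


def _parse(ts):
    return datetime.strptime(ts, FMT)


def is_after_hours(ts, hours=BUSINESS_HOURS):
    """True if the timestamp falls outside the business window."""
    t = _parse(ts).time()
    return not (hours[0] <= t < hours[1])


def find_unverified_calls(calls, records, grace_minutes=30):
    """Return ticket ids with no matching physical entry by the responding tech.

    A call is verified if the same person entered a listed site at any point
    from (opened - grace) up to the resolution time; the grace period allows
    for a tech who drove in shortly before the ticket was formally opened.
    """
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for call in calls:
        opened, resolved = _parse(call["opened"]), _parse(call["resolved"])
        window_start = opened - grace
        matched = any(
            rec["person"] == call["tech"] and window_start <= _parse(rec["entered"]) <= resolved
            for rec in records
        )
        if not matched:
            flagged.append(call["ticket"])
    return flagged


def report(calls, records):
    """One line per ticket, marking after-hours calls and whether a site entry was found."""
    flagged = set(find_unverified_calls(calls, records))
    lines = []
    for call in calls:
        status = "NO SITE ENTRY - check for unofficial remote access" if call["ticket"] in flagged else "site entry found"
        when = "after-hours" if is_after_hours(call["opened"]) else "business hours"
        lines.append(f"{call['ticket']} {call['tech']:<8} {call['opened']} ({when}): {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TROUBLE_CALLS, ACCESS_RECORDS)))
```

On the constructed data only T-1002 is flagged: the technician resolved a midnight ticket with no record of entering any site that houses a SCADA terminal. The grace period matters; with it set to zero, T-1003 is also flagged because the badge swipe came ten minutes before the ticket was opened, which is why the window should be tuned to how tickets are actually logged before the check is used for anything beyond a conversation with the tech.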

Caution on Experts Offering Homilies about Cyber Attack

The so-called expert who was quick to criticize government officials on this latest cyber attack claimed he was doing so out of concern that the Department of Homeland Security was deficient in sharing information with other water agencies that could be targeted. If he were truly as conversant with water security as he claimed, he would know that it is not DHS but EPA that exercises the role of lead federal agency for protection of the water infrastructure. He would also know that EPA supports Water ISAC, the Information Sharing and Analysis Center for the water sector, and that the Association of Metropolitan Water Agencies manages that function, which takes the lead in sharing this kind of threat information within the water community, while DHS and local fusion centers do their share of distributing such information as well.

Showing no sign of recognizing these particulars, how could this self-styled expert really know what information on this SCADA threat is or is not circulating within the affected community of interest? A skeptic might conclude that such considerations take a back seat, however, when dire warnings can generate free publicity.

IT vs. Ops

Some overzealous IT departments in utilities that use SCADA see SCADA as a means of supplying bandwidth on which to commingle business applications as well, thereby increasing likely needs for remote access by more employees and raising susceptibility to compromise at the same time.

If employees in Operations at water utilities don’t overly concern themselves with security deficiencies in SCADA, it tends to be because they have their hands full avoiding one or two catastrophes a year when SCADA techs unthinkingly shut down the system for maintenance or cause some other disruption without telling Ops in advance. The techs forget that flow changes can result in catastrophic treatment or distribution problems that affect water quality. This often occurs after business hours or on weekends, when the techs operate on the assumption that it is the best time to tinker without users noticing or balking — true enough for the average business network, but not for 24/7 attention to water treatment and distribution.

One sign that too many debacles have been surfacing serially is when Ops wrests the SCADA function away from IT. This does wonders for reducing those kinds of snafu.


August 19, 2011

Urbanization and professionalization suppress resilience (!?)

A  firefighter, a  cop, and an emergency manager walk into a bar.  This is not a joke.  I was with the three of them.

One had red wine, another had a beer, the third ordered scotch.   I was drinking Dry Sack on the rocks with a twist.

Can you guess which one had which drink?  Can you guess which offered what to the conversation:

“The problem is everyone is in denial about the worst risks.”

“New Orleans after Katrina was simple compared to Sendai after the tsunami.  How about Memphis after New Madrid or LA after the big one?” You can know the real pros by whether or not they pronounce it Maaadrid, as in really crazy.

“How about DC, Pittsburgh, and Birmingham after New Madrid?  How about pipelines, rail bridges, interstates, and the Eastern Interconnect after New Madrid?”  Hows about every little town downstream from a dam?

“How about the whole economy for the next ten years after Long Beach is taken out? I don’t care if it’s tsunami, pandemic, or an IND.”

“How about the whole economy if some cyber-anarchists decide to really screw with credit cards and ATMs?”

“As long as they vaporize my mortgage too.”

The bar talk was not as grim as this suggests.  Extended conversations with this crew are like a public reading of Dante’s Inferno (no Paradiso) with a running commentary by the comedian Lewis Black.  You roar with laughter over a comment that ought not be documented here.   A slightly sick sense of humor is essential to survival in these professions.

“We’re the real problem,” one guy said wrapping his arms around the shoulders of those on either side. “We’re too good. Why worry when the A team’s got your back?”

“Just call 911 and the cavalry always comes.”

“Even under fire… hell, with radioactive brimstone falling from the sky.”

“Thing is, we’re really good at the everyday stuff and lots of the tough stuff.”

“Did you hear about the 911 call because the citizen thought her remote had been stolen.  Cops found it in a drawer.  They responded!”

“That’s the problem, we are so #$!@ responsive we’ve trained the citizens to depend on us.  When the big #$!@ happens they just wait around.”

“Not everyone.”

“Practically EVERYONE!”

“There’s two big pile-ups:  real increasing dependence. Who grows their own food anymore?  Who even eats at home? And where does our food come from? Not anywhere close.  Second pile-up: The #$!@ complicated system works really, really well until it doesn’t work at all.  So there’s no obvious reason to pay much attention, until it’s too late.”

“So… what we’re really good at is hiding the problems?”

“Sure.  There’s a fire.  You put it out.  You get ‘em temporary housing or they go to the in-laws.  I keep gawkers away.  Everything’s fine. No worries. But in Joplin or Tuscaloosa? Even those huge twisters were tiny compared to what we’ll get when the wrong fault shifts under 5 million or a wildfire overwhelms San Diego.  Hows about a CAT 5 and flood surge pounding Miami-Dade?”

“When they call 911 no one will answer, they won’t even get a #$!@ dial-tone!”

“It doesn’t take such a big hit.  Maybe catastrophe comes on little cat feet?  You read Ted Lewis’ new book?  The complex systems we depend on are so intricate, just one little complication and the consequences cascade.”

“Sort of like the 2003 blackout caused by tree branches in Ohio?”

“But the cause wasn’t tree branches, it’s the way WE build and manage systems. Tree branches are a preexisting condition.  Our choices create the vulnerabilities.”

“You know when I was a little kid,” (the guy to his right mimicked the Staten Island accent) “we had a farm right down the road.  It’s a landfill now.  The big farms in Jersey, they’re all McMansions.  Mom and pop get their broccoli and peas from California just like all of us.”

“You know what though? The beer’s a lot better than back then.  Hey waitress, another round here.”

June 24, 2011

Three arrests and shadows of myself, et tu?

Filed under: Cybersecurity,Radicalization,Terrorist Threats & Attacks — by Philip J. Palin on June 24, 2011

SUNDAY UPDATE: According to the BBC – and to the group’s Twitterfeed — LulzSec has disbanded.  The BBC indicates no reason for disbanding has been offered.  To the contrary, I found the LulzSec explanation reasonably clear… and not inconsistent with considerations set out below.

Original post from early Friday morning:

This week three very different men were arrested in three very different places suspected of three very different crimes.

Is it just me or do the three share something important?

Tuesday the Pakistani military confirmed the detention of Brigadier Ali Khan (top left).  The soon-to-retire head of regulations at Army General Headquarters is suspected of using his military connections to support Hizb ut-Tahrir, a pan-Islamist political and religious movement.

Also on Tuesday — half a world away — the head of La Familia cartel was captured.  According to Excelsior, Jose de Jesus Mendez Vargas (middle), age 37, “was arrested in Aguascalientes by elements of the Federal Police, without fighting or deaths reported from the action and was later transferred to the facilities of the SIEDO in Mexico City.” (SIEDO or Subprocuraduría de Investigación Especializada en Delincuencia Organizada or Assistant Attorney General’s Office for Special Investigations.)  Additional coverage is available in English from the Houston Chronicle.

According to The Guardian, “A British teenager has been charged with five offences of computer hacking. Ryan Cleary, 19 (right at age 13), was charged with offences, including a cyber attack on Monday on Britain’s Serious Organised Crime Agency (Soca). Cleary was arrested on Monday evening at his family’s home in Wickford, Essex. His arrest was linked to a series of cyber attacks by a group called LulzSec, which investigators believe had targeted websites including ones belonging to the US government and the electronics giant Sony.”

–+–

We can be more confident of the criminal complicity of Jose de Jesus Mendez Vargas, aka El Chango or The Monkey, than of the other two. La Familia has been one of the principal Mexican drug cartels since at least 2006.  But it was founded in the 1980s as a quasi-religious organization seeking to protect and purify Michoacán, an impoverished region — and Mexican state — west of Mexico City.  El Chango was one of a handful of founders.  In the broadest terms the La Familia narrative has a striking resemblance to the origins of the Afghan Taliban: religiously inspired reform resulted in power and was followed by the abuse of power. By the 1990s the group was allied with the Gulf Cartel; in recent years it has established an independent power base.  Even in the murderous context of the Mexican cartels La Familia is known as especially violent.  Jesus Mendez Vargas has defended the use of violence as a form of “divine justice.”

Brigadier Khan has not yet been charged, much less convicted.  According to the Daily Times (Pakistan), “There are contradictory reports that the detained brigadier had been targeted due to his concerted campaign to promote self-reliance and do away with the need for US assistance. The last straw is said to be his outspoken criticism of the US raid in Abbottabad after which he was arrested.”

There is plenty of smoke suggesting burning embers of religious radicalism in the Pakistani military. The group Brigadier Khan is accused of assisting is banned in Pakistan and other majority Muslim nations, but is not on the US State Department’s list of terrorist organizations.  According to the group’s English language website, “Hizb ut-Tahrir is a political party whose ideology is Islam. Its objective is to resume the Islamic way of life by establishing an Islamic State that executes the systems of Islam and carries its call to the world.”

Hizb ut-Tahrir opposes US-Pakistan cooperation. While the Brigadier’s attitudes and actions are currently beyond knowing, the leadership of Hizb ut-Tahrir is clear in its criticism of the United States and the current Pakistani political and military elite:

Even though Pakistan is a strong Muslim country, with an army bigger than America’s, and braver due to the Muslims’ love of Shahadah, you have cheated the people of their right to security by siding with the enemy. Due to your alliance with the open enemies of the Muslims, America’s presence in the region has led to unprecedented insecurity, with America’s private military organizations and intelligence orchestrating a campaign of assassinations and bombings, as they did in Iraq. You added to the harm upon the Muslims, by sending the Muslim soldiers to the tribal areas to fight on behalf of America, just like Musharraf before you. Until now 30,452 people have been killed and injured since 9/11 in America’s war of fitna. Some 2,273 Pakistani soldiers including 78 officers, two Major Generals and five brigadiers besides others, have lost their lives while 6,512 sustained injuries, even though the Western crusaders have only sacrificed 1,582 of their own troops! You are cheating the Muslims of their strength when America is at its weakest, with its allies abandoning it and its economy crippled and collapsing, when there is ample opportunity to allow America’s crusade to collapse rather than supporting it with the blood of Muslims.

To in any way compare LulzSec to La Familia and Hizb ut-Tahrir is, perhaps, to invite an apocalyptic hacker attack on HLSWatch. So… if we disappear, thanks for the memories.

The teenager arrested on Tuesday has been charged on five counts, mostly involving denial-of-service attacks.  His involvement with the LulzSec collaborative of hackers has not been specified.  But some link was confirmed by LulzSec via its Twitterfeed, “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us.”

LulzSec has claimed responsibility for a series of successful attacks on the CIA, Sony, PBS, and others around the world. Wednesday they brought down the President of Brazil’s website. Earlier today LulzSec hacked the Arizona Department of Public Safety data repository and released a broad array of information. They describe themselves as, “a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials.”  The attack on Sony’s PlayStation network left that system offline for a month.  Not much laughing by the company or its roughly 77 million customers or its depressed shareholders.

The Arizona attack has been explained as a protest against state laws perceived as unjust toward immigrants. The hackers’ motivations are not always clear. On June 17 LulzSec outlined its purposes in a post at Pastebin.  Self-entertainment is big; so is exposing the vulnerability we all share online.  They want to protect us… and “spread fun, fun, fun.”

–+–

I want to be a hero. I want to protect the vulnerable and punish the unjust.

Is this what motivated Ali Khan to follow his father into the military? The Non-Com’s son committed his life to the Army and advanced to brigadier.  Ali’s wife, Anjum, claims, “He loves the Pakistani army more than his life, and he can’t even think of betraying the institution.” His sons are junior officers, proud parts of — until recently? — the only reasonably functioning element of Pakistani society. Who is to blame for the dysfunction of Pakistan, including attacks on the military itself? What and who is the source of this shame? What enemy can the brave Brigadier bring to justice?

Jose de Jesus Mendez Vargas, seeing family and friends disappear into the prison of poverty and madness of drug addiction, was motivated by love of neighbor. According to a Drug Enforcement Administration backgrounder La Familia, “has a strong religious background. It purportedly originated to protect locals from the violence of drug cartels. Now, La Familia Michoacana uses drug proceeds to fuel their agenda that encompasses a Robin Hood-type mentality – steal from the rich and give to the poor. They believe they are doing God’s work, and pass out bibles and money to the poor. La Familia Michoacana also gives money to schools and local officials.” He only decapitated predators (and threw their heads onto dance floors).

According to the Daily Mail the young Mr. Cleary is a deeply troubled man seldom leaving his bedroom, fearful, and suicidal. Yet when asked what he did all day online, he reportedly replied, “God’s work.”

In November 2009 the Times of London published an in-depth profile of Goldman Sachs. It included an interview with the unlikely-to-be-arrested CEO of the firm, Lloyd Blankfein. Even while skid-marks from the crash of capitalism were still smoking, Mr. Blankfein was confident of his purpose.

Is it possible to make too much money? “Is it possible to have too much ambition? Is it possible to be too successful?” Blankfein shoots back. “I don’t want people in this firm to think that they have accomplished as much for themselves as they can and go on vacation. As the guardian of the interests of the shareholders and, by the way, for the purposes of society, I’d like them to continue to do what they are doing. I don’t want to put a cap on their ambition. It’s hard for me to argue for a cap on their compensation.” So, it’s business as usual, then, regardless of whether it makes most people howl at the moon with rage? Goldman Sachs, this pillar of the free market, breeder of super-citizens, object of envy and awe will go on raking it in, getting richer than God? An impish grin spreads across Blankfein’s face. Call him a fat cat who mocks the public. Call him wicked. Call him what you will. He is, he says, just a banker “doing God’s work.”

–+–

I should probably leave it there. The case is sufficiently made for anyone who has read this far and cares to consider it.  But I will be tediously explicit: my ability to mistake my own desires for God’s intention is significant.  I am not alone.

So, some will say, we have further proof for the dangers of divine delusion.  Especially as a believer I agree that danger and delusion are involved.

The issue is how to engage the threat.  I don’t perceive secular empiricism as a promising near-term therapeutic regime. Too many of those most in need of the therapy are evidently immune to its ministrations.  Might we extract a vaccine from the virus itself?

In his 1927 book, “Does Civilization Need Religion”, Reinhold Niebuhr wrote:

Religion intensifies selfishness when it adds sanctity to a respectable selfish life and creates a self-respect which is impervious to emotions of contrition. If the religious ideal is to gain any potency in modern life it must be able to convict men of sin and inspire them to a conversion. But the sins of which they need most to be convicted are those which are covert in the social and economic relations which custom has hallowed; and the conversion of life which is most needed is that which will express itself in terms of the economic and political relationships in which men live…

Religion is therefore under the necessity of developing the critical faculty even while it maintains its naivete and reverence. The necessity of cooperation between the naturally incompatible factors of reason and imagination, of intelligence and moral dynamic, is really the crux of the religious and moral problem in modern civilization. The complexity of modern life demands that moral purpose be astutely guided; but moral purpose itself is rooted in ultra-rational sanctions and may be destroyed by the same intelligence which is needed to direct it. Both humility and love, the highest religious virtues, are ultra-rational; yet they cannot be achieved in an intricate social life without a discriminating intelligence which knows how to uncover covert sins and to discover potential virtues. The incidental limitations which every historic type of religion reveals can be dealt with only if the religious devotee can be persuaded to regard the values of his religion critically…

Religiously-inspired terrorism — or mayhem or pride — is usually the signal of an immature and ill-considered religiosity.  The most effective solution may be in cultivating a more discriminating and self-critical engagement with the religious domain.

In other words, love others and approach God with deep humility.

June 7, 2011

“America’s Cyber Future: Security And Prosperity In The Information Age”

Filed under: Cybersecurity — by Christopher Bellavita on June 7, 2011

A colleague told me about a May 31, 2011 two volume policy report from the Center for A New American Security called “America’s Cyber Future: Security And Prosperity In The Information Age.”  The report is available at this link.

From the web page:

America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.

Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Here is the table of contents:

Volume I

America’s Cyber Future: Security and Prosperity in the Information Age

By Kristin Lord and Travis Sharp

Volume II

Note: Chapters are bookmarked within the Table of Contents.

  • Chapter I: Power and National Security in Cyberspace
    By Joseph S. Nye, Jr.
  • Chapter II: Cyber Insecurities: The 21st Century Threatscape
    By Mike McConnell
  • Chapter III: Separating Threat from the Hype: What Washington Needs to Know about Cyber Security
    By Gary McGraw and Nathaniel Fick
  • Chapter IV: Cyberwar and Cyber Warfare
    By Thomas G. Mahnken
  • Chapter V: Non-State Actors and Cyber Conflict
    By Gregory J. Rattray and Jason Healey
  • Chapter VI: Cultivating International Cyber Norms
    By Martha Finnemore
  • Chapter VII: Cyber Security Governance: Existing Structures, International Approaches and the Private Sector
    By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad
  • Chapter VIII: Why Privacy and Cyber Security Clash
    By James A. Lewis
  • Chapter IX: Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security
    By Richard Fontaine and Will Rogers
  • Chapter X: The Unprecedented Economic Risks of Network Insecurity
    By Christopher M. Schroeder
  • Chapter XI: How Government Can Access Innovative Technology
    By Daniel E. Geer, Jr.
  • Chapter XII: The Role of Architecture in Internet Defense
    By Robert E. Kahn
  • Chapter XIII: Scenarios for the Future of Cyber Security
    By Peter Schwartz


April 5, 2011

Is there such a thing as cyber terrorism?

Filed under: Cybersecurity — by Christopher Bellavita on April 5, 2011

This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.

But first, the set up….

———————————————–

Is there such a thing as cyber terrorism?

I understand there’s something called cyber warfare. And cyber crime. And cyber security. But what about cyber terrorism?

And if there is something called cyber terrorism, has the US been attacked by cyber terrorists? Or maybe that question should be: have terrorists attacked the US with cyber weapons? And if not, could they? Will they?

Experts cannot agree whether cyber terrorism is real or even if it is a useful concept.

I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.

I have another friend who teaches a course on homeland security threats. He says nations attack nations with cyber weapons. Non-state actors don’t use cyber weapons. So in the homeland security threat spectrum, he says, cyber is more about sound than significance.

———————————————–

Former DHS Secretary Chertoff sort of disagrees.

He devotes Chapter 8 to cybersecurity in his book “Homeland Security: Assessing the First Five Years.” He underscored that concern in his March 2 appearance with the other two DHS secretaries:

“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”

Secretary Napolitano agreed with Chertoff:

… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you’re talking about something, they’re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who’s 20 years old and who’s grown up with the computer just as part of life.

———————————————–

The US has a cyber incident annex to the National Response Plan. I think that was updated in September of 2010 with an Interim Version of the National Cyber Incident Response Plan.  I believe that is meant to serve as part of the National Response Framework. But I’m not sure. Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.

———————————————–

The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see here or here for probably more than you want to know about LizaMoon].

As I understand it, LizaMoon is a small piece of computer code that places itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected. Liza then offers to clean the computer and the trouble expands.

I don’t know if this is a big deal or not. Some reports say over a million websites were infected. Is that a lot? Other reports (like this one) say it’s not that big of a deal.
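The LizaMoon description above, as an added example that is not from this post or from any vendor: a content-integrity check a site operator can run over their own stored pages to flag `<script>` references that point at hosts outside an allowlist, which is the kind of planted reference that shows a fake "your computer is infected" page to visitors. It assumes (the post does not say) that the planted code takes the form of a script reference to a foreign host; the sample HTML and the `evil.invalid` host are constructed placeholders, not real indicators.

```python
"""Added example (not from the post or any vendor): flag <script src=...>
references on a site's own pages whose host is not on the operator's allowlist.
Assumption (not stated on the page): planted code arrives as a script tag
pointing at a foreign host. Sample HTML and hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def find_foreign_scripts(html, allowed_hosts):
    """Return the script URLs whose host is not in (or under) allowed_hosts.

    Relative URLs (no host) are same-origin and are not flagged; a host is
    allowed if it equals an allowlisted host or is a subdomain of one.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    foreign = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # handles "//host/x.js" as well
        if host is None:
            continue
        host = host.lower()
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        foreign.append(src)
    return foreign


def scan_pages(pages, allowed_hosts):
    """Map page name -> list of foreign script URLs, only for pages that have any."""
    report = {}
    for name, html in pages.items():
        hits = find_foreign_scripts(html, allowed_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed sample: two legitimate references plus one planted foreign one.
# ".invalid" is a reserved TLD, so this can never resolve to a real host.
SAMPLE_HTML = """<html><head>
<title>Constructed sample page</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<p>Welcome.</p>
<script src="http://evil.invalid/injected.js"></script>
</body></html>"""

CLEAN_HTML = '<html><body><script src="//static.example.org/a.js"></script></body></html>'

ALLOWED = ["example.org"]

if __name__ == "__main__":
    for page, hits in scan_pages({"index": SAMPLE_HTML, "about": CLEAN_HTML}, ALLOWED).items():
        print(page, "->", hits)
```

Running the block prints only the page with the planted reference (`index -> ['http://evil.invalid/injected.js']`); a subdomain of an allowlisted host, as on the `about` page, is not reported.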

———————————————–

Also this weekend, I learned that a firm called Epsilon had (according to its press release):

“…an incident … where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”

Translated into numbers, “a subset of Epsilon clients” could be several million people.

Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”

———————————————–

These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day.  Maybe I’m overly sensitive to these kinds of incidents since some of my web presence was hacked in December.  It wasn’t terrorism.   But it was disturbing.

Are cyber “attacks” something an inquiring homeland security mind should be concerned about?  I use that word in quotes because I know there are thousands of cyber incursions every day.  How should one even start to think about this cyber stuff?

———————————————–

I went to three government sites that, I thought, would help me frame and understand these incidents: IT-ISAC: The Information Technology Information Sharing and Analysis Center, MS-ISAC: The Multi-State Information Sharing and Analysis Center, and US-CERT: the United States Computer Emergency Readiness Team.

I thought they might have some information about what I figured might be fairly significant incidents. But if they did, I missed it.

I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.

But I do have to say the MS-ISAC has a really impressive looking Cyber Operations Center Dashboard.  Looking at it made me feel like Mr. Jones in Bob Dylan’s “Ballad of a Thin Man”:

… something is happening here

But you don’t know what it is

Do you, Mister Jones?

———————————————–

Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.

The IT-ISAC says:

the mission of the IT-ISAC is to:

• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,

• Establish a mechanism for systematic and protected exchange and coordination of such information [my emphasis] and trusted collaboration; and

• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.

The MS-ISAC says:

The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.

Major Objectives of the MS-ISAC

• provide two-way sharing of information and early warnings on cyber security threats

• provide a process for gathering and disseminating information on cyber security incidents [my emphasis]

• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors

• coordinate training and awareness

• ensure that all necessary parties are vested partners in this effort

The US-CERT says:

US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.

US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. [my emphasis]

———————————————–

If it isn’t at least part of their job to provide situation awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it? Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.

I guess I’m ok with that as an interim fix.

But is that the plan?

———————————————–

Ok, that’s the set up. Now the movie.

Perhaps you’ve heard of Stuxnet. If not, you can read about it here.  The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”

So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.

However after watching this video (also available here) — particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction — I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.


January 27, 2011

Cyber Musings from an Author and a Wonk

Filed under: Cybersecurity — by Arnold Bogis on January 27, 2011

The New York Times had a cyber two-fer on their op-ed page today.

First up, celebrated cyberpunk author William Gibson (credited with coining the phrase “cyberspace” in the early 1980s), who provides historical context for the Stuxnet virus:

In January 1986, Basit and Amjad Alvi, sibling programmers living near the main train station in Lahore, Pakistan, wrote a piece of code to safeguard the latest version of their heart-monitoring software from piracy. They called it Brain, and it was basically a wheel-clamp for PCs. Computers that ran their program, plus this new bit of code, would stop working after a year, though they cheerfully provided three telephone numbers, against the day. If you were a legitimate user, and could prove it, they’d unlock you.

But in the way of all emergent technologies, something entirely unintended happened. The Alvis’ wheel-clamp was soon copied by a certain stripe of computer hobbyist, who began to distribute it, concealed within various digital documents that people might be expected to want to open. Because almost all these booby-trapped files went out on floppy disks, the virus spread at a pre-Internet snail’s pace.

Should the lights go out in our online bus shelters one day, or some critical control system go spectacularly awry, it may in a sense, however distantly, be because Israel found a way to shut down Iran’s centrifuges. But in another way it will be the result of a bright idea two brothers once had, in the vicinity of Lahore Railway Station, to innocently clamp a digital pirate’s wheel.

Considered something of a cyber-visionary, Gibson points out he foresaw computer viruses becoming strategic weapons deployed by nation states but admits to missing the possibility that they would, for the most part, be the tool of amateur vandals.

The second piece is from Richard Falkenrath, former Bush White House homeland security official and NYPD Counterterrorism Commissioner. He covers a lot of familiar ground, questions of sovereignty and collateral damage, but brings up an interesting new (at least to me) issue:

Under American law the transmission of malicious code is in many cases a criminal offense. This makes sense, given the economy’s reliance on information networks, the sensitivity of stored electronic data and the ever-present risk of attack from viruses, worms and other varieties of malware.

But the president, as commander in chief, does have some authority to conduct offensive information warfare against foreign adversaries. However, as with many presidential powers to wage war and conduct espionage, the extent of his authority has never been enumerated.

This legal ambiguity is problematic because such warfare is far less controllable than traditional military and intelligence operations, and it raises much more complex issues of private property, personal privacy and commercial integrity.

Therefore, before our courts are forced to consider the issue and potentially limit executive powers, as they did after President Harry Truman tried to seize steel plants in the early 1950s, Congress should grant the White House broad authority to wage offensive information warfare.

Both pieces are worth reading in full.

January 20, 2011

Lessons from Estonia’s Cyber Army

Filed under: Cybersecurity,Preparedness and Response — by Arnold Bogis on January 20, 2011

Dr. Who fans, don’t get excited.  Estonia is not creating an army of Cybermen.

Instead, as reported by NPR,  it has created an all volunteer force of programmers and computer scientists that would be mobilized to defend the country during a cyberwar.

The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.

“[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies,” Defense Minister Jaak Aaviksoo says. The force carries out regular weekend exercises, Aaviksoo says, “to prepare for possible cyber contingencies.”

For a nation as dependent on the internet for everyday life as Estonia, the fear of cyber attack is strong; the risk was made vivid by the 2007 assault on many of the country’s networks.  So strong, in fact, that there is serious consideration being given to instituting a cyber draft:

The sense of cyber vulnerability in Estonia has been a key rallying point for the Cyber Defense League. No democratic country in the world has a comparable force, with computer specialists ready and willing to put themselves under a single paramilitary command to defend the country’s cyber infrastructure.

Aaviksoo says it’s so important for Estonia to have a skilled cyber army that the authorities there may even institute a draft to make sure every cyber expert in the country is available in a true national emergency.

There seem to be some obvious lessons for U.S. cyber efforts, but cultural differences may present too large of a firewall…

In the United States, most top cybersecurity experts work in the private sector and are not available for government duty, even in times of an emergency. Stewart Baker, who tried to coordinate cyberdefense efforts at the Department of Homeland Security under President George W. Bush, says a Cyber Defense League like Estonia has would have been helpful.

But Baker, a former general counsel at the National Security Agency, says it’s been hard in the United States to promote public-private collaboration in cybersecurity.

“The people who work in IT in the U.S. tend to be quite suspicious of government,” Baker says. “Maybe they think that they’re so much smarter than governments that they’ll be able to handle an attack on their own. But there’s a standoffishness that makes it much harder to have that kind of easy confidence that you can call on people in an emergency and that they’ll respond.”

Potential lessons learned for U.S. homeland security are not limited to the cyber arena.

The unit is but one division of Estonia’s Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country’s security and preserving its independence.

Aaviksoo says Estonian civilians are willing to be mobilized to defend their country because of their experience of invasion and occupation: by the Soviet Army in 1939, followed by the Germans in 1941 and then again by the Soviet Union, which occupied Estonia until it broke free in 1991.

“Insurgent activity against an occupying force sits deep in the Estonian understanding of fighting back,” Aaviksoo says, “and I think that builds the foundation for understanding total defense in the case of Estonia.”

While a paramilitary force is not required in the U.S. to preserve our independence, the Estonian Total Defense League could be a model for increasing citizen resilience, in particular active participation in prevention, mitigation, preparedness, response, and recovery activities.  A Total Resilience League?

CERT is a good, if underfunded and underdeveloped, start in this direction. The next step should be a concentrated effort to engage those outside of traditional homeland security communities with relevant expertise or experience to participate in resilience-building activities.  For example, veterinarians as well as anyone else with a modicum of medical training should be accepted as providers/responders during any catastrophe that overwhelms traditional response organizations (thus helping to create community medical resiliency).  Unfortunately, I fear that ingrained attitudes found within those organizations, concerning behavior of the public in general and volunteers in particular during events of all sizes, will be a major impediment.  But we can always hope.

December 19, 2010

“Cyberspace is fundamentally a civilian space” says Janet Napolitano

Filed under: Cybersecurity — by Philip J. Palin on December 19, 2010

Friday Secretary Napolitano delivered a speech on cybersecurity to a forum sponsored by The Atlantic and Government Executive.  About mid-way through the remarks there was something that sounded new to me:

Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it’s the market or the war. Those are the two analogies that you hear.

Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe. So let me just say that again. In my judgment, both the market and the battlefield analogies are the wrong ones for us to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe.

So we’re proud to be a part of that global effort. We believe in the importance of an open Internet, but we cannot have an Internet that is open, but not secure, nor an Internet that is secure but not open. And I think just by saying that, that lays down the challenge that we confront.

So… like a watershed, or a fishery, or deep sea oil deposits, or the radio spectrum, or other “common pool resources” there is a shared public-private responsibility.  If that’s the model, Elinor Ostrom would appreciate the emphasis on “fundamentally a civilian space.”

Dr. Ostrom’s research and that of her myriad disciples — including yours truly — suggests that when the emphasis starts and stays on user management then resilient systems are more likely to emerge.  Effective norms are developed by users — who know and depend on the resources most — and are adopted not just as rules but as fundamental expectations across the system.

When government is a facilitator, trusted source of information, and a last resort of enforcement against norm-breaking users, public-private partnerships usually thrive.  Government insisting on taking an aggressive lead is an early symptom of collapse in many a commons.

Perhaps I am reading too much between too few lines. The Secretary did not say much. Maybe she was just sending a turf-claiming signal to DOD. There was no footnote pointing us to Elinor Ostrom. Imposing a Nobel Laureate’s meaning on the Secretary’s remarks may be a stretch.  But I like the stretch.

Earlier in the speech the Secretary had a paragraph that did not sound new (at least to me), but when read in combination with what is excerpted above takes on new meaning (at least for me):

Finally, I want to stress that cybersecurity isn’t about control. It’s not about government control. It is about partnerships. But partnership needs to have some effectiveness. There needs to be meat on the bone when we say partnership. And there needs to be widespread distributed action toward that goal, so that we view this much more as creating, if I may, layered security involving partnerships, as opposed to top-down or government-down. So we are working more closely than ever to identify the private sector partners who we need, and work with them, and also across the federal family.

November 19, 2010

Vulnerability to various viruses and other poisonous ooze

Filed under: Aviation Security,Biosecurity,Cybersecurity,Radicalization — by Philip J. Palin on November 19, 2010

The re-introduction of cholera to Haiti — and to the US and Dominican Republic — is a huge step backward in a century-long effort to corner, contain, and eliminate the highly infective and deadly disease.  The precise cause of the outbreak is not yet known, but experts have said the simple absence of hand soap has considerably accelerated the spread of the bacterium that causes the disease.

This week for the first time in seven years a human case of Avian Influenza was confirmed in Hong Kong.  But already this year there have been 22 confirmed cases and nine deaths in Egypt and seven cases and two deaths in Vietnam.  Most epidemiologists continue to consider the world past due for a serious pandemic. The Avian H5N1 virus is thought to be the most likely source.

Last year’s Swine Flu or H1N1 pandemic should have been — and in some ways was — a fantastic real-world exercise for pandemic preparedness.  We were lucky the particular virus was fairly low-grade.  Our weaknesses were exposed, but the consequences were modest.  But from what I can see, the less-than-dire consequences of H1N1 may have suppressed personal and institutional preparedness for H5N1 or other potential strains of pandemic influenza.

Wednesday a series of cyber specialists told the Senate Homeland Security and Governmental Affairs Committee that the Stuxnet Worm has viral capabilities. “What makes Stuxnet unique is that it uses a variety of previously seen individual cyber attack techniques, tactics, and procedures, automates them, and hides its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring,” according to Sean P. McGurk, acting director of the DHS National Cybersecurity and Communications Integration Center.

But while Stuxnet is viciously sophisticated once it infects a system, prevention measures are classic.  According to PC Magazine these include, “Deploy an anti-malware solution; watch out for vendor security notifications and alerts, and apply patches; ensure that users are updated via security education and awareness programs; and be aware of their assets.”  Attention and discipline are the most important preventive measures.

A Russian biologist, Dmitry Ivanovsky, discovered viruses in the late 19th century.  The word virus has a Latin origin that usually referred to a poisonous ooze.  

Virus is closely related to the Latin virulentus.  The English “virulent” also means poisonous, but today is probably more often used for anything that is extremely infective and rapidly spreading. Especially in this context, it has made sense to use the biological term for malicious computer code and now for anything digital that is rapidly consumed.

The John Tyner — “don’t touch my junk” — video and narrative has certainly gone viral.  I am disgusted by it.  The combination of a puerile wanna-be passenger and a couple of aggressively bureaucratic TSA agents has certainly produced a poisonous ooze of invective going every which way. 

Like soap in Haiti and disciplined attention with our computers, a reasonable dose of recognizing the humanity of one another might have avoided the entire drama. 

In regard to transportation security, there are meaningful issues of privacy and security that deserve serious consideration. In their Tuesday post Chris Bellavita and Dee Walker outlined several.  Most persuasive to me is that TSA is too often  preoccupied with going through the motions.  They need our help, as informed and active citizens, to focus on delivering real security value.

But John Tyner is no Rosa Parks.  Neither are the two slightly obnoxious TSA agents a latter day Sheriff Clark and Governor Wallace. John Tyner missing his plane is no Bloody Sunday.

What I perceive in most — not all — reactions to the John Tyner incident is an epidemic of self-righteous rage.  I saw similar symptoms yesterday on the streets of Baltimore.  I can’t always flip the channel quickly enough to miss it on television.  I hear it on radio talk shows and in the halls of Congress.  I don’t know the epidemic’s source, but the destruction caused is easy enough to see.

I can understand the rage of some Haitians – ten months after the earthquake, two weeks after being flooded out of their tents and shanties, and now told the water on which they depend is deadly — in some moments I share their rage. 

But how do we diagnose — or treat — the rage of  the well-fed and warmly housed?  There seems to be some virus attacking our sense of relationship with one another, of being Americans together, of our shared humanity.

In 1992 the rap metal band Rage Against the Machine wrote what seems to have become the angry anthem of those from the left, right, and plenty in the middle:

I’ve got no patience now
So sick of complacence now
I’ve got no patience now
So sick of complacence now
Sick of sick of sick of sick of you
Time has come to pay…
Know your enemy!

It is an epidemic: virulent, poisonous, and just as deadly as any other infection.

October 18, 2010

Shall We Play A Game?

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on October 18, 2010

In the 1983 movie WarGames, a teenager/hacker named David Lightman breaks into a military computer and challenges the WOPR  (War Operation Planning Response) supercomputer to a game of  Global Thermonuclear War.   The result? A nuclear war simulation that nearly starts World War III as WOPR convinces the military that Soviet nuclear missiles are inbound and that the USSR is staging an attack on the U.S.   In an attempt to get WOPR to stop playing the “game,” the computer is directed to play tic-tac-toe against itself.  The computer learns from this exercise the concept of futility as its tic-tac-toe games end in draws.  The computer then stops its game, noting to its human observers, “A strange game. The only winning move is not to play. How about a nice game of chess?”

Watching the movie this weekend on Netflix reminded me of our nation’s efforts to achieve cybersecurity.  Reports this past week made me wonder if, perhaps, those efforts are much like a game of tic-tac-toe or Global Thermonuclear War.  Last week, the Government Accountability Office issued a report that raised concerns about the Obama Administration’s implementation of recommendations included in the White House’s 2009 cybersecurity review. The GAO noted that of the 24 recommendations laid out by the review, only two have been fully implemented – the appointments of Howard Schmidt and a privacy/civil liberties official.

The GAO found that some progress had been made on 22 of the 24 recommendations but concluded that

[o]ur extensive research and experience at federal agencies have shown that, without clearly and explicitly assigned roles and responsibilities and documented plans, agencies increase the risk that implementing such actions will not fully succeed. Consequently, until roles and responsibilities are made clear, and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country’s cyber infrastructure at risk.

Defining roles and responsibilities is not an easy feat.  Since 1996, when President Clinton first took a comprehensive approach to critical infrastructure protection and cybersecurity by putting it on the government’s radar, there has been a struggle over who should be responsible for cybersecurity. That effort was repeated when President Bush issued a national strategy in 2003 and then, again, in 2008, created the Comprehensive National Cybersecurity Initiative (CNCI).  Thus, the 2009 review referenced by the GAO was not the first effort in what seems to be a continual game of tic-tac-toe.

Part of the problem is that cybersecurity is present in so many different areas, requiring (seemingly) various agencies to be engaged.  When the Department of Homeland Security was created, many of the government’s cyber efforts were merged into the new agency, though many agencies chose not to transfer over elements that would have made the new Department’s cyber efforts stronger.  The result?  DHS, while improving, continues to struggle with its efforts to lead on the cybersecurity front, especially as it does not have explicit authority to direct other agencies on cyber matters, particularly with regard to private sector engagement.

I’ve written several times about the struggle between DHS and the Department of Defense for leadership of the nation’s cybersecurity efforts.  Last week, Defense Secretary Robert M. Gates and Homeland Security Secretary Janet Napolitano announced that the two agencies signed a memorandum of agreement to better protect against threats to military and civilian computer networks and systems.  The agreement calls for DoD cyber analysts to work with DHS to support the National Cybersecurity and Communications Integration Center.  In addition, a DHS senior staffer will be detailed to NSA.  While promising, the skeptic in me hopes that we do not see a repeat of the National Infrastructure Protection Center “sharing” experience of the 1990s, where the FBI and the Secret Service joined efforts on cybercrime and infrastructure protection, only to see the Secret Service abandon the NIPC over operational differences.

So is our cybersecurity effort futile?  Unlike Global Thermonuclear War, it is not the case that “the only winning move is not to play” on the cybersecurity front unless, of course, one advocates an impossible-to-achieve Luddite approach of unplugging our society from computers.  If we can realize that total elimination of cyberthreats is impossible and that our efforts should focus on how to mitigate potential threats and risks as much as feasible and imaginable, then we may continue to make progress on the cybersecurity front.  I’ve noted before that the Obama Administration appears to have the right people in place.  With expectation management and a commitment to not repeat past mistakes, we may just see an end to the cybersecurity tic-tac-toe.

August 19, 2010

Dealing with inappropriate expectations in a relationship. (Yes, this is a homeland security blog.)

Filed under: Cybersecurity,General Homeland Security — by Philip J. Palin on August 19, 2010

Monday the House Homeland Security Committee released a new GAO study: Key Private and Public Cyber Expectations Need to be Consistently Addressed.

The Government Accountability Office reports that the private sector is disappointed in the public sector and the reverse is also true.  From the report:

Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations… 
 
Public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons.
 
Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure.

Our daughter just celebrated her first wedding anniversary.  I recently asked, “Have you uncovered any big expectations either of you brought into the marriage unrecognized by the other?”  I will not share her answer.  But many of us have been there and have our own answers.

Reading the GAO study, one cyber-partner expects the other to be brilliant, efficient, and consistently effective.   Meanwhile the “brilliant” cyber-partner expects the other to be generous, trusting, and communicative. 

Sounds entirely like too many just married couples.  We’ve been at this for nearly nine years now.  Where’s the realism? 

The GAO reports, “The two most expected services private sector stakeholders want from their federal partners are timely and actionable cyber threat and alert information—providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. The percentages of private sector survey respondents reporting that they expect timely and actionable cyber threat and alert information to a great or moderate extent were 98 and 96, respectively.”

Sounding like a tough marriage counselor the GAO writes, “Only 27 percent of private sector survey respondents reported that they were receiving timely and actionable cyber threat information and alerts to a great or moderate extent.” 

I’m amazed the percentage is so high.  If I would take my wife’s top two expectations of me and she could confidently say I was regularly meeting those expectations 27 percent of the time… even if only to a “moderate extent.”  Well, she would probably be thrilled.

Most of the time the public sector has nothing specific to tell the private sector regarding an actionable cyber threat or alert.  Most of the time the private sector will know about the threat before the public sector.

When the GAO asked public sector cyber-professionals about their private sector partners even more good news emerged. “Many government councils reported that the private sector is mostly meeting their expectations in several areas… Four of the five government councils stated that they are receiving commitment to execute plans and recommendations and timely and actionable cyber threat information to a great or moderate extent.”  Without my ellipses the tone of the GAO report is more negative.  But the quote above is much more honest than quotes on most movie ads.

Despite the basically good news, the public sector wants the private sector to share more. (Isn’t that what the private sector is asking from the public sector?) “One issue is that private sector stakeholders do not want to share their sensitive, proprietary information with the federal government. In addition, information security companies could lose a competitive advantage by sharing information with the government which, in turn, could share it with those companies’ competitors. In addition, according to DHS officials, despite special protections and sanitization processes, private sector stakeholders are unwilling to agree to all of the terms that the federal government or a government agency requires to share certain information.”

Other than FOIA, Congressional hearings, and WikiLeaks what could those pesky private sector folks be worried about?

There are some real challenges.  Read the GAO report.  Sure, improvement is possible.  But what I read — admittedly between the lines — is the description of an amazingly productive relationship… especially if the two parties don’t focus too much on their unrealistic expectations of each other.

The following is from another website with a very different mission than HLSWatch, but in this case the advice seems appropriate:

It’s okay to have expectations. Everyone does. However, the expectations need to be achievable or the sense of disappointment, disillusionment and despair from failed expectations will bring (the relationship) to the point of wanting to call it quits.

Hopefully, your expectations will include being able to… resolve conflicts, to appreciate your differences… to respect one another, and to be able to discuss values and priorities.

It is very important to be able to identify and actually talk about expectations with one another. Together you can fine tune your expectations so that neither of you are trying to live up to something that is impossible.

I had finished the preceding before reading Mark’s Wednesday piece.  If you have not, just keep reading below.  Mark and I don’t know each other, live on opposite coasts, and usually start from very different places.  Somehow we keep meeting along the way.  After a while recurring coincidence may suggest an emerging pattern.

July 9, 2010

Cybercitizen?

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on July 9, 2010

Siobhan Gorman of the Wall Street Journal reported yesterday that the National Security Agency (NSA) is developing a cybersecurity program entitled “Perfect Citizen” that would “rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.” The purpose of the program would be to “detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants.”

Raytheon allegedly won a $100 million contract for the first phase of the project, which is part of the Comprehensive National Cybersecurity Initiative (CNCI) rolled out in January 2008 by President George W. Bush in the classified National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23).  President Obama announced in May 2009 as part of the current Administration’s Cyberspace Policy Review that elements of the CNCI would continue as part of an increased effort to build our nation’s cybersecurity strengths.

NSA confirmed late Thursday/early this morning that Perfect Citizen is, indeed, a real program but took issue with the Wall Street Journal’s portrayal. In a statement the agency said “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor…. Specifically, it does not involve the monitoring of communications or placement of sensors on utility company systems.”  The NSA went on to say that “this contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.”

Since Gorman’s story on Perfect Citizen yesterday, there has been a flurry of Internet activity asking several questions, all of which mirror the larger issues facing the federal government as it tries to tackle cybersecurity.  Those questions are:

  1. How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?
  2. If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?
  3. Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

The questions are intertwined but are not new — the government has struggled with them since the mid-90s when President Bill Clinton announced the first large-scale public efforts to develop public-private partnerships to address critical infrastructure and cybersecurity.   How the Obama Administration chooses to address these three questions going forward will help define the future of cybersecurity for citizens, stakeholders, contractors, the federal government, and our international partners.

How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?

Interestingly, this is objective #12 of 12 in the CNCI, according to documents released by President Obama last year.  According to the White House National Security Council’s website describing the program, that objective is as follows:

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.

This objective, as stated, meshes with findings of the President’s Commission on Critical Infrastructure Protection, created by President Clinton in 1996, in its report Critical Foundations, Protecting America’s Infrastructures.  In its 1997 report, the Commission found:

The quickest and most effective way to achieve a much higher level of protection from cyber threats is a strategy of cooperation and information sharing based on partnerships among the infrastructure owners and operators and appropriate government agencies.

To facilitate this new relationship between government and industry, new mechanisms will be needed, including sector “clearing houses” to provide the focus for industry cooperation and information sharing; a council of industry CEOs, representatives of state and local government, and Cabinet secretaries to provide policy advice and implementation commitment; a real-time capability for attack warning; and a top-level policy making office in the White House.

Another area where government must lead is in research and development. Some of the basic technology and tools needed to provide improved infrastructure protection already exist, but need to be widely employed. However, there is a need for additional technology with which to protect our essential systems. We have, therefore, recommended a program of research and development focused on those needed capabilities.

It is eerie how little the rhetoric, problems, and solutions on cybersecurity have changed in 13 years, especially given the leaps and bounds we have seen on the technology front – from broadband to smart grids to wireless to social networks.  The 1997 report would be one of a handful to emerge from the government, all touting the same action items.  In addition, several federal entities – many with acronyms as names – emerged over the years, from the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce to the National Infrastructure Protection Center (NIPC) at the FBI to the National Cyber Security Division (NCSD) at the Department of Homeland Security.

We also saw directives offered by both Presidents Clinton and Bush to further explain the complex relationship between the government and the private sector in protecting critical infrastructures.  PDD-63, released in May 1998, established national policy on necessary measures to eliminate significant vulnerabilities to physical and cyber attacks on U.S. critical infrastructures, including U.S. cyber systems.  HSPD-7, released in December 2003, superseded PDD-63, and focused on establishing a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks.

Since Perfect Citizen is focused on the energy sector, it is worth noting that the 1997 Critical Infrastructure report did specifically address the vulnerabilities and threats of the energy sector in one of its chapters.  Its concluding findings were:

  1. The authorities and responsibilities for energy infrastructure assurance in the federal government need to be clarified.
  2. The respective responsibilities of government and private sector for infrastructure assurance are not clearly understood.
  3. Improved sharing of threat information and “indications and warning” (I&W) information is needed. Improved sharing of industry experience is needed (e.g., a fully populated cyber intrusion database).
  4. More training and awareness in infrastructure assurance is needed, focusing on risk management, vulnerabilities, performance testing, and cyber security.
  5. Infrastructure assurance technology advancements could add significantly to the overall protection of industry assets.
  6. Adopting uniform physical and cyber security guidelines, standards or best practices would enhance protection.

Interestingly, the government had already been looking at energy sector vulnerabilities before the Commission was even formed.  In the late 80s, the House Energy & Commerce and Senate Government Affairs Committees held hearings and requested an assessment from the then-existing Office of Technology Assessment on the vulnerabilities of the grid. OTA released a report in 1990 entitled “Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage.”  The report describes the various agencies involved in protecting electric systems, from the National Security Council to the Federal Emergency Management Agency to the Department of Defense to the FBI, and includes the conclusion that “[t]he appropriate level of government intervention is a matter of value judgment and opinion. The level of threat, both sabotage and natural disaster, cannot be quantified, and the costs of a major outage are highly dependent on the exact nature of the outage.”

So what can be concluded from these efforts?  Maybe the OTA report is right – government intervention/involvement in private sector efforts in this area is really a value judgment call where we will see the right mix when we see it.  There is no easy answer though it is clear that it has to be a joint effort if we are going to protect our critical infrastructures such as the electric grid, nuclear plants, and oil pipelines.  Attention should be focused on specific solutions that can harden our systems and advance our efforts beyond policy, partnerships, and threatened mandates.

If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?

Privacy concerns relating to how the federal government works with the private sector on monitoring critical systems are also not new.  Each time the government creates a cybersecurity program, concerns are raised – some rightly, some not – about what we are doing on the privacy front.

In the late 90s/early 2000s, the FBI came under fire for its unfortunately named program “Carnivore,” which was designed to monitor email and electronic communications through the use of customized packet sniffers.  The name was quickly changed to DCS1000 (despite some calls for it to be renamed “Fluffy Bunny”) but the program never quite survived the privacy uproar that followed it.

Currently, the Einstein (1,2, 3) programs that make up part of the CNCI effort remain under fire from privacy and civil liberties advocates because they involve deep packet inspections and scanning of communications for malicious code before they attack government systems.  Einstein 1 and 2 have been examined in great detail and have Privacy Impact Assessments available.  Einstein 3, which has yet to be rolled out fully, has created the most controversy as it would allegedly preempt strikes before they happen by sharing information with the NSA (a simplistic description that I’m sure has many techies rolling their eyes).

The concern for many privacy and civil liberties advocates on this front are two-fold. First, there is a general concern that NSA’s involvement in what many deem a civilian effort, especially in light of NSA’s surveillance and intelligence gathering missions, would go beyond protecting to  actively intruding on citizen’s privacy and activities.  Second, to the degree there is discussion about extending Einstein and other programs into the private sector, there is concern about government involvement in such efforts, especially in light of concerns over NSA involvement and use of its “Tutelage” technology developed for screening cybersecurity networks. 

We can expect the same concerns raised by Einstein 3 to be raised with Perfect Citizen.  The fact that private sector systems are the focal point of the effort, something that most of the CNCI has avoided by focusing on government systems, may raise further questions as experts try to parse out what really is going on with Perfect Citizen.  Since it is a classified program, much of the discussion will focus on speculation and rumors, making the privacy concerns more difficult to discern.  NSA’s involvement will only magnify those concerns.  It is hard to address concerns about problems that are only speculative and so dependent on “trust” but with little way to “verify” for privacy advocates.

Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

Before answering this question, it is worth exploring whether the privacy issues raised in question 2 would go away if NSA were not involved in Perfect Citizen.  My assessment is that they would not, as DHS has had a number of programs come under privacy scrutiny and much of the proposed activity would need to be classified to achieve its goals and be successful.  The protection of industry information would also have to be adequately addressed.

So putting those concerns aside, should DHS or NSA be leading this effort?  It is hard to understand exactly what role NSA is playing in this effort or why, according to media reports, it is doing outreach to utilities.  Especially confusing is the fact that if you look at Objective #12 under the CNCI (see above), DHS has the lead on the effort to extend government efforts to the private sector and has done extensive work, along with the Department of Energy and the Federal Energy Regulatory Commission, on the various subsectors within the energy sector on protecting their systems.

Also unclear is how the NSA’s lead (if it is indeed leading) on Perfect Citizen meshes with the Office of Management and Budget’s Memorandum released earlier this week, on July 6th, entitled Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS).

That memorandum clearly states:

Under various national security and homeland security Presidential directives, and pursuant to its statutory authorities, DHS oversees critical infrastructure protection, operates the United States Computer Emergency Readiness Team (US-CERT), oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector.

Maybe future revelations about Perfect Citizen will reveal DHS’s role in the program and make clearer how NSA is engaging with the energy sector on what the agency is calling a “research and development” program.  Given the complexities involved with cybersecurity, if NSA has technology that is useful that has been developed on “the other side,” shouldn’t it be working with DHS and other civilian agencies to test it and determine its applicability in civilian government and private sector systems?

If it does not have the technology but is contracting with outside entities to develop it purely for civilian purposes, then that would seemingly contradict the understood paradigm on who does what in cybersecurity for the government and with public-private outreach.  Based on what has been made public so far, it is unclear which scenario is actually taking place.

In any event, it would be helpful for the Administration to clarify roles and responsibilities and how it sees the interplay between NSA and DHS on cybersecurity, much in the same way it did on the interplay between the White House and DHS in this week’s OMB memo, as the tension between DHS and NSA efforts will likely not disappear anytime soon.
