Homeland Security Watch

News and analysis of critical issues in homeland security

March 11, 2014

Privacy is theft

Filed under: Cybersecurity,General Homeland Security,Privacy and Security — by Christopher Bellavita on March 11, 2014

News item:

The Custom and Border Protection (CBP) official at Hartsfield–Jackson airport scanned Martin Bryant’s fingerprints.

“What’s that little device you’ve got clipped on?” he asked.

Bryant was entering the United States from the UK.  He was wearing a Narrative Clip.  The Clip is “a tiny camera that takes a photo of what’s in front of you every 30 seconds.”

Narrative-Clip-1.jpg_2022572542

Bryant planned to use the Clip to document his trip, to “capture the flavor of his journey.” As he approached the CBP official, “a terrible realization dawned on me – I’d forgotten to take the Clip off.”

The story has a sort of happy ending.  Bryant had to delete the airport pictures he took — or rather, the Clip took, but he was eventually allowed to continue his travels.

It was the first time the CBP officials had seen that particular device.  Bryant writes that he

…expected stern faced, intolerant treatment from officials who wanted to get rid of an odd British geek’s weird little camera as soon as possible, and instead they took the time to understand what they were dealing with and respond in an appropriate manner.”

News item:

Homeland security students contemplate how wearable technology, like Google Glass, can assist first responders for event security, disaster response, and other tasks.

Wearable glass technology could be valuable in reinforcing the [TSA’s]… security techniques for its Behavior Detection Officers…. A computerized eyeglass device could assist in gauging a passenger’s physiological responses, such as pupil dilation or micro facial expressions. The technology could also potentially monitor a traveler’s walking gait to determine if the person is concealing an item, as well as provide a remote feed where other officers can analyze what the wearer is seeing.

google-glass-diarrhea-540x600

News item:

The PEW Research Center issues a report on Digital Life in 2025, reminding readers that the World Wide Web is 25 years old on March 12.

Among the report’s good news bad news hopes:

Augmented reality and wearable devices will be implemented to monitor and give quick feedback on daily life….

People will continue – sometimes grudgingly – to make tradeoffs favoring convenience and perceived immediate gains over privacy; and privacy will be something only the upscale will enjoy.

25-birthday-candles

There is no need to worry about this Brave New World

Here are three slogans from the David Eggers book, The Circle. Repeating them 15 minutes twice a day will put any concerns you might have to rest, once in the morning and once before you turn off all your devices and go to sleep.

Sharing is caring.

Secrets are lies.

Privacy is theft.

Here’s an excerpt from The Circle (208 ff).  An elected official decides to provide ultimate transparency by wearing a steroids version of the Clip during every waking moment.

Everything she does will be streamed in real time.

Showing care by sharing everything.

Embracing truth by having no secrets.

Demonstrating honesty by shedding privacy.

I intend to show how democracy can and should be: entirely open, entirely transparent,  Starting today… I will be wearing [the Clip on steroids]. My every meeting, movement, my every word, will be available to all my constituents and to the world.

“And what if those who want to meet with you don’t want a given meeting to be broadcast?” she is asked.

‘Well, then they will not meet with me.… You’re either transparent or you’re not. You’re either accountable or you’re not. What would anyone have to say to me that couldn’t be said in public? What part of representing the people should not be known by the very people I’m representing?

It begins now for me… And I hope it begins soon for the rest of the elected leaders in this country – and for those in everyone of the world’s democracies.

Before too long, in Eggers’ transparent new world, no one gets elected or appointed to any office unless they promise to wear “the Device.”

Why would they refuse to wear it?

What are they trying to hide?

TheCircle-Jacket

News item:

Happy birthday, World Wide Web.  Without you, life would be

February 13, 2014

Private-Public Cybersecurity Framework

Filed under: Cybersecurity,Private Sector,Resilience — by Philip J. Palin on February 13, 2014

Wednesday the White House “launched” the long-under-way Framework for Improving Critical Infrastructure Cybersecurity (41-page PDF).   A snow day has given me the chance to read it.

You need to turn to someone else for a technically competent reading-between-the-lines.  I have no particular competence in cyber hermeneutics.

Information Week reports, “Experts believe NIST’s voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators.”

Several others suggest the voluntary standards are a reasonable step forward given the collapse of earlier efforts to draft legislation.  The US Chamber of Commerce continues to be suspicious of how even these kumbaya methods might be turned to satanic purposes.

The White House spin is well-set out in a detailed background briefing.

No one is suggesting the framework, even widely adopted, resolves vulnerabilities innate to the network.

Two aspects of the framework should not be taken for granted.  First, the methods to finalize the framework may be a model for future approaches to private-public problem solving.  The National Institute of Standards and Technology, a non-regulatory agency, played host and facilitator for a largely private-sector-driven process.  NIST did not try to drive the process in any particular direction, but was helpful in brokering practical paths for reaching consensus among sometime competitors and a variety of views.  ”Honest broker” is not the first thing many in the private sector usually attribute to the Feds.  It apparently worked here.

Second, several of the private sector “Big Boys” involved in the process (e.g. AT&T) have announced their intention to use audited compliance with the voluntary standards as a gateway for those enterprises from which they will purchase goods and services.

This tees-up the potential for a dynamic process of community self-enforcement that several studies (including many by my heroine Elinor Ostrom) have found are much more effective at proactive avoidance and prevention of problems, rather than after-the-fact sanctioning.  Given the “commons-like” characteristics of the cyber-domain this could be an important dynamic to consciously cultivate.

January 30, 2014

The mitigation message

East Rivers Elementary

Cobb County elementary school children sleeping Tuesday night in the gym

Last Tuesday my train pulled into Union Station, Washington DC, shortly before noon.  The station and surrounding city were unusually quiet.  The Federal Office of Personnel Management had given most of its employees liberal leave to stay home.   Most area schools followed this lead.

On Capitol Hill — where I still had some meetings — the snow did not really begin until about 2:00 and was not quite as bad as predicted even into the height of the typical rush hour, which given the OPM decision had much more rush than usual.

By the next morning there was nearly 4 inches of snow at Reagan Airport and over 8 at Dulles.  Wednesday got underway with official delays.

Still some were inclined to second-guess the Tuesday mitigation decision made with the best possible information Monday night.

I hope the second-guessers are giving close attention to the more recent news out of Atlanta.

Even at dawn Tuesday, January 28 the best information available to Georgia decision-makers — very much including the general public — was that the worst weather would track south and east of Atlanta.  Beginning between about 7 and 8 that morning the best information began to shift.  By 10 it was snowing in Bartow County on the northwestern edge of metro Atlanta.  By 11 it was snowing hard and icing.  At 11:23 Cobb County Schools (along the Northwest Atlanta beltway) closed and began busing students home.  At 12:15 Georgia DOT suggested private-sector workers head home.

By 1:00 many Atlanta highways were grid-locked, more the result of sudden volume than — yet — because of the weather.  (Should bring back unpleasant memories of similar events in Chicago and DC in recent years.)  As some of you know, traffic is not an unusual problem in Atlanta, even in fragrant and sunny springtime.

At 1:55 the Governor declared a State of Emergency; the most immediate effect being to pour state employees onto already packed roads.  Across the United States we are predisposed to evacuations.  It is a bad — sometimes, someplaces deadly — habit.

By mid-afternoon the snow and especially ice were adding to the problems.  You have probably seen the videos.  There were several hundred vehicle accidents just in the Atlanta area.

On Wednesday many Tuesday afternoon commuters were still stuck in their cars.  Some had abandoned their vehicles.  In several cases school buses were forced to retreat back to classrooms.  Several hundred children — the numbers are still unclear — spent the night in their schools. (See picture above.) My ten-year-old nephew got home from school, but neither of his parents could.  Shane spent the night at the neighbors.

There will be after-action analyses. There will be studies.  There will be hearings.  There will be blame-gaming. There will be lessons-learned.

What I hope someone will declare clearly and well is that 1) there are many things we cannot accurately predict, 2) especially in unpredictable contexts innate vulnerabilities are exposed, and 3) in densely networked environments, like cities, these vulnerabilities can sometimes meet and mate, propagating suddenly and prolifically.

So… for a whole host of risks we are wise to invest in mitigation and to keep in mind that what will always seem an over-investment before will likely pay profitable dividends after.

This principle applies well beyond the weather, including water systems, supply chains, fuel networks, bridges, and much, much more.

January 17, 2014

The President’s remarks on signals intelligence

Filed under: Cybersecurity,Intelligence and Info-Sharing,Privacy and Security — by Philip J. Palin on January 17, 2014

This is a cut-and-paste from the White House website of the President’s remarks given at the Department of Justice earlier today. The topic. as headlined by the White House, is “signals intelligence”. I have highlighted a few phrases in bold, toward the end of a long day and longer week. No particular insight is promised in the highlights. But especially with this President, a careful read of the whole is almost always worth it.

–+–

THE PRESIDENT: At the dawn of our Republic, a small, secret surveillance committee borne out of the “The Sons of Liberty” was established in Boston. And the group’s members included Paul Revere. At night, they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

Throughout American history, intelligence has helped secure our country and our freedoms. In the Civil War, Union balloon reconnaissance tracked the size of Confederate armies by counting the number of campfires. In World War II, code-breakers gave us insights into Japanese war plans, and when Patton marched across Europe, intercepted communications helped save the lives of his troops. After the war, the rise of the Iron Curtain and nuclear weapons only increased the need for sustained intelligence gathering. And so, in the early days of the Cold War, President Truman created the National Security Agency, or NSA, to give us insights into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.

Throughout this evolution, we benefited from both our Constitution and our traditions of limited government. U.S. intelligence agencies were anchored in a system of checks and balances — with oversight from elected leaders, and protections for ordinary citizens. Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

In fact, even the United States proved not to be immune to the abuse of surveillance. And in the 1960s, government spied on civil rights leaders and critics of the Vietnam War. And partly in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens. In the long, twilight struggle against Communism, we had been reminded that the very liberties that we sought to preserve could not be sacrificed at the altar of national security.

If the fall of the Soviet Union left America without a competing superpower, emerging threats from terrorist groups, and the proliferation of weapons of mass destruction placed new and in some ways more complicated demands on our intelligence agencies. Globalization and the Internet made these threats more acute, as technology erased borders and empowered individuals to project great violence, as well as great good. Moreover, these new threats raised new legal and new policy questions. For while few doubted the legitimacy of spying on hostile states, our framework of laws was not fully adapted to prevent terrorist attacks by individuals acting on their own, or acting in small, ideologically driven groups on behalf of a foreign power.

The horror of September 11th brought all these issues to the fore. Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away. We were shaken by the signs we had missed leading up to the attacks — how the hijackers had made phone calls to known extremists and traveled to suspicious places. So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

It is hard to overstate the transformation America’s intelligence community had to go through after 9/11. Our agencies suddenly needed to do far more than the traditional mission of monitoring hostile powers and gathering information for policymakers. Instead, they were now asked to identify and target plotters in some of the most remote parts of the world, and to anticipate the actions of networks that, by their very nature, cannot be easily penetrated with spies or informants.

And it is a testimony to the hard work and dedication of the men and women of our intelligence community that over the past decade we’ve made enormous strides in fulfilling this mission. Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or his funding. New laws allow information to be collected and shared more quickly and effectively between federal agencies, and state and local law enforcement. Relationships with foreign intelligence services have expanded, and our capacity to repel cyber-attacks have been strengthened. And taken together, these efforts have prevented multiple attacks and saved innocent lives — not just here in the United States, but around the globe.

And yet, in our rush to respond to a very real and novel set of threats, the risk of government overreach — the possibility that we lose some of our core liberties in pursuit of security — also became more pronounced. We saw, in the immediate aftermath of 9/11, our government engaged in enhanced interrogation techniques that contradicted our values. As a Senator, I was critical of several practices, such as warrantless wiretaps. And all too often new authorities were instituted without adequate public debate.

Through a combination of action by the courts, increased congressional oversight, and adjustments by the previous administration, some of the worst excesses that emerged after 9/11 were curbed by the time I took office. But a variety of factors have continued to complicate America’s efforts to both defend our nation and uphold our civil liberties.

First, the same technological advances that allow U.S. intelligence agencies to pinpoint an al Qaeda cell in Yemen or an email between two terrorists in the Sahel also mean that many routine communications around the world are within our reach. And at a time when more and more of our lives are digital, that prospect is disquieting for all of us.

Second, the combination of increased digital information and powerful supercomputers offers intelligence agencies the possibility of sifting through massive amounts of bulk data to identify patterns or pursue leads that may thwart impending threats. It’s a powerful tool. But the government collection and storage of such bulk data also creates a potential for abuse.

Third, the legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas. This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available. But America’s capabilities are unique, and the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do.

And finally, intelligence agencies cannot function without secrecy, which makes their work less subject to public debate. Yet there is an inevitable bias not only within the intelligence community, but among all of us who are responsible for national security, to collect more information about the world, not less. So in the absence of institutional requirements for regular debate — and oversight that is public, as well as private or classified — the danger of government overreach becomes more acute. And this is particularly true when surveillance technology and our reliance on digital information is evolving much faster than our laws.

For all these reasons, I maintained a healthy skepticism toward our surveillance programs after I became President. I ordered that our programs be reviewed by my national security team and our lawyers, and in some cases I ordered changes in how we did business. We increased oversight and auditing, including new structures aimed at compliance. Improved rules were proposed by the government and approved by the Foreign Intelligence Surveillance Court. And we sought to keep Congress continually updated on these activities.

What I did not do is stop these programs wholesale — not only because I felt that they made us more secure, but also because nothing in that initial review, and nothing that I have learned since, indicated that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens.

To the contrary, in an extraordinarily difficult job — one in which actions are second-guessed, success is unreported, and failure can be catastrophic — the men and women of the intelligence community, including the NSA, consistently follow protocols designed to protect the privacy of ordinary people. They’re not abusing authorities in order to listen to your private phone calls or read your emails. When mistakes are made — which is inevitable in any large and complicated human enterprise — they correct those mistakes. Laboring in obscurity, often unable to discuss their work even with family and friends, the men and women at the NSA know that if another 9/11 or massive cyber-attack occurs, they will be asked, by Congress and the media, why they failed to connect the dots. What sustains those who work at NSA and our other intelligence agencies through all these pressures is the knowledge that their professionalism and dedication play a central role in the defense of our nation.

Now, to say that our intelligence community follows the law, and is staffed by patriots, is not to suggest that I or others in my administration felt complacent about the potential impact of these programs. Those of us who hold office in America have a responsibility to our Constitution, and while I was confident in the integrity of those who lead our intelligence community, it was clear to me in observing our intelligence operations on a regular basis that changes in our technological capabilities were raising new questions about the privacy safeguards currently in place.

Moreover, after an extended review of our use of drones in the fight against terrorist networks, I believed a fresh examination of our surveillance programs was a necessary next step in our effort to get off the open-ended war footing that we’ve maintained since 9/11. And for these reasons, I indicated in a speech at the National Defense University last May that we needed a more robust public discussion about the balance between security and liberty. Of course, what I did not know at the time is that within weeks of my speech, an avalanche of unauthorized disclosures would spark controversies at home and abroad that have continued to this day.

And given the fact of an open investigation, I’m not going to dwell on Mr. Snowden’s actions or his motivations; I will say that our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets. If any individual who objects to government policy can take it into their own hands to publicly disclose classified information, then we will not be able to keep our people safe, or conduct foreign policy. Moreover, the sensational way in which these disclosures have come out has often shed more heat than light, while revealing methods to our adversaries that could impact our operations in ways that we may not fully understand for years to come.

Regardless of how we got here, though, the task before us now is greater than simply repairing the damage done to our operations or preventing more disclosures from taking place in the future. Instead, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals and our Constitution require. We need to do so not only because it is right, but because the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon. They are going to continue to be a major problem. And for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.

This effort will not be completed overnight, and given the pace of technological change, we shouldn’t expect this to be the last time America has this debate. But I want the American people to know that the work has begun. Over the last six months, I created an outside Review Group on Intelligence and Communications Technologies to make recommendations for reform. I consulted with the Privacy and Civil Liberties Oversight Board, created by Congress. I’ve listened to foreign partners, privacy advocates, and industry leaders. My administration has spent countless hours considering how to approach intelligence in this era of diffuse threats and technological revolution. So before outlining specific changes that I’ve ordered, let me make a few broad observations that have emerged from this process.

First, everyone who has looked at these problems, including skeptics of existing programs, recognizes that we have real enemies and threats, and that intelligence serves a vital role in confronting them. We cannot prevent terrorist attacks or cyber threats without some capability to penetrate digital communications — whether it’s to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts. We are expected to protect the American people; that requires us to have capabilities in this field.

Moreover, we cannot unilaterally disarm our intelligence agencies. There is a reason why BlackBerrys and iPhones are not allowed in the White House Situation Room. We know that the intelligence services of other countries — including some who feign surprise over the Snowden disclosures — are constantly probing our government and private sector networks, and accelerating programs to listen to our conversations, and intercept our emails, and compromise our systems. We know that.

Meanwhile, a number of countries, including some who have loudly criticized the NSA, privately acknowledge that America has special responsibilities as the world’s only superpower; that our intelligence capabilities are critical to meeting these responsibilities, and that they themselves have relied on the information we obtain to protect their own people.

Second, just as ardent civil libertarians recognize the need for robust intelligence capabilities, those with responsibilities for our national security readily acknowledge the potential for abuse as intelligence capabilities advance and more and more private information is digitized. After all, the folks at NSA and other intelligence agencies are our neighbors. They’re our friends and family. They’ve got electronic bank and medical records like everybody else. They have kids on Facebook and Instagram, and they know, more than most of us, the vulnerabilities to privacy that exist in a world where transactions are recorded, and emails and text and messages are stored, and even our movements can increasingly be tracked through the GPS on our phones.

Third, there was a recognition by all who participated in these reviews that the challenges to our privacy do not come from government alone. Corporations of all shapes and sizes track what you buy, store and analyze our data, and use it for commercial purposes; that’s how those targeted ads pop up on your computer and your smartphone periodically. But all of us understand that the standards for government surveillance must be higher. Given the unique power of the state, it is not enough for leaders to say: Trust us, we won’t abuse the data we collect. For history has too many examples when that trust has been breached. Our system of government is built on the premise that our liberty cannot depend on the good intentions of those in power; it depends on the law to constrain those in power.

I make these observations to underscore that the basic values of most Americans when it comes to questions of surveillance and privacy converge a lot more than the crude characterizations that have emerged over the last several months. Those who are troubled by our existing programs are not interested in repeating the tragedy of 9/11, and those who defend these programs are not dismissive of civil liberties.

The challenge is getting the details right, and that is not simple. In fact, during the course of our review, I have often reminded myself I would not be where I am today were it not for the courage of dissidents like Dr. King, who were spied upon by their own government. And as President, a President who looks at intelligence every morning, I also can’t help but be reminded that America must be vigilant in the face of threats.

Fortunately, by focusing on facts and specifics rather than speculation and hypotheticals, this review process has given me — and hopefully the American people — some clear direction for change. And today, I can announce a series of concrete and substantial reforms that my administration intends to adopt administratively or will seek to codify with Congress.

First, I have approved a new presidential directive for our signals intelligence activities both at home and abroad. This guidance will strengthen executive branch oversight of our intelligence activities. It will ensure that we take into account our security requirements, but also our alliances; our trade and investment relationships, including the concerns of American companies; and our commitment to privacy and basic liberties. And we will review decisions about intelligence priorities and sensitive targets on an annual basis so that our actions are regularly scrutinized by my senior national security team.

Second, we will reform programs and procedures in place to provide greater transparency to our surveillance activities, and fortify the safeguards that protect the privacy of U.S. persons. Since we began this review, including information being released today, we have declassified over 40 opinions and orders of the Foreign Intelligence Surveillance Court, which provides judicial review of some of our most sensitive intelligence activities — including the Section 702 program targeting foreign individuals overseas, and the Section 215 telephone metadata program.

And going forward, I’m directing the Director of National Intelligence, in consultation with the Attorney General, to annually review for the purposes of declassification any future opinions of the court with broad privacy implications, and to report to me and to Congress on these efforts. To ensure that the court hears a broader range of privacy perspectives, I am also calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

Third, we will provide additional protections for activities conducted under Section 702, which allows the government to intercept the communications of foreign targets overseas who have information that’s important for our national security. Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases communications between Americans and foreign citizens incidentally collected under Section 702.

Fourth, in investigating threats, the FBI also relies on what’s called national security letters, which can require companies to provide specific and limited information to the government without disclosing the orders to the subject of the investigation. These are cases in which it’s important that the subject of the investigation, such as a possible terrorist or spy, isn’t tipped off. But we can and should be more transparent in how government uses this authority.

I have therefore directed the Attorney General to amend how we use national security letters so that this secrecy will not be indefinite, so that it will terminate within a fixed time unless the government demonstrates a real need for further secrecy. We will also enable communications providers to make public more information than ever before about the orders that they have received to provide data to the government.

This brings me to the program that has generated the most controversy these past few months — the bulk collection of telephone records under Section 215. Let me repeat what I said when this story first broke: This program does not involve the content of phone calls, or the names of people making calls. Instead, it provides a record of phone numbers and the times and lengths of calls — metadata that can be queried if and when we have a reasonable suspicion that a particular number is linked to a terrorist organization.

Why is this necessary? The program grew out of a desire to address a gap identified after 9/11. One of the 9/11 hijackers — Khalid al-Mihdhar — made a phone call from San Diego to a known al Qaeda safe-house in Yemen. NSA saw that call, but it could not see that the call was coming from an individual already in the United States. The telephone metadata program under Section 215 was designed to map the communications of terrorists so we can see who they may be in contact with as quickly as possible. And this capability could also prove valuable in a crisis. For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence. Being able to quickly review phone connections to assess whether a network exists is critical to that effort.

In sum, the program does not involve the NSA examining the phone records of ordinary Americans. Rather, it consolidates these records into a database that the government can query if it has a specific lead — a consolidation of phone records that the companies already retained for business purposes. The review group turned up no indication that this database has been intentionally abused. And I believe it is important that the capability that this program is designed to meet is preserved.

Having said that, I believe critics are right to point out that without proper safeguards, this type of program could be used to yield more information about our private lives, and open the door to more intrusive bulk collection programs in the future. They’re also right to point out that although the telephone bulk collection program was subject to oversight by the Foreign Intelligence Surveillance Court and has been reauthorized repeatedly by Congress, it has never been subject to vigorous public debate.

For all these reasons, I believe we need a new approach. I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.

This will not be simple. The review group recommended that our current approach be replaced by one in which the providers or a third party retain the bulk records, with government accessing information as needed. Both of these options pose difficult problems. Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns. On the other hand, any third party maintaining a single, consolidated database would be carrying out what is essentially a government function but with more expense, more legal ambiguity, potentially less accountability — all of which would have a doubtful impact on increasing public confidence that their privacy is being protected.

During the review process, some suggested that we may also be able to preserve the capabilities we need through a combination of existing authorities, better information sharing, and recent technological advances. But more work needs to be done to determine exactly how this system might work.

Because of the challenges involved, I’ve ordered that the transition away from the existing program will proceed in two steps. Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of the current three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding or in the case of a true emergency.

Next, step two, I have instructed the intelligence community and the Attorney General to use this transition period to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata itself. They will report back to me with options for alternative approaches before the program comes up for reauthorization on March 28th. And during this period, I will consult with the relevant committees in Congress to seek their views, and then seek congressional authorization for the new program as needed.

Now, the reforms I’m proposing today should give the American people greater confidence that their rights are being protected, even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe. And I recognize that there are additional issues that require further debate. For example, some who participated in our review, as well as some members of Congress, would like to see more sweeping reforms to the use of national security letters so that we have to go to a judge each time before issuing these requests. Here, I have concerns that we should not set a standard for terrorism investigations that is higher than those involved in investigating an ordinary crime. But I agree that greater oversight on the use of these letters may be appropriate, and I’m prepared to work with Congress on this issue.

There are also those who would like to see different changes to the FISA Court than the ones I’ve proposed. On all these issues, I am open to working with Congress to ensure that we build a broad consensus for how to move forward, and I’m confident that we can shape an approach that meets our security needs while upholding the civil liberties of every American.

Let me now turn to the separate set of concerns that have been raised overseas, and focus on America’s approach to intelligence collection abroad. As I’ve indicated, the United States has unique responsibilities when it comes to intelligence collection. Our capabilities help protect not only our nation, but our friends and our allies, as well. But our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy, too. And the leaders of our close friends and allies deserve to know that if I want to know what they think about an issue, I’ll pick up the phone and call them, rather than turning to surveillance. In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain the trust and cooperation among people and leaders around the world.

For that reason, the new presidential directive that I’ve issued today will clearly prescribe what we do, and do not do, when it comes to our overseas surveillance. To begin with, the directive makes clear that the United States only uses signals intelligence for legitimate national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary folks. I’ve also made it clear that the United States does not collect intelligence to suppress criticism or dissent, nor do we collect intelligence to disadvantage people on the basis of their ethnicity, or race, or gender, or sexual orientation, or religious beliefs. We do not collect intelligence to provide a competitive advantage to U.S. companies or U.S. commercial sectors.

And in terms of our bulk collection of signals intelligence, U.S. intelligence agencies will only use such data to meet specific security requirements: counterintelligence, counterterrorism, counter-proliferation, cybersecurity, force protection for our troops and our allies, and combating transnational crime, including sanctions evasion.

In this directive, I have taken the unprecedented step of extending certain protections that we have for the American people to people overseas. I’ve directed the DNI, in consultation with the Attorney General, to develop these safeguards, which will limit the duration that we can hold personal information, while also restricting the use of this information.

The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security, and that we take their privacy concerns into account in our policies and procedures. This applies to foreign leaders as well. Given the understandable attention that this issue has received, I have made clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close friends and allies. And I’ve instructed my national security team, as well as the intelligence community, to work with foreign counterparts to deepen our coordination and cooperation in ways that rebuild trust going forward.

Now let me be clear: Our intelligence agencies will continue to gather information about the intentions of governments — as opposed to ordinary citizens — around the world, in the same way that the intelligence services of every other nation does. We will not apologize simply because our services may be more effective. But heads of state and government with whom we work closely, and on whose cooperation we depend, should feel confident that we are treating them as real partners. And the changes I’ve ordered do just that.

Finally, to make sure that we follow through on all these reforms, I am making some important changes to how our government is organized. The State Department will designate a senior officer to coordinate our diplomacy on issues related to technology and signals intelligence. We will appoint a senior official at the White House to implement the new privacy safeguards that I have announced today. I will devote the resources to centralize and improve the process we use to handle foreign requests for legal assistance, keeping our high standards for privacy while helping foreign partners fight crime and terrorism.

I have also asked my counselor, John Podesta, to lead a comprehensive review of big data and privacy. And this group will consist of government officials who, along with the President’s Council of Advisors on Science and Technology, will reach out to privacy experts, technologists and business leaders, and look how the challenges inherent in big data are being confronted by both the public and private sectors; whether we can forge international norms on how to manage this data; and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.

For ultimately, what’s at stake in this debate goes far beyond a few months of headlines, or passing tensions in our foreign policy. When you cut through the noise, what’s really at stake is how we remain true to who we are in a world that is remaking itself at dizzying speed. Whether it’s the ability of individuals to communicate ideas; to access information that would have once filled every great library in every country in the world; or to forge bonds with people on other sides of the globe, technology is remaking what is possible for individuals, and for institutions, and for the international order. So while the reforms that I have announced will point us in a new direction, I am mindful that more work will be needed in the future.

One thing I’m certain of: This debate will make us stronger. And I also know that in this time of change, the United States of America will have to lead. It may seem sometimes that America is being held to a different standard. And I’ll admit the readiness of some to assume the worst motives by our government can be frustrating. No one expects China to have an open debate about their surveillance programs, or Russia to take privacy concerns of citizens in other places into account. But let’s remember: We are held to a different standard precisely because we have been at the forefront of defending personal privacy and human dignity.

As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment, not government control. Having faced down the dangers of totalitarianism and fascism and communism, the world expects us to stand up for the principle that every person has the right to think and write and form relationships freely — because individual freedom is the wellspring of human progress.

Those values make us who we are. And because of the strength of our own democracy, we should not shy away from high expectations. For more than two centuries, our Constitution has weathered every type of change because we have been willing to defend it, and because we have been willing to question the actions that have been taken in its defense. Today is no different. I believe we can meet high expectations. Together, let us chart a way forward that secures the life of our nation while preserving the liberties that make our nation worth fighting for.

Thank you. God bless you. May God bless the United States of America. (Applause.)

November 13, 2013

American Blackout: National Geographic imagines a national power outage caused by a cyber attack

Filed under: Cybersecurity — by Christopher Bellavita on November 13, 2013

A National Geographic re-broadcast:

American Blackout imagines the story of a national power failure in the United States caused by a cyberattack ? told in real time, over 10 days, by those who kept filming on cameras and phones. You’ll learn what it means to be absolutely powerless. Gritty, visceral and totally immersive, see what it might take to survive from day one, and who would be left standing when the lights come back on.

The program is scheduled to be shown (again) on Wednesday, November 13th at 9 pm Eastern time – and various other times throughout the day.

If you don’t have a television, but do have the internet, there is a copy of the one hour and twenty-seven minute program on youtube: http://www.youtube.com/watch?v=PreJvrljihI

 

May 2, 2013

Catastrophe: Should’a, Would’a, Could’a

“I should prefer Mozart. Mostly I listen to 70s hits.”

“I should eat a hot breakfast, but usually have a powerbar instead.”

“I should work-out three or four times a week, maybe I walk around the block twice.”

Should has become moralistic.  It is typically used as a kind of anti-verb, ascribing — often anticipating — non-action.

I have heard a lot of “shoulds” in regard to the explosion of the West, Texas fertilizer storage facility. The April 17 blast killed 14 and injured more than 190 in the town of 2700.

“We should regulate better.”

“We should put buffer zones in place.”

“We should be more realistic about the threat.”

“We should do a better job sharing what we know about the risk.”

“We should focus more on pre-event prevention and mitigation.”

More plural pronouns than singulars it seems.

According to a November 2012 analysis undertaken by the Congressional Research Service, 6,985 chemical facilities self-report they pose a risk to populations greater than 1,000. There are 90 that self-report a worst-case risk affecting up to 1 million people.

The West facility was not included in the CRS analysis.  They did not self-report — or evidently self-conceive — a worst case scenario that would seriously harm anyone.

As regular readers know I have for a few years worked on catastrophe preparedness.

One of the most remarkable — and absolutely predictable — aspects of this gig is the readiness — preference really — by nearly everyone to define catastrophe as something non-catastrophic.  I saw it again last week and this.  It extends across the public-private divide and every level of government.  When a few of us argue otherwise we are being pedantic, unrealistic, and wasting people’s time.

We should give regular time and energy — maybe five percent of overall effort — to truly catastrophic risks: Global pandemic, significant earthquakes and cyclonic events hitting major urban areas, sustained collapse of the electrical grid whatever the cause. Each of these could have far-reaching secondary and tertiary effects.  In some regions I would include wildfire and flooding. If you have a chemical storage or processing facility nearby that is absolutely worth worst-case thinking now not later.

In many cases the most important issues relate to the mitigation of systemic vulnerabilities that are threat-agnostic.  ”Fixing” vulnerabilities can reduce consequences for a whole host of threats, including non-catastrophic threats.

USA Today editorialized, “The Boston Marathon bombings overshadowed the disaster in Texas, but what happened in West was deadlier, and preventing the next fertilizer accident should command serious attention.”

There’s that anti-verb again.

–+–

And how I wish I’d, wish I’d thought a little bit more
Now shoulda, woulda, coulda I means I’m out of time
Shoulda, woulda, coulda can’t change your mind
And I wonder, wonder what I’m going to do
Shoulda, woulda coulda are the last words of a fool

Can’t change your mind
Can’t change your mind

Beverly Knight

March 27, 2013

Web slows under ‘biggest attack ever’

Filed under: Cybersecurity — by Philip J. Palin on March 27, 2013

The following is the current lead in The Telegraph (London).  For the record, I am online, have been online all day (it’s now 1705 Eastern), and have not noticed a problem. I’ve checked a couple of US-based tech sites and a quick scan shows nothing or only a minor mention.  The New York Times is, however, giving major attention. Perhaps this is — so far — mostly a European phenomenon?

–+–

A Dutch web-hosting company caused disruption and the global slowdown of the internet, according to a not-for-profit anti-spam organization.

The interruptions came after Spamhaus, a spam-fighting group based in Geneva, temporarily added the Dutch firm, CyberBunker, to a blacklist that is used by e-mail providers to weed out spam.

Cyberbunker is housed in a five-story former NATO bunker and famously offers its services to any website “except child porn and anything related to terrorism”. As such it has often been linked to behaviour that anti-spam blacklist compilers have condemned.

Users of Cyberbunker retaliated with a huge ‘denial of service attack’. These work by trying to make a network unavailable to its intended users,overloading a server with coordinated requests to access it. At one point, 300 billion bits per second were being sent by a network of computers, making this the biggest attack ever.

MORE

THURSDAY UPDATE

Two morning after reports:

The San Jose Mercury tells us what happened in brief.

The Christian Science Monitor asks if it was overblown

Information Week tells us about the implications of what (apparently) happened

Sounds like it was much more a Eurasian event this time.

March 14, 2013

Cyber framing of reality

Filed under: Cybersecurity — by Philip J. Palin on March 14, 2013

From James Clapper’s Tuesday testimony to the Senate Select Committee on Intelligence:

We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the Internet. In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.

State and nonstate actors increasingly exploit the Internet to achieve strategic objectives, while many governments—shaken by the role the Internet has played in political instability and regime change—seek to increase their control over content in cyberspace. The growing use of cyber capabilities to achieve strategic goals is also outpacing the development of a shared understanding of norms of behavior, increasing the chances for miscalculations and misunderstandings that could lead to unintended escalation.

Compounding these developments are uncertainty and doubt as we face new and unpredictable cyber threats. In response to the trends and events that happen in cyberspace, the choices we and other actors make in coming years will shape cyberspace for decades to come, with potentially profound implications for US economic and national security.

A major hospital system has delayed deploying an extensive (expensive) digital patient record system.   Everyone agrees the new system will produce significant financial and clinical benefits.   But no one has figured out how to ensure an effective non-digital capability persists.   This was not a design specification.

There are multiple digital redundancies.  But what if electric power is lost beyond the capacity of back-up generators? How can patient records and status be accessed and updated if the digital system is dead for days?

This is more than a technical problem.  Many of the efficiencies generated by the ready-to-go system depend on collecting digital signals from various diagnostic tools and displaying integrated clinical outcomes.  Today the sub-systems feeding these displays — and their strengths and weaknesses — are understood by clinical staff.   Today it is not uncommon for an experienced nurse or lab tech to recognize that a specific data source  can be “screwy” and should be rechecked.   The new system will sufficiently obscure data sources  to make this nearly impossible.

One hospital administrator comments, “As long as we have clinical staff who remember how to use pre-digital systems, we can probably recover capabilities.”  But given staff turn-over this sort of human redundancy is expected to disappear within seven years.

My auto mechanic recently said, “When computer diagnostics first came out it was a big help, but I could still do most of my work without it, just not as quick.  Now if the computer is on the fritz I can’t do anything.”  He suggests younger mechanics are just “playing electronic games with your car,” and don’t understand any of the underlying systems. The hospital is trying to avoid this outcome.

I was talking to the manager of a large municipal water system.  ”Actually I feel pretty good about our resilience,” he said. “We’re a collection of several largely separate legacy systems built over the last century-plus: lots of innate redundancy, mostly gravity fed, almost all of it requires a human to turn a valve somewhere.  Not nearly as efficient as the newest systems, but take out one piece and the rest just keeps on flowing.  Bad planning has had some unintentionally good results.”

Meanwhile without digital scanning and communications most retail, wholesale, and shipping would suddenly stop.  This includes food and pharmaceuticals.   When the March 11, 2011 earthquake-and-tsunami hit Northeastern Japan the digital voices of those inside the impact zone went silent.   The voice of hoarders hundreds of miles away became a shout.  The supply chain responded to expressed want, not silent need.

The digital world has become the frame and filter on which many of us depend to engage the real world.  Humans have long depended on frames and filters to simplify what would otherwise be too complex.  Mathematics, religion, law and more are all tool-sets for framing and filtering.

There is often a temptation to mistake form for function. Framing reality has always included the risk of warping reality.  We have experienced the consequences of these risks. (I seem to experience them daily.)

But never before has access to water, food, and other essentials for such large populations been so dependent on the quality and survivability of our frames.

–+–

“Our comforting conviction that the world makes sense rests on a secure foundation: our almost unlimited ability to ignore our ignorance.”

Daniel Kahneman, Thinking, Fast and Slow

March 6, 2013

Our secular Trinity: supply chain, critical infrastructure, and cyber security

Filed under: Cybersecurity,Infrastructure Protection,Private Sector,Risk Assessment,Strategy — by Philip J. Palin on March 6, 2013

Above from the conclusion to Zorba the Greek, please don’t watch and listen until reading post, then it might make some sense.

–+–

Late Tuesday a third key component in an emerging national strategic architecture was highlighted on the White House website.  The Implementation Update for the National Strategy for Global Supply Chain Security outlines progress made (and if you read carefully between the lines, problems experienced) over the last twelve months since the Strategy itself was released.

This update — and the original National Strategy — should be read along side Presidential Policy Directive: Critical Infrastructure Security and Resilience (February 12, 2013) and the Executive Order: Improving Critical Infrastructure Cybersecurity (February 12, 2013).

Together these documents frame a new Trinitarian order: three distinct strategies of one substance, essence, and nature. Trade depends on production, transport of goods and communication of demand.   We can also say economic vitality depends on these factors.  Often  life itself depends on these mysteriously mutual movements.

The Supply Chain is a particular manifestation of the mystery that benefits from specific attention.   Most minds will not immediately apprehend the wholeness of  cyber, critical infrastructure and supply chains.   A purposeful focus can help. But the Implementation Update is explicit regarding the connections and — much more than connections — the interdependence and indivisibility of the Strategic Trinity:

Priority actions include… building resilient critical infrastructures by creating new incentives… to encourage industry stakeholders to build resilience into their supply chains, which then strengthens  the system overall; mapping the interdependencies among the supply chains of the various critical infrastructure sectors (such as energy, cyber, and transportation); and creating common resilience metrics and standards for worldwide use and implementation.

There are, however, heretics.  Personally I tend toward a Unitarian perspective.   Others insist on the primacy of Cyber or of Critical Infrastructure. Some others recognize the relationship of Cyber and Critical Infrastructure but dismiss equal attention being given to Supply Chain. There are also “Pentecostals”, especially among the private sector laity, who celebrate Supply Chain almost to the exclusion of the other aspects of the Trinity.  I might extend the analogy to principles of Judaism, Islam, and other worldviews.  I won’t. (Can I hear a loud Amen?)

If this theological analogy is not to your taste,  then read the three policy documents along side a fourth gospel: Alfred Thayer Mahan’s  The Influence of Seapower Upon History.  Admiral Mahan wrote:

In these three things—production (with the necessity of exchanging products) shipping (whereby the exchange is carried on) and colonies (which facilitate and enlarge the operations of shipping and tend to protect it by multiplying points of safety)—is to be found the key to much of the history, as well as of the policy, of nations…

The functional benefits of colonies have been superseded by the signaling capabilities of multinational corporations, global exchanges and transnational communication, but the Trinitarian structure persists. Mahan called the Sea the “great common” from which and through which “men may pass in all directions, but on which some well-worn paths show that controlling reasons have led them to choose certain lines of travel rather than others.”

Around these lines of travel, civilization is constructed, information is exchanged, and trade is conducted.   A bridge (critical infrastructure) may determine the direction of trade (supply chain), but the information and money exchanged (cyber) in the village beside the bridge may send supply in previously unexpected directions.   Today the bridge may be a digital link, the village an electronic exchange, and the product an elusive formula for the next new wonder drug.  But still the three must work together.  Corruption or collapse of one aspect will unravel the other two.

Our secular trinity is not eternal. There are ongoing sources of corruption.  There are prior examples of collapse.

I was involved in some of the activities and consultations noted in the Implementation Update.   Some personal impressions:  Many government personnel are predisposed to control.  Many in the private sector have a deep desire for clarity.  Each tendency is understandable.  Each tendency is a potentially profound source of dysfunction.   I know this is not exactly a surprise.

But… the desire for clarity can easily become reductionist, even atomist.  Imposing such radical clarification leads to a kind of analytical surrealism.   Some “lean” supply chains are absolutely anorexic.    The desire for control is justified by (sometimes self-generated) complication.  The more complicated the context, the more — it is said — that control is needed.   The more the laity seeks to deny complexity, the more the priests justify the need for their control.   Both tendencies miss the mark. (Sin in Hebrew is chattath, from the root chatta, the Greek equivalent is hamartia. All these words mean to miss the mark.)  The purpose of our secular Trinity is to hit the mark when, where, and with what is wanted.

There is at least one explanation  of the sacred Trinity relevant to our secular version.  John of Damascus characterized the Trinity as a perichoresis — literally a “dance around” — where, as in a Greek folk dance, distinct lines of dancers (e.g. men, women, and children) each display their own steps and flourishes, but are clearly engaging the same rhythm,  maintain their own identity even as each line dissolves into the others… in common becoming The Dance.

Rather than obsessive control or absolute clarity, the Trinity is a shared dance.  We need to learn to dance together.

Just getting private and public to hear the same music would be a good start.

February 8, 2013

Cyber Insecurity: Black Swan or Headline?

Filed under: Cybersecurity — by Ted Lewis on February 8, 2013

The Iron Triangle

President Dwight D. Eisenhower coined the term, “military industrial complex” during his farewell address to Congress on January 17, 1961. The phrase stuck and is now used to describe an ironclad triangle binding together private-sector companies, the military, and government appropriations for the purpose of promoting defense spending. According to Wikipedia, the triangle contains, “…relationships includ[ing] political contributions, political approval for military spending, lobbying to support bureaucracies, and oversight of the industry.”

The military industrial complex grew during the Cold War, but slowed after the fall of the Former Soviet Union. During Eisenhower’s tenure as President, and through most of the 1950s, military spending remained above 10% of GDP; it dropped slightly during the Vietnam War (about 9 percent of US GDP); and then declined even further to about 5 percent through the 1970s. President Ronald Reagan ramped it back up to 6 percent until the fall of the Soviet Union. By 2000, it had settled down to 3% and has inched up slightly to its current level of 5.5 percent – a far cry from its 9-10% level during the “glory days” of the Cold War.

But a new requirement may be emerging to replace tanks, warships, missiles, and airplanes as the next growth area for the complex: cyber insecurity. Cyber insecurity is the term I use to describe real and imagined security gaps in the global information and communication network infrastructure. It is the opposite of cyber security.

Suddenly, vast sums of money are pouring into cyber insecurity because of perceived increases in cyber threats, growing vulnerabilities created by connecting everything to the TCP/IP monoculture (mobile devices and cloud computing), flawed software, and lack of adequate precautions on the part of government agencies, infrastructure companies, and the public.

It seems governments and companies are rushing to the Internet because it improves efficiencies and reduces costs. But this rush also opens up new vulnerabilities. According to eWeek, government spending to combat cyber insecurity was forecast, “to reach $60 billion in 2011 and is forecast to grow 10 percent every year during the next three to five years.”

Financial institutions spent $17 billion on cyber insecurity in 2012. AT&T estimates spending to reach $40 billion annually, and “Frank Kendall, defense undersecretary for acquisition, technology and logistics, says there is still ‘a lot of money’ to be made in the defense business, despite mounting budget pressures… in cyber security.”

President Obama is seeking $500 million for research into cyber security with emphasis on industrial control systems that control water, power, and transportation systems. Gartner Corp, a market research company, claims total spending on cyber insecurity will reach $86 billion by 2016.

On the surface it would seem that cyber insecurity is emerging as the next big opportunity for the military industrial complex. There is money to be made by extending the military industrial complex to embrace the cyber security industrial complex. With billions of dollars pouring into research and development, how can the iron triangle resist?

 

The Check, Please

A 2012 survey of 56 corporate and governmental organizations conducted by the Ponemon Institute found that cyber attacks cost an average of $8.9 million per organization in the US, $5.9 million in Germany, $5.1 million in Japan, $3.2 million in UK, and $3.2 million in Australia. Most attacks were perpetrated by malicious insiders or through network exploits such as denial of service attacks.

Compare this with exploits committed against consumers, such as phishing ($687 million, globally, according to RSA Inc.) and online fraud (1% of retail sales or $3.4 billion, globally). There are many problems with estimates of cyber insecurity costs, so readers should be skeptical of these estimates.

The Ponemon study raises questions regarding methodology: how were these costs calculated? Generally, costs are associated with loss of productivity — business disruption, information loss or theft, revenue loss, equipment damages, and the cost of detection, investigation, containment, recovery and measures to fend off future attacks.

Contrast these numbers with $4.5 billion in car theft annually in the USA, and 275,000 accidental deaths of patients in hospitals, annually. [Barbara Starfield, J. AMERICAN MEDICAL ASSOCIATION (JAMA) Vol 284, No 4, (July 26th 2000) reports that medical errors may be the third leading cause of death in the United States: 225,000 deaths per year from unnecessary surgery; medication and other errors; infections in hospitals.]

So far, nobody has died from a cyber attack.

Cyber crime, loss of intellectual property due to cyber exploits, and damages done to banks, consumers, and retail web sites may be on the rise, but the consequences barely compare with traditional crime. In 1999, David Anderson estimated the total cost of crime in the US to exceed $1 trillion – a number several orders of magnitude greater than the most pessimistic scholarly estimates of cyber crime.

So we face two questions: how were estimates of cyber insecurity derived, and how do they compare with other threat statistics?

 

The Wrong Questions

The superficial numbers cited above suggest that cyber insecurity is a relatively minor problem as compared with more mundane problems such as car accidents, medical accidents, natural disasters, and plain ordinary crime. In addition, cyber insecurity statistics based on surveys are highly unreliable and often misleading.

Julie Ryan and Theresa Jefferson, scientists at George Washington University, conclude in their paper (The Use, Misuse, and Abuse of statistics in Information Security Research), “In the information security arena, there is no reliable data upon which to base decisions. Unfortunately, there is unreliable data that is masquerading as reliable data. The people using that data appear not to question the reliability of the data, but simply quote it with no caveats or constraints. This is of great concern because it may mean that resources are being allocated inappropriately or ineffectively.”

Are these unsubstantiated claims merely a continuation of the 50-year old military industrial complex iron triangle? Claims of an impending “cyber pearl harbor” are very conducive to increasing government spending. After 9/11, perception of an impending black swan event has gone from remotely possible random events to almost inevitable high-impact events without the benefit of solid research.

Instead of hyping a poorly understood potential threat to stimulate government spending, perhaps we should be asking a different question, “what policies and strategies are there to prevent both imagined and real cyber insecurities?”

In other words, cyber security should be about policies instead of headlines.

——————

Ted Lewis is Professor of Computer Science and National Security Affairs at the Naval Postgraduate School. He is the director of the NPS Center for Homeland Defense and Security.  His most recent book is Bak’s Sand Pile: Strategies for a Catastrophic World.

January 31, 2013

Narcissism as a cyber threat

Filed under: Cybersecurity — by Philip J. Palin on January 31, 2013

Given the “pre-decision” by the Department of Defense, today I should probably be writing about cyber threats: the current reality, catastrophic possibilities, strong probabilities, and treacherous implications of both passive and active cyber-defense operations.  But instead please read the Georgia Tech Report on 2013 Cyber Threats.

The cyber domain is a kind of fourth dimension where natural, accidental and intentional threats can easily cascade into our first, second, and third dimensions.  This has happened, will happen, is happening.

Some sort of widespread digital disaster is inevitable.  My bet is an insider accident/bad practice will cause a cascading collapse that cannot be hidden and commands our attention for more than a couple of days. But we are also seeing more hacktivist and adversary intrusions.  A couple of natural catastrophes could sweep up a fair portion of the network.  Anyway, good luck to DoD and others; and be prepared for a massive failure anyway.

–+–

As with so much in homeland security, cyber highlights the interplay of purposeful choice and randomness.  We look for formulas to avoid (or minimize) failure and achieve (or increase the likelihood of) success or, at least, survival.

Our brains are inclined to perceive patterns — especially threat patterns — and our species has obviously benefited from this adaptation. Wash a couple of synapses with the right (wrong) chemicals and the same positive adaptation produces paranoia, not typically a helpful and happy state of being. But then Andy Grove, one of the founders of Intel, entitled a kind of  memoir, Only the Paranoid Survive.

After more than a decade’s experience with homeland security,  we can see how a proto- or pseudo-paranoia slices both ways.  When we are attentive to possible threats we are able to take action to prevent, mitigate, or avoid potential consequences.  But there are also situations where threats are mostly self-created and consequences mostly a matter of self-fulfilling prophecies.  My suspicion of you can prompt defensive actions by you that confirm my suspicions.

Yet evil intention is a reality and unintentional threats abound.  One person’s paranoia can seem another’s prudence.

–+–

Sigmund Freud crafted many still-popular perceptions of paranoia, even as many of his psychological theories have been superseded.  Freud was operating on empirical frontiers and his insights can have implications far beyond psycho-analysis.  He wrote,

… we have drawn the conclusion that there actually exists in the ego an agency which unceasingly observes, criticizes, and compares, and in that way sets itself over against the other part of the ego.  We believe, therefore, that the patient is betraying a truth to us which is not yet sufficiently appreciated when he complains that he is spied upon and observed at every step he takes and that every one of his thoughts is reported  and criticized. His only mistake is in regarding this uncomfortable power as something alien to him and placing it outside himself.  He senses an agency holding sway in his ego which measures his actual ego and each of its activities by an ideal ego (Freud’s emphasis) that he has created for himself in the course of his development. (The Libido Theory and Narcissism, Gesammelte Werke (1916) translated by James Strachey)

Paranoia seeks the guise of prudence as the gap widens between inner and outer reality.  The supposed external threat on which the paranoid fixates is not the precipitating cause.  Self-delusion, confusion, and conflict regarding our own intentions and behaviors is, according to Freud, the principal source of paranoia.

Google is watching me.  So is my credit card company.  So is my wireless provider. Several others.   How might these observers objectively describe me via my digital breadcrumbs? How might this description conform or conflict with my self-description?  Do I want to claim what is seen in my digital mirror?

–+–

Our vulnerability to cyber threats reflects a series of choices made over the last quarter-century and especially in the last ten years.   Were we mindful of these choices?   I mostly adopted technologies and practices that started out low cost (this is not how I would characterize my current data plan) and promised greater speed, convenience and gratification.

I spent a decade advising clients on how they could develop digital products in secure, sustainable and purposeful ways.  Most clients were seeking short-term returns.  There was perpetual impatience with requirements analysis, design processes, and product/process testing.

Among personal accounts successfully hacked in 2012 the same passwords were often overcome.  Using any of these passwords almost certainly increases your vulnerability: “password”, “123456″, and “12345678″.

Our cyber vulnerability has mostly unfolded — and continues to unfold — from our own choices.  We too often choose the cheap, easy, and near-term.   The consequences are usually mixed, positively reinforcing at first and only become destructive over time. Adversaries exist, but we have created many of their opportunities to threaten us.  Our own choices increasingly endanger us.  In response we try to obscure our complicity by blaming those we have enabled, even empowered.

To deal with paranoia Freud prescribed therapeutic attention to narcissism (excessive, non-critical self-regard). Might be worth a shot with cyber.  Anyone got a counter-narcissism app?

October 25, 2012

The Presidential Debates: Substantial agreement on homeland security

The word “homeland” was used once,  the term “homeland security” not at all  in the three presidential debates.  But a close-reading of the transcripts does expose HS-related discussion.

Below are direct excerpts from the debate transcripts.  I have purposefully not identified who said what.  Where the candidates seem to mostly agree, I have only quoted one of them.  Occasionally a candidate asserted a difference that — at least to me — seemed either non-substantive or illusory.  I have not included these assertions.  There are subtle distinctions.  I have chosen excerpts that I hope bring these forward.

To me the distinctions — on these issues —  often run counter to each candidate’s stereotype. President Obama comes off tougher than the other side wants to admit, Governor Romney more reasonable than he is portrayed.  Debate posturing?  Meaningful insight?  My own eccentric tendency to see what is shared more than what divides?

FIRST DEBATE: THE FUNDAMENTALS

The first role of the federal government is to keep the American people safe. That’s its most basic function…

The Constitution and the Declaration of Independence. The role of government is to promote and protect the principles of those documents. First, life and liberty. We have a responsibility to protect the lives and liberties of our people…

SECOND DEBATE: IMMIGRATION, DOMESTIC COUNTER-TERRORISM, AND RESILIENCE

Immigration

First of all, this is a nation of immigrants. We welcome people coming to this country as immigrants… I want our legal system to work better. I want it to be streamlined. I want it to be clearer. I don’t think you have to — shouldn’t have to hire a lawyer to figure out how to get into this country legally. I also think that we should give visas to people — green cards, rather — to  people who graduate with skills that we need. People around the world with accredited degrees in science and math get a green card stapled to their diploma, come to the U.S. of A. We should make sure our legal system works.

Number two, we’re going to have to stop illegal immigration. There are 4 million people who are waiting in line to get here legally. Those who’ve come here illegally take their place… What I will do is I’ll put in place an employment verification system and make sure that employers that hire people who have come here illegally are sanctioned for doing so. I won’t put in place magnets for people coming here illegally. The kids of those that came here illegally, those kids, I think, should have a pathway to become a permanent resident of the United States and military service, for instance, is one way they would have that kind of pathway to become a permanent resident…

If we’re going to go after folks who are here illegally, we should do it smartly and go after folks who are criminals, gang bangers, people who are hurting the community, not after students, not after folks who are here just because they’re trying to figure out how to feed their families. And that’s what we’ve done. And what I’ve also said is for young people who come here, brought here often times by their parents. Had gone to school here, pledged allegiance to the flag. Think of this as their country. Understand themselves as Americans in every way except having papers. And we should make sure that we give them a pathway to citizenship…

Domestic Counterterrorism (or Whole Community or gun control)

So my belief is that, (A), we have to enforce the laws we’ve already got, make sure that we’re keeping guns out of the hands of criminals, those who are mentally ill. We’ve done a much better job in terms of background checks, but we’ve got more to do when it comes to enforcement…

Weapons that were designed for soldiers in war theaters don’t belong on our streets. And so what I’m trying to do is to get a broader conversation about how do we reduce the violence generally… Part of it is also looking at other sources of the violence… And so what can we do to intervene, to make sure that young people have opportunity; that our schools are working; that if there’s violence on the streets, that working with faith groups and law enforcement, we can catch it before it gets out of control…

And so what I want is a — is a comprehensive strategy. Part of it is seeing if we can get automatic weapons that kill folks in amazing numbers out of the hands of criminals and the mentally ill. But part of it is also going deeper and seeing if we can get into these communities and making sure we catch violent impulses before they occur.

Resilience (?)

I believe in self-reliance and individual initiative and risk takers being rewarded.

THIRD DEBATE: COUNTERTERRORISM, CYBER, AND DRONES

International Counterterrorism

But we can’t kill our way out of this mess. We’re going to have to put in place a very comprehensive and robust strategy to help the — the world of Islam and other parts of the world, reject this radical violent extremism, which is — it’s certainly not on the run. It’s certainly not hiding. This is a group that is now involved in 10 or 12 countries, and it presents an enormous threat to our friends, to the world, to America, long term, and we must have a comprehensive strategy to help reject this kind of extremism…

A group of Arab scholars came together, organized by the U.N., to look at how we can help the — the world reject these — these terrorists. And the answer they came up with was this: One, more economic development. We should key our foreign aid, our direct foreign investment, and that of our friends, we should coordinate it to make sure that we — we push back and give them more economic development. Number two, better education. Number three, gender equality. Number four, the rule of law. We have to help these nations create civil societies…

The other thing that we have to do is recognize that we can’t continue to do nation building in these regions. Part of American leadership is making sure that we’re doing nation building here at home. That will help us maintain the kind of American leadership that we need…

We make decisions today… that will confront challenges we can’t imagine. In the 2000 debates, there was no mention of terrorism, for instance. And a year later, 9/11 happened. So, we have to make decisions based upon uncertainty…

Cybersecurity

We need to be thinking about cyber security. We need to be talking about space…

International Counterterrorism (Again)

Pakistan is important to the region, to the world and to us, because Pakistan has 100 nuclear warheads and they’re rushing to build a lot more. They’ll have more than Great Britain sometime in the — in the relatively near future. They also have the Haqqani Network and the Taliban existent within their country. And so a Pakistan that falls apart, becomes a failed state, would be of extraordinary danger to Afghanistan and to us. And so we’re going to have to remain helpful in encouraging Pakistan to move towards a more stable government and rebuild the relationship with us. And that means that our aid that we provide to Pakistan is going to have to be conditioned upon certain benchmarks being met…

Drones

We should use any and all means necessary to take out people who pose a threat to us and our friends around the world.

International Counterterrorism (Again)

There’s no doubt that attitudes about Americans have changed. But there are always going to be elements in these countries that potentially threaten the United States. And we want to shrink those groups and those networks and we can do that.  But we’re always also going to have to maintain vigilance when it comes to terrorist activities. The truth, though, is that Al Qaeda is much weaker than it was…and they don’t have the same capacities to attack the U.S. homeland and our allies as they did four years ago.

I expect partisans of each candidate will complain I have obscured important differences.   In my judgment a narcissism of small differences is epidemic.   I have no interest in abetting the fever.  More interesting to me is — for good or bad — the considerable consensus that is articulated.

October 12, 2012

Panetta: “Cyber terrorist attack could paralyze the nation.”

Filed under: Cybersecurity — by Philip J. Palin on October 12, 2012

Last night in New York the Secretary of Defense told his audience, ““A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”

While noting the role of DHS and the FBI in cyber defense, the SECDEF also emphasized, “We defend. We deter. And if called upon, we take decisive action. In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”

Here’s a link to the DOD news release.  I have not yet found a full transcript.  When I do — or you do — it will be posted here.

UPDATE AT 1049 EASTERN

Here’s the transcript: Defending the Nation from Cyber Attack.

October 9, 2012

Seven recent homeland security stories you might have missed

Filed under: Cybersecurity — by Christopher Bellavita on October 9, 2012

1. An EMP attack could bring this country to a screeching halt by permanently disabling electronic devices, and DHS remains unprepared for the possibility of an electromagnetic pulse (EMP) event or attack, says the Heritage Foundation. William Forstchen wrote a book called One Second After that describes what life could be like after an EMP attack.

2. Two fusion centers in Wisconsin — the Wisconsin Statewide Information Center and the Southeastern Wisconsin Threat Analysis Center created a website called WiWatch “to provide a portal to educate the public and provide a means to report suspicious activity.” The site describes 16 examples of “suspicious behavior” to say something about (either on the phone or on the web) if you see something.
WiWatch notes: “A critical element of the missions of the Wisconsin Fusion Centers is ensuring that the civil rights and civil liberties of persons are not diminished by our security efforts, activities, and programs. Consequently, the “WiWATCH” campaign respects civil rights and liberties by emphasizing behavior, rather than appearance, in identifying suspicious activity.”

3. Karen Remley, the Virginia State Health Commissioner, reminded the state’s clinicians about “the medical school dictum related to differential diagnoses: ‘When you hear hoof beats behind you, don’t expect to see a zebra.’ Sometimes, however, it will be a zebra. If you think it is a zebra, I want you to say something. During the anthrax attacks in 2001, clinicians made the first diagnosis in an emergency department…. An astute clinician who diagnoses a reportable illness and alerts the local health department may be detecting a bioterrorism attack or a disease outbreak and putting in motion actions that will save his or her patient and many others.”

4. For $4,450, you can get a 680 page report about the U.S. Homeland Security & Public Safety Market from 2013 to 2020. Here’s an excerpt from the online summary:
“Annual investments in HLS and Public Safety products and services (excluding: HLD post-warranty revenues) purchased by the U.S. Federal agencies and private sector increased from $48 Billion in 2011 to $51 billion in 2012 and is forecasted to increase to $81 billion by 2020…..The total U.S. HLS, HLD, HLS related Counter-terror & Public Safety Markets (including post-warranty maintenance and upgrades revenues) grow from $74.5 billion in 2012 to $107.3 billion in 2020 at a CAGR [I think that means compound annual growth rate] of 4.7%…. Unlike most other government sectors, the 2013-2020 federal, state and local government funding for HLS & Public Safety will grow over the next eight years at a CAGR of 4-5%. This growth is driven by a solid bipartisan congressional support.” [That's my favorite sentence.]

5. Stephanie Lambert tried to bring peanut butter on a flight last June. TSA confiscated the peanut butter. After filling out the appropriate forms, Lambert received a $3.99 refund check from the U.S. Treasury. For another $22.99 Lambert can by 6 jars of Skippy Peanut Butter on Amazon, and have them mailed to her house.

6. Without comment, The U.S. Supreme Court refused to consider a blogger’s challenge of body scanners and whole body pat-downs at airports. “[The] court declined to take up Jonathan Corbett’s complaint that the Transportation Security Administration’s use of the screening techniques violated passengers’ protection against illegal searches under the Fourth Amendment of the U.S. Constitution.”

7. And the final story you might have missed: October is National Cyber Security Awareness Month.

September 26, 2012

Government and the cyber-domain; or command-and-control encounters complexity

Filed under: Congress and HLS,Cybersecurity,Strategy,Technology for HLS — by Philip J. Palin on September 26, 2012

There is considerable expectation that an Executive Order will soon try to pick up the pieces from a failed effort at cybersecurity legislation.  You can read more at CNET, Wall Street Journal, or The Hill (for three very different angles on reality).

Technical challenges, political problems, and real philosophical differences complicated the legislative process.  I already gave attention to many of these issues in a February post.  Whatever the text of the Executive  Order these complications will persist.

Many of the most vexing problems are not particular to cyber.  Similar issues are encountered in regard to strategy, policy, regulation, innovation, security, resilience, and competition in domains seemingly as diverse as eCommerce, supply chains, and the global financial system.

Sunday there was a brief two-page essay in the New York Times Magazine that focuses on how the Internet was created.  Following are a few key paragraphs.  As you read cut-and-paste your preferred networked-entity over the word Internet.  When I do that,  the author’s explanation still holds.

Like many of the bedrock technologies that have come to define the digital age, the Internet was created by — and continues to be shaped by — decentralized groups of scientists and programmers and hobbyists (and more than a few entrepreneurs) freely sharing the fruits of their intellectual labor with the entire world. Yes, government financing supported much of the early research, and private corporations enhanced and commercialized the platforms. But the institutions responsible for the technology itself were neither governments nor private start-ups. They were much closer to the loose, collaborative organizations of academic research. They were networks of peers.

Peer networks break from the conventions of states and corporations in several crucial respects. They lack the traditional economic incentives of the private sector: almost all of the key technology standards are not owned by any one individual or organization, and a vast majority of contributors to open-source projects do not receive direct compensation for their work. (The Harvard legal scholar Yochai Benkler has called this phenomenon “commons-based peer production.”) And yet because peer networks are decentralized, they don’t suffer from the sclerosis of government bureaucracies. Peer networks are great innovators, not because they’re driven by the promise of commercial reward but rather because their open architecture allows others to build more easily on top of existing ideas, just as Berners-Lee built the Web on top of the Internet, and a host of subsequent contributors improved on Berners-Lee’s vision of the Web…

It’s not enough to say that peer networks are an interesting alternative to states and markets. The state and the market are now fundamentally dependent on peer networks in ways that would have been unthinkable just 20 years ago…

When we talk about change being driven by mass collaboration, it’s often in the form of protest movements: civil rights or marriage equality. That’s a tradition worth celebrating, but it’s only part of the story. The Internet (and all the other achievements of peer networks) is not a story about changing people’s attitudes or widening the range of human tolerance. It’s a story, instead, about a different kind of organization, neither state nor market, that actually builds things, creating new tools that in turn enhance the way states and markets work.

Legislation, regulation, many theories of management and the practice of most managers assume someone is in charge of something.  Someone is accountable for discreet action that leads to reasonably foreseeable consequences.  There are intentional practices to regulate, systematize, and evaluate.   Certainly this is part of reality, but only part and its proportion of the whole seems to be decreasing.  In homeland security I expect most of our reality cannot be accurately described in these traditional “Newtonian” terms.

When I have most seriously failed it has been because I have very reasonably, diligently, and intelligently applied the lessons learned in one corner of reality to another corner of reality without recognizing the two realities are almost totally different.

 

August 10, 2012

Brennan defines “bad guys” (NYPD looks for bad guys)

Wednesday, John Brennan, the Assistant to the President for Homeland Security and Counterterrorism, spoke to the  Council on Foreign Relations.  His remarks focus on US operations in Yemen including the use of drones.  This is the latest in a series of extended statements by Mr. Brennan designed to explain and defend US policy regarding the lethal use of drone technology beyond Afghanistan.

Ritika Singh at LAWFARE has posted the first transcript I could find.

There is a Question and Answer session with Mr. Brennan that is considerably longer than his prepared remarks.  During this element of the program he engaged a range of issues, including Syria and cybersecurity… and bad guys.

While looking for the transcript, I stumbled across a very helpful consideration of the NYPD’s new “Domain Awareness System” at the Council on Foreign Relations website.  (If CFR can headline attention to NYPD technology projects,  I think HLSWatch can clearly address Yemen.)  Please see the CFR briefing by Matthew Waxman.

Next Page »