“I should prefer Mozart. Mostly I listen to 70s hits.”

“I should eat a hot breakfast, but usually have a powerbar instead.”

“I should work-out three or four times a week, maybe I walk around the block twice.”

Should has become moralistic.  It is typically used as a kind of anti-verb, ascribing — often anticipating — non-action.

I have heard a lot of “shoulds” in regard to the explosion of the West, Texas fertilizer storage facility. The April 17 blast killed 14 and injured more than 190 in the town of 2700.

“We should regulate better.”

“We should put buffer zones in place.”

“We should be more realistic about the threat.”

“We should do a better job sharing what we know about the risk.”

“We should focus more on pre-event prevention and mitigation.”

More plural pronouns than singulars it seems.

According to a November 2012 analysis undertaken by the Congressional Research Service, 6,985 chemical facilities self-report they pose a risk to populations greater than 1,000. There are 90 that self-report a worst-case risk affecting up to 1 million people.

The West facility was not included in the CRS analysis.  They did not self-report — or evidently self-conceive — a worst case scenario that would seriously harm anyone.

As regular readers know I have for a few years worked on catastrophe preparedness.

One of the most remarkable — and absolutely predictable — aspects of this gig is the readiness — preference really — by nearly everyone to define catastrophe as something non-catastrophic.  I saw it again last week and this.  It extends across the public-private divide and every level of government.  When a few of us argue otherwise we are being pedantic, unrealistic, and wasting people’s time.

We should give regular time and energy — maybe five percent of overall effort — to truly catastrophic risks: Global pandemic, significant earthquakes and cyclonic events hitting major urban areas, sustained collapse of the electrical grid whatever the cause. Each of these could have far-reaching secondary and tertiary effects.  In some regions I would include wildfire and flooding. If you have a chemical storage or processing facility nearby that is absolutely worth worst-case thinking now not later.

In many cases the most important issues relate to the mitigation of systemic vulnerabilities that are threat-agnostic.  ”Fixing” vulnerabilities can reduce consequences for a whole host of threats, including non-catastrophic threats.

USA Today editorialized, “The Boston Marathon bombings overshadowed the disaster in Texas, but what happened in West was deadlier, and preventing the next fertilizer accident should command serious attention.”

There’s that anti-verb again.

–+–

And how I wish I’d, wish I’d thought a little bit more
Now shoulda, woulda, coulda I means I’m out of time
Shoulda, woulda, coulda can’t change your mind
And I wonder, wonder what I’m going to do
Shoulda, woulda coulda are the last words of a fool

Can’t change your mind
Can’t change your mind

Beverly Knight

The following is the current lead in The Telegraph (London).  For the record, I am online, have been online all day (it’s now 1705 Eastern), and have not noticed a problem. I’ve checked a couple of US-based tech sites and a quick scan shows nothing or only a minor mention.  The New York Times is, however, giving major attention. Perhaps this is — so far — mostly a European phenomenon?

–+–

A Dutch web-hosting company caused disruption and the global slowdown of the internet, according to a not-for-profit anti-spam organization.

The interruptions came after Spamhaus, a spam-fighting group based in Geneva, temporarily added the Dutch firm, CyberBunker, to a blacklist that is used by e-mail providers to weed out spam.

Cyberbunker is housed in a five-story former NATO bunker and famously offers its services to any website “except child porn and anything related to terrorism”. As such it has often been linked to behaviour that anti-spam blacklist compilers have condemned.

Users of Cyberbunker retaliated with a huge ‘denial of service attack’. These work by trying to make a network unavailable to its intended users,overloading a server with coordinated requests to access it. At one point, 300 billion bits per second were being sent by a network of computers, making this the biggest attack ever.

MORE

THURSDAY UPDATE

Two morning after reports:

The San Jose Mercury tells us what happened in brief.

The Christian Science Monitor asks if it was overblown

Information Week tells us about the implications of what (apparently) happened

Sounds like it was much more a Eurasian event this time.

From James Clapper’s Tuesday testimony to the Senate Select Committee on Intelligence:

We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the Internet. In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.

State and nonstate actors increasingly exploit the Internet to achieve strategic objectives, while many governments—shaken by the role the Internet has played in political instability and regime change—seek to increase their control over content in cyberspace. The growing use of cyber capabilities to achieve strategic goals is also outpacing the development of a shared understanding of norms of behavior, increasing the chances for miscalculations and misunderstandings that could lead to unintended escalation.

Compounding these developments are uncertainty and doubt as we face new and unpredictable cyber threats. In response to the trends and events that happen in cyberspace, the choices we and other actors make in coming years will shape cyberspace for decades to come, with potentially profound implications for US economic and national security.

A major hospital system has delayed deploying an extensive (expensive) digital patient record system.   Everyone agrees the new system will produce significant financial and clinical benefits.   But no one has figured out how to ensure an effective non-digital capability persists.   This was not a design specification.

There are multiple digital redundancies.  But what if electric power is lost beyond the capacity of back-up generators? How can patient records and status be accessed and updated if the digital system is dead for days?

This is more than a technical problem.  Many of the efficiencies generated by the ready-to-go system depend on collecting digital signals from various diagnostic tools and displaying integrated clinical outcomes.  Today the sub-systems feeding these displays — and their strengths and weaknesses — are understood by clinical staff.   Today it is not uncommon for an experienced nurse or lab tech to recognize that a specific data source  can be “screwy” and should be rechecked.   The new system will sufficiently obscure data sources  to make this nearly impossible.

One hospital administrator comments, “As long as we have clinical staff who remember how to use pre-digital systems, we can probably recover capabilities.”  But given staff turn-over this sort of human redundancy is expected to disappear within seven years.

My auto mechanic recently said, “When computer diagnostics first came out it was a big help, but I could still do most of my work without it, just not as quick.  Now if the computer is on the fritz I can’t do anything.”  He suggests younger mechanics are just “playing electronic games with your car,” and don’t understand any of the underlying systems. The hospital is trying to avoid this outcome.

I was talking to the manager of a large municipal water system.  ”Actually I feel pretty good about our resilience,” he said. “We’re a collection of several largely separate legacy systems built over the last century-plus: lots of innate redundancy, mostly gravity fed, almost all of it requires a human to turn a valve somewhere.  Not nearly as efficient as the newest systems, but take out one piece and the rest just keeps on flowing.  Bad planning has had some unintentionally good results.”

Meanwhile without digital scanning and communications most retail, wholesale, and shipping would suddenly stop.  This includes food and pharmaceuticals.   When the March 11, 2011 earthquake-and-tsunami hit Northeastern Japan the digital voices of those inside the impact zone went silent.   The voice of hoarders hundreds of miles away became a shout.  The supply chain responded to expressed want, not silent need.

The digital world has become the frame and filter on which many of us depend to engage the real world.  Humans have long depended on frames and filters to simplify what would otherwise be too complex.  Mathematics, religion, law and more are all tool-sets for framing and filtering.

There is often a temptation to mistake form for function. Framing reality has always included the risk of warping reality.  We have experienced the consequences of these risks. (I seem to experience them daily.)

But never before has access to water, food, and other essentials for such large populations been so dependent on the quality and survivability of our frames.

–+–

“Our comforting conviction that the world makes sense rests on a secure foundation: our almost unlimited ability to ignore our ignorance.”

Daniel Kahneman, Thinking, Fast and Slow

–+–

Late Tuesday a third key component in an emerging national strategic architecture was highlighted on the White House website.  The Implementation Update for the National Strategy for Global Supply Chain Security outlines progress made (and if you read carefully between the lines, problems experienced) over the last twelve months since the Strategy itself was released.

This update — and the original National Strategy — should be read along side Presidential Policy Directive: Critical Infrastructure Security and Resilience (February 12, 2013) and the Executive Order: Improving Critical Infrastructure Cybersecurity (February 12, 2013).

Together these documents frame a new Trinitarian order: three distinct strategies of one substance, essence, and nature. Trade depends on production, transport of goods and communication of demand.   We can also say economic vitality depends on these factors.  Often  life itself depends on these mysteriously mutual movements.

The Supply Chain is a particular manifestation of the mystery that benefits from specific attention.   Most minds will not immediately apprehend the wholeness of  cyber, critical infrastructure and supply chains.   A purposeful focus can help. But the Implementation Update is explicit regarding the connections and — much more than connections — the interdependence and indivisibility of the Strategic Trinity:

Priority actions include… building resilient critical infrastructures by creating new incentives… to encourage industry stakeholders to build resilience into their supply chains, which then strengthens  the system overall; mapping the interdependencies among the supply chains of the various critical infrastructure sectors (such as energy, cyber, and transportation); and creating common resilience metrics and standards for worldwide use and implementation.

There are, however, heretics.  Personally I tend toward a Unitarian perspective.   Others insist on the primacy of Cyber or of Critical Infrastructure. Some others recognize the relationship of Cyber and Critical Infrastructure but dismiss equal attention being given to Supply Chain. There are also “Pentecostals”, especially among the private sector laity, who celebrate Supply Chain almost to the exclusion of the other aspects of the Trinity.  I might extend the analogy to principles of Judaism, Islam, and other worldviews.  I won’t. (Can I hear a loud Amen?)

If this theological analogy is not to your taste,  then read the three policy documents along side a fourth gospel: Alfred Thayer Mahan’s  The Influence of Seapower Upon History.  Admiral Mahan wrote:

In these three things—production (with the necessity of exchanging products) shipping (whereby the exchange is carried on) and colonies (which facilitate and enlarge the operations of shipping and tend to protect it by multiplying points of safety)—is to be found the key to much of the history, as well as of the policy, of nations…

The functional benefits of colonies have been superseded by the signaling capabilities of multinational corporations, global exchanges and transnational communication, but the Trinitarian structure persists. Mahan called the Sea the “great common” from which and through which “men may pass in all directions, but on which some well-worn paths show that controlling reasons have led them to choose certain lines of travel rather than others.”

Around these lines of travel, civilization is constructed, information is exchanged, and trade is conducted.   A bridge (critical infrastructure) may determine the direction of trade (supply chain), but the information and money exchanged (cyber) in the village beside the bridge may send supply in previously unexpected directions.   Today the bridge may be a digital link, the village an electronic exchange, and the product an elusive formula for the next new wonder drug.  But still the three must work together.  Corruption or collapse of one aspect will unravel the other two.

Our secular trinity is not eternal. There are ongoing sources of corruption.  There are prior examples of collapse.

I was involved in some of the activities and consultations noted in the Implementation Update.   Some personal impressions:  Many government personnel are predisposed to control.  Many in the private sector have a deep desire for clarity.  Each tendency is understandable.  Each tendency is a potentially profound source of dysfunction.   I know this is not exactly a surprise.

But… the desire for clarity can easily become reductionist, even atomist.  Imposing such radical clarification leads to a kind of analytical surrealism.   Some “lean” supply chains are absolutely anorexic.    The desire for control is justified by (sometimes self-generated) complication.  The more complicated the context, the more — it is said — that control is needed.   The more the laity seeks to deny complexity, the more the priests justify the need for their control.   Both tendencies miss the mark. (Sin in Hebrew is chattath, from the root chatta, the Greek equivalent is hamartia. All these words mean to miss the mark.)  The purpose of our secular Trinity is to hit the mark when, where, and with what is wanted.

There is at least one explanation  of the sacred Trinity relevant to our secular version.  John of Damascus characterized the Trinity as a perichoresis — literally a “dance around” — where, as in a Greek folk dance, distinct lines of dancers (e.g. men, women, and children) each display their own steps and flourishes, but are clearly engaging the same rhythm,  maintain their own identity even as each line dissolves into the others… in common becoming The Dance.

Rather than obsessive control or absolute clarity, the Trinity is a shared dance.  We need to learn to dance together.

Just getting private and public to hear the same music would be a good start.

The Iron Triangle

President Dwight D. Eisenhower coined the term, “military industrial complex” during his farewell address to Congress on January 17, 1961. The phrase stuck and is now used to describe an ironclad triangle binding together private-sector companies, the military, and government appropriations for the purpose of promoting defense spending. According to Wikipedia, the triangle contains, “…relationships includ[ing] political contributions, political approval for military spending, lobbying to support bureaucracies, and oversight of the industry.”

The military industrial complex grew during the Cold War, but slowed after the fall of the Former Soviet Union. During Eisenhower’s tenure as President, and through most of the 1950s, military spending remained above 10% of GDP; it dropped slightly during the Vietnam War (about 9 percent of US GDP); and then declined even further to about 5 percent through the 1970s. President Ronald Reagan ramped it back up to 6 percent until the fall of the Soviet Union. By 2000, it had settled down to 3% and has inched up slightly to its current level of 5.5 percent – a far cry from its 9-10% level during the “glory days” of the Cold War.

But a new requirement may be emerging to replace tanks, warships, missiles, and airplanes as the next growth area for the complex: cyber insecurity. Cyber insecurity is the term I use to describe real and imagined security gaps in the global information and communication network infrastructure. It is the opposite of cyber security.

Suddenly, vast sums of money are pouring into cyber insecurity because of perceived increases in cyber threats, growing vulnerabilities created by connecting everything to the TCP/IP monoculture (mobile devices and cloud computing), flawed software, and lack of adequate precautions on the part of government agencies, infrastructure companies, and the public.

It seems governments and companies are rushing to the Internet because it improves efficiencies and reduces costs. But this rush also opens up new vulnerabilities. According to eWeek, government spending to combat cyber insecurity was forecast, “to reach $60 billion in 2011 and is forecast to grow 10 percent every year during the next three to five years.”

Financial institutions spent $17 billion on cyber insecurity in 2012. AT&T estimates spending to reach $40 billion annually, and “Frank Kendall, defense undersecretary for acquisition, technology and logistics, says there is still ‘a lot of money’ to be made in the defense business, despite mounting budget pressures… in cyber security.”

President Obama is seeking $500 million for research into cyber security with emphasis on industrial control systems that control water, power, and transportation systems. Gartner Corp, a market research company, claims total spending on cyber insecurity will reach $86 billion by 2016.

On the surface it would seem that cyber insecurity is emerging as the next big opportunity for the military industrial complex. There is money to be made by extending the military industrial complex to embrace the cyber security industrial complex. With billions of dollars pouring into research and development, how can the iron triangle resist?

The Check, Please

A 2012 survey of 56 corporate and governmental organizations conducted by the Ponemon Institute found that cyber attacks cost an average of $8.9 million per organization in the US, $5.9 million in Germany, $5.1 million in Japan, $3.2 million in UK, and $3.2 million in Australia. Most attacks were perpetrated by malicious insiders or through network exploits such as denial of service attacks.

Compare this with exploits committed against consumers, such as phishing ($687 million, globally, according to RSA Inc.) and online fraud (1% of retail sales or $3.4 billion, globally). There are many problems with estimates of cyber insecurity costs, so readers should be skeptical of these estimates.

Given the “pre-decision” by the Department of Defense, today I should probably be writing about cyber threats: the current reality, catastrophic possibilities, strong probabilities, and treacherous implications of both passive and active cyber-defense operations.  But instead please read the Georgia Tech Report on 2013 Cyber Threats.

The cyber domain is a kind of fourth dimension where natural, accidental and intentional threats can easily cascade into our first, second, and third dimensions.  This has happened, will happen, is happening.

Some sort of widespread digital disaster is inevitable.  My bet is an insider accident/bad practice will cause a cascading collapse that cannot be hidden and commands our attention for more than a couple of days. But we are also seeing more hacktivist and adversary intrusions.  A couple of natural catastrophes could sweep up a fair portion of the network.  Anyway, good luck to DoD and others; and be prepared for a massive failure anyway.

–+–

As with so much in homeland security, cyber highlights the interplay of purposeful choice and randomness.  We look for formulas to avoid (or minimize) failure and achieve (or increase the likelihood of) success or, at least, survival.

Our brains are inclined to perceive patterns — especially threat patterns — and our species has obviously benefited from this adaptation. Wash a couple of synapses with the right (wrong) chemicals and the same positive adaptation produces paranoia, not typically a helpful and happy state of being. But then Andy Grove, one of the founders of Intel, entitled a kind of  memoir, Only the Paranoid Survive.

After more than a decade’s experience with homeland security,  we can see how a proto- or pseudo-paranoia slices both ways.  When we are attentive to possible threats we are able to take action to prevent, mitigate, or avoid potential consequences.  But there are also situations where threats are mostly self-created and consequences mostly a matter of self-fulfilling prophecies.  My suspicion of you can prompt defensive actions by you that confirm my suspicions.

Yet evil intention is a reality and unintentional threats abound.  One person’s paranoia can seem another’s prudence.

–+–

Sigmund Freud crafted many still-popular perceptions of paranoia, even as many of his psychological theories have been superseded.  Freud was operating on empirical frontiers and his insights can have implications far beyond psycho-analysis.  He wrote,

… we have drawn the conclusion that there actually exists in the ego an agency which unceasingly observes, criticizes, and compares, and in that way sets itself over against the other part of the ego.  We believe, therefore, that the patient is betraying a truth to us which is not yet sufficiently appreciated when he complains that he is spied upon and observed at every step he takes and that every one of his thoughts is reported  and criticized. His only mistake is in regarding this uncomfortable power as something alien to him and placing it outside himself.  He senses an agency holding sway in his ego which measures his actual ego and each of its activities by an ideal ego (Freud’s emphasis) that he has created for himself in the course of his development. (The Libido Theory and Narcissism, Gesammelte Werke (1916) translated by James Strachey)

Paranoia seeks the guise of prudence as the gap widens between inner and outer reality.  The supposed external threat on which the paranoid fixates is not the precipitating cause.  Self-delusion, confusion, and conflict regarding our own intentions and behaviors is, according to Freud, the principal source of paranoia.

Google is watching me.  So is my credit card company.  So is my wireless provider. Several others.   How might these observers objectively describe me via my digital breadcrumbs? How might this description conform or conflict with my self-description?  Do I want to claim what is seen in my digital mirror?

–+–

Our vulnerability to cyber threats reflects a series of choices made over the last quarter-century and especially in the last ten years.   Were we mindful of these choices?   I mostly adopted technologies and practices that started out low cost (this is not how I would characterize my current data plan) and promised greater speed, convenience and gratification.

I spent a decade advising clients on how they could develop digital products in secure, sustainable and purposeful ways.  Most clients were seeking short-term returns.  There was perpetual impatience with requirements analysis, design processes, and product/process testing.

Among personal accounts successfully hacked in 2012 the same passwords were often overcome.  Using any of these passwords almost certainly increases your vulnerability: “password”, “123456″, and “12345678″.

Our cyber vulnerability has mostly unfolded — and continues to unfold — from our own choices.  We too often choose the cheap, easy, and near-term.   The consequences are usually mixed, positively reinforcing at first and only become destructive over time. Adversaries exist, but we have created many of their opportunities to threaten us.  Our own choices increasingly endanger us.  In response we try to obscure our complicity by blaming those we have enabled, even empowered.

To deal with paranoia Freud prescribed therapeutic attention to narcissism (excessive, non-critical self-regard). Might be worth a shot with cyber.  Anyone got a counter-narcissism app?

The word “homeland” was used once,  the term “homeland security” not at all  in the three presidential debates.  But a close-reading of the transcripts does expose HS-related discussion.

Below are direct excerpts from the debate transcripts.  I have purposefully not identified who said what.  Where the candidates seem to mostly agree, I have only quoted one of them.  Occasionally a candidate asserted a difference that — at least to me — seemed either non-substantive or illusory.  I have not included these assertions.  There are subtle distinctions.  I have chosen excerpts that I hope bring these forward.

To me the distinctions — on these issues —  often run counter to each candidate’s stereotype. President Obama comes off tougher than the other side wants to admit, Governor Romney more reasonable than he is portrayed.  Debate posturing?  Meaningful insight?  My own eccentric tendency to see what is shared more than what divides?

FIRST DEBATE: THE FUNDAMENTALS

The first role of the federal government is to keep the American people safe. That’s its most basic function…

The Constitution and the Declaration of Independence. The role of government is to promote and protect the principles of those documents. First, life and liberty. We have a responsibility to protect the lives and liberties of our people…

SECOND DEBATE: IMMIGRATION, DOMESTIC COUNTER-TERRORISM, AND RESILIENCE

Immigration

First of all, this is a nation of immigrants. We welcome people coming to this country as immigrants… I want our legal system to work better. I want it to be streamlined. I want it to be clearer. I don’t think you have to — shouldn’t have to hire a lawyer to figure out how to get into this country legally. I also think that we should give visas to people — green cards, rather — to  people who graduate with skills that we need. People around the world with accredited degrees in science and math get a green card stapled to their diploma, come to the U.S. of A. We should make sure our legal system works.

Number two, we’re going to have to stop illegal immigration. There are 4 million people who are waiting in line to get here legally. Those who’ve come here illegally take their place… What I will do is I’ll put in place an employment verification system and make sure that employers that hire people who have come here illegally are sanctioned for doing so. I won’t put in place magnets for people coming here illegally. The kids of those that came here illegally, those kids, I think, should have a pathway to become a permanent resident of the United States and military service, for instance, is one way they would have that kind of pathway to become a permanent resident…

If we’re going to go after folks who are here illegally, we should do it smartly and go after folks who are criminals, gang bangers, people who are hurting the community, not after students, not after folks who are here just because they’re trying to figure out how to feed their families. And that’s what we’ve done. And what I’ve also said is for young people who come here, brought here often times by their parents. Had gone to school here, pledged allegiance to the flag. Think of this as their country. Understand themselves as Americans in every way except having papers. And we should make sure that we give them a pathway to citizenship…

Domestic Counterterrorism (or Whole Community or gun control)

So my belief is that, (A), we have to enforce the laws we’ve already got, make sure that we’re keeping guns out of the hands of criminals, those who are mentally ill. We’ve done a much better job in terms of background checks, but we’ve got more to do when it comes to enforcement…

Weapons that were designed for soldiers in war theaters don’t belong on our streets. And so what I’m trying to do is to get a broader conversation about how do we reduce the violence generally… Part of it is also looking at other sources of the violence… And so what can we do to intervene, to make sure that young people have opportunity; that our schools are working; that if there’s violence on the streets, that working with faith groups and law enforcement, we can catch it before it gets out of control…

And so what I want is a — is a comprehensive strategy. Part of it is seeing if we can get automatic weapons that kill folks in amazing numbers out of the hands of criminals and the mentally ill. But part of it is also going deeper and seeing if we can get into these communities and making sure we catch violent impulses before they occur.

Resilience (?)

I believe in self-reliance and individual initiative and risk takers being rewarded.

THIRD DEBATE: COUNTERTERRORISM, CYBER, AND DRONES

International Counterterrorism

But we can’t kill our way out of this mess. We’re going to have to put in place a very comprehensive and robust strategy to help the — the world of Islam and other parts of the world, reject this radical violent extremism, which is — it’s certainly not on the run. It’s certainly not hiding. This is a group that is now involved in 10 or 12 countries, and it presents an enormous threat to our friends, to the world, to America, long term, and we must have a comprehensive strategy to help reject this kind of extremism…

A group of Arab scholars came together, organized by the U.N., to look at how we can help the — the world reject these — these terrorists. And the answer they came up with was this: One, more economic development. We should key our foreign aid, our direct foreign investment, and that of our friends, we should coordinate it to make sure that we — we push back and give them more economic development. Number two, better education. Number three, gender equality. Number four, the rule of law. We have to help these nations create civil societies…

The other thing that we have to do is recognize that we can’t continue to do nation building in these regions. Part of American leadership is making sure that we’re doing nation building here at home. That will help us maintain the kind of American leadership that we need…

We make decisions today… that will confront challenges we can’t imagine. In the 2000 debates, there was no mention of terrorism, for instance. And a year later, 9/11 happened. So, we have to make decisions based upon uncertainty…

Cybersecurity

We need to be thinking about cyber security. We need to be talking about space…

International Counterterrorism (Again)

Pakistan is important to the region, to the world and to us, because Pakistan has 100 nuclear warheads and they’re rushing to build a lot more. They’ll have more than Great Britain sometime in the — in the relatively near future. They also have the Haqqani Network and the Taliban existent within their country. And so a Pakistan that falls apart, becomes a failed state, would be of extraordinary danger to Afghanistan and to us. And so we’re going to have to remain helpful in encouraging Pakistan to move towards a more stable government and rebuild the relationship with us. And that means that our aid that we provide to Pakistan is going to have to be conditioned upon certain benchmarks being met…

Drones

We should use any and all means necessary to take out people who pose a threat to us and our friends around the world.

International Counterterrorism (Again)

There’s no doubt that attitudes about Americans have changed. But there are always going to be elements in these countries that potentially threaten the United States. And we want to shrink those groups and those networks and we can do that.  But we’re always also going to have to maintain vigilance when it comes to terrorist activities. The truth, though, is that Al Qaeda is much weaker than it was…and they don’t have the same capacities to attack the U.S. homeland and our allies as they did four years ago.

I expect partisans of each candidate will complain I have obscured important differences.   In my judgment a narcissism of small differences is epidemic.   I have no interest in abetting the fever.  More interesting to me is — for good or bad — the considerable consensus that is articulated.

Last night in New York the Secretary of Defense told his audience, ““A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”

While noting the role of DHS and the FBI in cyber defense, the SECDEF also emphasized, “We defend. We deter. And if called upon, we take decisive action. In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”

Here’s a link to the DOD news release.  I have not yet found a full transcript.  When I do — or you do — it will be posted here.

UPDATE AT 1049 EASTERN

Here’s the transcript: Defending the Nation from Cyber Attack.

1. An EMP attack could bring this country to a screeching halt by permanently disabling electronic devices, and DHS remains unprepared for the possibility of an electromagnetic pulse (EMP) event or attack, says the Heritage Foundation. William Forstchen wrote a book called One Second After that describes what life could be like after an EMP attack.

2. Two fusion centers in Wisconsin — the Wisconsin Statewide Information Center and the Southeastern Wisconsin Threat Analysis Center created a website called WiWatch “to provide a portal to educate the public and provide a means to report suspicious activity.” The site describes 16 examples of “suspicious behavior” to say something about (either on the phone or on the web) if you see something.
WiWatch notes: “A critical element of the missions of the Wisconsin Fusion Centers is ensuring that the civil rights and civil liberties of persons are not diminished by our security efforts, activities, and programs. Consequently, the “WiWATCH” campaign respects civil rights and liberties by emphasizing behavior, rather than appearance, in identifying suspicious activity.”

3. Karen Remley, the Virginia State Health Commissioner, reminded the state’s clinicians about “the medical school dictum related to differential diagnoses: ‘When you hear hoof beats behind you, don’t expect to see a zebra.’ Sometimes, however, it will be a zebra. If you think it is a zebra, I want you to say something. During the anthrax attacks in 2001, clinicians made the first diagnosis in an emergency department…. An astute clinician who diagnoses a reportable illness and alerts the local health department may be detecting a bioterrorism attack or a disease outbreak and putting in motion actions that will save his or her patient and many others.”

4. For $4,450, you can get a 680 page report about the U.S. Homeland Security & Public Safety Market from 2013 to 2020. Here’s an excerpt from the online summary:
“Annual investments in HLS and Public Safety products and services (excluding: HLD post-warranty revenues) purchased by the U.S. Federal agencies and private sector increased from $48 Billion in 2011 to $51 billion in 2012 and is forecasted to increase to $81 billion by 2020…..The total U.S. HLS, HLD, HLS related Counter-terror & Public Safety Markets (including post-warranty maintenance and upgrades revenues) grow from $74.5 billion in 2012 to $107.3 billion in 2020 at a CAGR [I think that means compound annual growth rate] of 4.7%…. Unlike most other government sectors, the 2013-2020 federal, state and local government funding for HLS & Public Safety will grow over the next eight years at a CAGR of 4-5%. This growth is driven by a solid bipartisan congressional support.” [That's my favorite sentence.]

5. Stephanie Lambert tried to bring peanut butter on a flight last June. TSA confiscated the peanut butter. After filling out the appropriate forms, Lambert received a $3.99 refund check from the U.S. Treasury. For another $22.99 Lambert can by 6 jars of Skippy Peanut Butter on Amazon, and have them mailed to her house.

6. Without comment, The U.S. Supreme Court refused to consider a blogger’s challenge of body scanners and whole body pat-downs at airports. “[The] court declined to take up Jonathan Corbett’s complaint that the Transportation Security Administration’s use of the screening techniques violated passengers’ protection against illegal searches under the Fourth Amendment of the U.S. Constitution.”

7. And the final story you might have missed: October is National Cyber Security Awareness Month.

There is considerable expectation that an Executive Order will soon try to pick up the pieces from a failed effort at cybersecurity legislation.  You can read more at CNET, Wall Street Journal, or The Hill (for three very different angles on reality).

Technical challenges, political problems, and real philosophical differences complicated the legislative process.  I already gave attention to many of these issues in a February post.  Whatever the text of the Executive  Order these complications will persist.

Many of the most vexing problems are not particular to cyber.  Similar issues are encountered in regard to strategy, policy, regulation, innovation, security, resilience, and competition in domains seemingly as diverse as eCommerce, supply chains, and the global financial system.

Sunday there was a brief two-page essay in the New York Times Magazine that focuses on how the Internet was created.  Following are a few key paragraphs.  As you read cut-and-paste your preferred networked-entity over the word Internet.  When I do that,  the author’s explanation still holds.

Like many of the bedrock technologies that have come to define the digital age, the Internet was created by — and continues to be shaped by — decentralized groups of scientists and programmers and hobbyists (and more than a few entrepreneurs) freely sharing the fruits of their intellectual labor with the entire world. Yes, government financing supported much of the early research, and private corporations enhanced and commercialized the platforms. But the institutions responsible for the technology itself were neither governments nor private start-ups. They were much closer to the loose, collaborative organizations of academic research. They were networks of peers.

Peer networks break from the conventions of states and corporations in several crucial respects. They lack the traditional economic incentives of the private sector: almost all of the key technology standards are not owned by any one individual or organization, and a vast majority of contributors to open-source projects do not receive direct compensation for their work. (The Harvard legal scholar Yochai Benkler has called this phenomenon “commons-based peer production.”) And yet because peer networks are decentralized, they don’t suffer from the sclerosis of government bureaucracies. Peer networks are great innovators, not because they’re driven by the promise of commercial reward but rather because their open architecture allows others to build more easily on top of existing ideas, just as Berners-Lee built the Web on top of the Internet, and a host of subsequent contributors improved on Berners-Lee’s vision of the Web…

It’s not enough to say that peer networks are an interesting alternative to states and markets. The state and the market are now fundamentally dependent on peer networks in ways that would have been unthinkable just 20 years ago…

When we talk about change being driven by mass collaboration, it’s often in the form of protest movements: civil rights or marriage equality. That’s a tradition worth celebrating, but it’s only part of the story. The Internet (and all the other achievements of peer networks) is not a story about changing people’s attitudes or widening the range of human tolerance. It’s a story, instead, about a different kind of organization, neither state nor market, that actually builds things, creating new tools that in turn enhance the way states and markets work.

Legislation, regulation, many theories of management and the practice of most managers assume someone is in charge of something.  Someone is accountable for discreet action that leads to reasonably foreseeable consequences.  There are intentional practices to regulate, systematize, and evaluate.   Certainly this is part of reality, but only part and its proportion of the whole seems to be decreasing.  In homeland security I expect most of our reality cannot be accurately described in these traditional “Newtonian” terms.

When I have most seriously failed it has been because I have very reasonably, diligently, and intelligently applied the lessons learned in one corner of reality to another corner of reality without recognizing the two realities are almost totally different.

Wednesday, John Brennan, the Assistant to the President for Homeland Security and Counterterrorism, spoke to the  Council on Foreign Relations.  His remarks focus on US operations in Yemen including the use of drones.  This is the latest in a series of extended statements by Mr. Brennan designed to explain and defend US policy regarding the lethal use of drone technology beyond Afghanistan.

Ritika Singh at LAWFARE has posted the first transcript I could find.

There is a Question and Answer session with Mr. Brennan that is considerably longer than his prepared remarks.  During this element of the program he engaged a range of issues, including Syria and cybersecurity… and bad guys.

While looking for the transcript, I stumbled across a very helpful consideration of the NYPD’s new “Domain Awareness System” at the Council on Foreign Relations website.  (If CFR can headline attention to NYPD technology projects,  I think HLSWatch can clearly address Yemen.)  Please see the CFR briefing by Matthew Waxman.

The issue certainly deserves sustained and serious attention.   It is not, however, where I spend most of my time.  So… without further comment and just to be sure you did not miss: two recent pieces from the New York Times editorial page. To read the commentary in full please click on the link.

Cybersecurity at Risk

Published: July 31, 2012

Here’s something worth reading.  I am only displaying the first three paragraphs of a fairly indepth piece of reporting.

By Mark Clayton writing in the Christian Science Montior.

A major cyber attack is currently underway aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.

At least three confidential “amber” alerts – the second most sensitive next to “red” – were issued by DHS beginning March 29, all warning of a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago – and may also affect Canadian natural gas pipeline companies – is continuing.

That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.

MORE AT THE CHRISTIAN SCIENCE MONITOR

During the House of Representatives so-called Cyber Week there was disagreement regarding the nature of the cyber threat.  Following is a recent Richard Clark quote differentiating an acute threat from a chronic threat:

People keep asking, well, do we have to have a cyber Pearl Harbor in order for people to do the right thing? Implicit in that question is sort of a hope that that will happen and then maybe we’ll fix everything. I don’t know that there ever will be a cyber Pearl Harbor. What I do know is that we’re suffering the death of a thousand cuts in the little Pearl Harbors that are happening every day, where cyberespionage and cybercrime are having a huge cumulative and negative effect. The theft of research and development information, the theft of intellectual property, the theft even of transactional data is giving huge economic advantage to our competitive opponents in other countries. If we all sit around waiting for the apocalypse to do something appropriate on cybersecurity, it may never happen and we may never solve the problem.

In the New York Time’s Friday piece on the National Preparedness Report, the reporter emphasized cyber vulnerabilities (not where my first read took me):

… it was the report’s findings about cybersecurity that appeared to be the most troubling, and they continued a drumbeat from the Obama administration about the need for Congress to pass legislation giving the Department of Homeland Security the authority to regulate computer security for the country’s infrastructure.

The report said that cybersecurity “was the single core capability where states had made the least amount of overall progress” and that only 42 percent of state and local officials believed that theirs was adequate.

I hope HLSWatch readers will take the time to read the NPR.  I would welcome your comments, concerns, or more here.   How should we read it?  What are the major take-aways?  What are the major questions raised?  What should we do with it? What can we do with it?  If there is a delta between should and can, what does that tell us?

From Jason and the Argonauts (1963)

Late Thursday afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval seems unlikely.  The White House has raised the prospect of a veto.

Cybersecurity is a compound derived from cybernetics, a term coined in 1948.  Cybernetics is the study of biological and cultural systems of control adapted to mechanical or electronic devices.  Norbert Wiener based his neologism on the classical Greek kybernetike meaning helmsman, navigator, pilot and in some contexts: governor.  (Some will recall that Mao was called the “Great Helmsman”.)

As a matter of etymology, cybersecurity means “steering-to-be-carefree” or less literally, “navigating for open water.”

This week several members of the House, operating on a bipartisan basis, attempted to advance substantive cybersecurity legislation even in the shadow of a quadrennial election marked by especially sharp partisanship.  The proposals encountered bipartisan opposition.

It is worth acknowledging good faith on each side.  This was an example of our legislators attempting to navigate the ship-of-state through treacherous waters.  We can disagree with individual choices.  I don’t see cause to question individual intentions.

Nonetheless, such questions were deployed, accusations traded, and nefarious purposes perceived.  No great surprise in regard to cybersecurity or anything else.

Each side is attempting to steer between what many perceive as two great rocks: one threatening to turn our own government into a privacy-devouring monster while the other is already undermining our economic and military strength.  Which rock is more dangerous?  Toward which is the current pushing us?  Is there a safe way between? (To see the solution found by Jason and the Argonauts, check out this YouTube.)

–+–

Until the mid-19th Century students were usually introduced to Plato with First Alcibiades.  In this dialogue Socrates engages in his well-known method of inquiry with a promising young politician. The narrative explores the tension between decisions made for effect and decisions that are effective.

Below is a Reader’s Digest version of First Alcibiades.  For me it has implications for the current cybersecurity legislation, homeland security policy/strategy, and probably much more.

Socrates: Do you not see, then, that mistakes in life and practice are likewise to be attributed to the ignorance which has conceit of knowledge?
Alcibiades: Once more, what do you mean?
Socrates: I suppose that we begin to act when we think that we know what we are doing?
Alcibiades: Yes.
Socrates: But when people think that they do not know, they entrust their business to others?
Alcibiades: Yes.
Socrates: And so there is a class of ignorant persons who do not make mistakes in life, because they trust others about things of which they are ignorant?
Alcibiades: True.
Socrates: Who, then, are the persons who make mistakes? They cannot, of course, be those who know?
Alcibiades: Certainly not.
Socrates: But if neither those who know, nor those who know that they do not know, make mistakes, there remain those only who do not know and think that they know. (Bold highlight not in the original.)
Alcibiades: Yes, only those.
Socrates: Then this is ignorance of the disgraceful sort which is mischievous?
Alcibiades: Yes.
Socrates: And most mischievous and most disgraceful when having to do with the greatest matters?
Alcibiades: By far.
Socrates: And can there be any matters greater than the just, the honourable, the good, and the expedient?

Are our legislators asking authentic questions of those opposed to their proposals?  Are they listening carefully to the answers? Are we?  Do our answers acknowledge the reasonable and substantive concern of those asking questions?  Alcibiades was not so inclined.  He tended to see his political rivals as his enemy.  Socrates argued otherwise.

Socrates: And suppose that you were going to steer a ship into action, would you only aim at being the best pilot on board? Would you not, while acknowledging that you must possess this degree of excellence, rather look to your antagonists, and not, as you are now doing, to your fellow combatants?

What do we really know about our cyber-antagonists: criminals, vandals, terrorists, and more?  Technically, tactically, strategically what are the capabilities and objectives of our adversaries?  What is our claim?  What is our case?  Does the evidence persuade? Do we sometimes — inappropriately, even self-destructively — see those who question our claims as adversaries rather than allies in a common cause?

Socrates: What art makes men know how to rule over their fellow-sailors,— how would you answer?
Alcibiades: The art of the pilot. (Palin: aretes kybernetike)…
Socrates: And what do you call the art of fellow-citizens?
Alcibiades: I should say, good counsel, Socrates.
Socrates: And is the art of the pilot evil counsel?
Alcibiades: No.
Socrates: But good counsel?
Alcibiades: Yes, that is what I should say,— good counsel, of which the aim is the preservation of the voyagers.
Socrates: True. And what is the aim of that other good counsel of which you speak?
Alcibiades: The aim is the better order and preservation of the city.

How do we take good counsel together? Is there any way other than asking questions, listening carefully — even sympathetically — to uncomfortable answers, and then asking uncomfortable questions before listening again?  Is this what we saw in the House this week?  Is this what you experienced in your home, neighborhood, workplace and city this week?

Socrates: O my friend, be persuaded by me, and hear the Delphian inscription, ‘Know thyself’— not the men whom you think, but these kings are our rivals, and we can only overcome them by pains and skill…
Alcibiades: I entirely believe you; but what are the sort of pains which are required, Socrates,— can you tell me?

If  Socrates’ claim — Know Thyself — seems off-topic, irrelevant to cybersecurity, and impractical for present purposes, please explain why.  Socrates, or probably Plato, makes this case:

Socrates: Consider; if some one were to say to the eye, ‘See thyself,’ as you might say to a man, ‘Know thyself,’ what is the nature and meaning of this precept? Would not his meaning be:— That the eye should look at that in which it would see itself?
Alcibiades: Clearly.
Socrates: And what are the objects in looking at which we see ourselves?
Alcibiades: Clearly, Socrates, in looking at mirrors and the like.
Socrates: Very true; and is there not something of the nature of a mirror in our own eyes?
Alcibiades: Certainly.
Socrates: Did you ever observe that the face of the person looking into the eye of another is reflected as in a mirror; and in the visual organ which is over against him, and which is called the pupil, there is a sort of image of the person looking?
Alcibiades: That is quite true.
Socrates: Then the eye, looking at another eye, and at that in the eye which is most perfect, and which is the instrument of vision, will there see itself?
Alcibiades: That is evident.
Socrates: But looking at anything else either in man or in the world, and not to what resembles this, it will not see itself?
Alcibiades: Very true.
Socrates: Then if the eye is to see itself, it must look at the eye, and at that part of the eye where sight which is the virtue of the eye resides?
Alcibiades: True.
Socrates: And if the soul, my dear Alcibiades, is ever to know herself, must she not look at the soul; and especially at that part of the soul in which her virtue resides, and to any other which is like this?
Alcibiades: I agree, Socrates.
Socrates: And do we know of any part of our souls more divine than that which has to do with wisdom and knowledge?
Alcibiades: There is none.
Socrates: Then this is that part of the soul which resembles the divine; and he who looks at this and at the whole class of things divine, will be most likely to know himself?
Alcibiades: Clearly.
Socrates: And self-knowledge we agree to be wisdom?
Alcibiades: True.

Let’s look each other in the eye, ask, answer, and listen carefully.  We depend on this dialogue — especially with those who disagree with us — to open the way to any sort of wisdom.

By the way: despite Socrates best effort, Alcibiades became a successful politician and a catastrophic helmsman. Athens suffered horribly from his persistent lack of self-knowledge. This did not dissuade Socrates from encouraging self-knowledge among others.  But this was not always well-received.  See the Apology.

One side compromised with the other, alleged deals were done, criticisms were leveled, a possible veto was signaled (threatened would be too strong in this case),  alleged deals unraveled, unprincipled behavior was alleged.  Further compromise was probably undermined. See Declan McCollough’s report  at CNET.

Yesterday was a typical afternoon on Capitol Hill.   A very similar summary might be written of your local City Hall, union hall, church board, or any place that decision making takes place.  Something like this has happened since we first gathered around pre-historic fire pits.

Unlike many of our challenges, differences of judgment on cybersecurity cross partisan and ideological divides.  This is a good thing suggesting the potential for actual thinking and creativity has not — yet — been extinguished.

There is also a widely shared judgment that something needs to be done.

Four Senators blogging at The Hill criticize the House legislation as insufficient, but also argue, “The system is already blinking red in warning. FBI Director Robert Mueller has predicted that, in the near future, cyberattacks will surpass terrorism as the country’s greatest threat, while Chertoff, who served in the George W. Bush administration, said cyber threats are “one of the most seriously disruptive challenges to our national security since the onset of the nuclear age.”

In a Statement of Administration Policy, unidentified authors at the Office of Management and Budget write:

The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation’s vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.

In an opinion piece Congressman Mac Thornberry writes, “We cannot let the quest for the perfect, overarching bill prevent us from achieving the good, a-step-in-the-right-direction bill. In cybersecurity, we cannot afford to wait any longer to get it done perfectly. We need to act now.”

For most of those engaged in this legislative process the question is not if, but how.   Would be remarkable if the contestants might recognize how much they agree.  I wonder what sort of legislation might emerge from such an epiphany?

The four pieces of cybersecurity legislation should be considered by the Committee of the Whole later today.  I will be offline, but will join you in watching and listening for what the process might say about cybersecurity and more.

LATE THURSDAY UPDATE: Late this afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval is unlikely.  The White House has raised the prospect of a veto.

Today and tomorrow will be big days for the cybersecruity package being moved through the House.  A Friday vote (or votes) is promised. Lots of ink and bytes are available on the issues.

The House Permanent Select Committee is providing access to the proposed bill and emerging amendments.

Here are two more sources for a deeper dive.

PRO CISPA et cetera:

See the Information Technology Council.   Don’t miss the links available via their twitter feed, page right.

CONTRA CISPA et cetera:

See the Center for Democracy and Technology.  Don’t miss the links available via their blog posts, page right.

–+–

PRO-POINT

… Dangerous economic predators, including nation-states like China, use the Internet to steal valuable information from American companies and unfairly compete with our economy. The cost is staggering. Years of effort and billions of dollars in research and development, strategic business plans, communications, and other sensitive data—all are lost in seconds. The victims span all sectors of our economy, from small businesses to large pharmaceutical, biotech, defense, and IT corporations. Additionally, our industrial control systems, utilities networks, and critical infrastructure are at risk of sabotage. We must all work together, government and private sector, to defend America against these predators, and we must do it in a way that does not compromise our core principles. The Cyber Intelligence Sharing and Protection Act allows us to take that first critical step of sharing information in a way that is effective but still protects our civil liberties. MORE (Representative Mike Rogers, Chairman, House Permanent Select Committee on Intelligence)

COUNTER-POINT

The latest assault on internet freedom is called the “Cyber Intelligence Sharing and Protection Act,” or “CISPA,” which may be considered by Congress this week.  CISPA is essentially an internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight–provided, of course, that they do so in the name of “cybersecurity.”  The bill is very broadly written, and allows the Department of Homeland Security to obtain large swaths of personal information contained in your emails or other online communication.  It also allows emails and private information found online to be used for purposes far beyond any reasonable definition of fighting cyberterrorism. CISPA represents an alarming form of corporatism, as it further intertwines government with companies like Google and Facebook.  It permits them to hand over your private communications to government officials without a warrant, circumventing well-established federal laws like the Wiretap Act and the Electronic Communications Privacy Act.  It also grants them broad immunity from lawsuits for doing so, leaving you without recourse for invasions of privacy.  Simply put, CISPA encourages some of our most successful internet companies to act as government spies, sowing distrust of social media and chilling communication in one segment of the world economy where America still leads. MORE (Representative Ron Paul, Chairman of the Subcommittee on Domestic and Monetary Policy, House Financial Services Committee)

Scroll below for more attention from HLSWatch.  A prior post on a related Senate proposal is available here. More to come.

Late Wednesday Update: Politico has a good summary of the state-of-play as of dinner time.   PCWorld is providing good sustained coverage of both political developments and their technical implications.