<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Homeland Security Watch &#187; Cybersecurity</title>
	<atom:link href="http://www.hlswatch.com/category/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hlswatch.com</link>
	<description>News and analysis of critical issues in homeland security today.</description>
	<lastBuildDate>Fri, 10 Feb 2012 05:10:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Global Supply Chain Strategy</title>
		<link>http://www.hlswatch.com/2012/01/26/global-supply-chain-strategy/</link>
		<comments>http://www.hlswatch.com/2012/01/26/global-supply-chain-strategy/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 05:10:28 +0000</pubDate>
		<dc:creator>Philip J. Palin</dc:creator>
				<category><![CDATA[Catastrophes]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Port and Maritime Security]]></category>
		<category><![CDATA[Private Sector]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=18922</guid>
		<description><![CDATA[Yesterday at the World Economic Forum in Davos, Switzerland Secretary Napolitano unveiled the new National Strategy for Global Supply Chain Security (1.5 megabyte PDF).  The President signed out the document on Monday. The strategy offers two goals: Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday at the World Economic Forum in Davos, Switzerland <a href="http://www.weforum.org/videos/addressing-transport-risks-and-securing-global-supply-chain-annual-meeting-2012" target="_blank">Secretary Napolitano unveiled</a> the new <a href="http://www.whitehouse.gov/sites/default/files/national_strategy_for_global_supply_chain_security.pdf" target="_blank">National Strategy for Global Supply Chain Security</a> (1.5 megabyte PDF).  The President signed out the document on Monday.</p>
<p>The strategy offers two goals:</p>
<blockquote><p><em><strong>Goal 1</strong>: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption. To achieve this goal we will enhance the integrity of goods as they move through the global supply chain. We will also understand and resolve threats early in the process, and strengthen the security of physical infrastructures, conveyances and information assets, while seeking to maximize trade through modernizing supply chain infrastructures and processes.</em></p>
<p><em><strong>Goal 2</strong>: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions. To achieve this we will prioritize efforts to mitigate systemic vulnerabilities and refine plans to reconstitute the flow of commerce after disruptions.</em></p></blockquote>
<p>In my judgment we are much closer to achieving &#8220;efficient and secure movement&#8221; than we are to a &#8220;resilient supply chain&#8221;.  The new strategy could help with each, but the tougher task will be the effort &#8220;to mitigate systemic vulnerabilities.&#8221;</p>
<p>On January 11 the <a href="http://blogs.wsj.com/cfo/2012/01/11/reinforcing-the-supply-chain/" target="_blank">Wall Street Journal reported</a>,</p>
<blockquote><p><em>After a decade of streamlining their supply chains to make them less costly, the natural disasters and political upheavals that marked 2011 showed many multinational companies just how vulnerable those links have become.</em></p></blockquote>
<p>A senior supply chain executive recently told me (clearly depending on me to protect his name and the name of his firm), &#8220;We have several known choke-points. I&#8217;m sure there are many more we don&#8217;t know about.  It won&#8217;t take a major disaster to disrupt supply, just a couple of unusual, probably simultaneous accidents.  I think &#8212; hope &#8212; there would be a similar impact on our competitors.  But that doesn&#8217;t help our consumers.&#8221;</p>
<p>&#8220;There are ways to mitigate our risk, but they&#8217;re all expensive,&#8221; another executive explains.  &#8220;And for the last decade and the foreseeable future the lower cost of US supply chain management has been our principal economic advantage.  We&#8217;re much better than the Europeans, tons more efficient than the Chinese.  Increase supply chain costs and we lose just about the only advantage the US has left on most commodity trading and even a broad range of high-end specialty goods.&#8221;</p>
<p>Again from the Wall Street Journal:</p>
<blockquote><p><em>Justifying redundancies is one of the toughest aspects of managing a supply chain, because backstopping doesn’t pay off unless there is a disaster. When CFOs ask about the return on such investments, the answer is, “If we’re lucky, absolutely zero return,” says Sean Cumbie, vice president in charge of global supply-chain management at genetics-testing company Qiagen NV, based in Germany.</em></p></blockquote>
<p>The new strategy makes a glancing reference to &#8220;appropriate redundancy&#8221; which, for most supply chain executives, is like discussing the practical difference between manslaughter and murder.   Whatever you call it, the outcome ain&#8217;t pretty.</p>
<p>The senior supply chain guys (and a few gals) are the pioneers of the field.  In the last twenty years they have transformed the known world.  Not just the supply chain world, but the everyday world of billions of consumers.  Today the supply chain is faster, cheaper,  delivers much higher quality with much more assurance and transparency than a quarter century ago.</p>
<p>On most days the supply chain is also stronger, more flexible, and better at handling a range of emergencies and disasters.</p>
<p>But what we saw in Northeast Japan and Thailand has exposed a parallel reality.  As in all networked systems, risk tends to pool in unexpected ways and often unexpected places.  What if the earthquake-and-tsunami had hit the economic heartland of Tokyo and Osaka, instead of the Tohoku periphery?  What would the outcome be if, instead of Thai flooding, it was an earthquake in San Francisco and down the east side of Santa Clara County?  What happens if the Port of Long Beach is seriously disrupted for an extended period?  What if cyber-vandals &#8212; or economic or national or terrorist adversaries &#8212; seriously target the digital systems on which the modern supply chain absolutely depends?</p>
<p>In a report &#8212; &#8220;<a href="http://www3.weforum.org/docs/WEF_SCT_RRN_NewModelsAddressingSupplyChainTransportRisk_IndustryAgenda_2012.pdf" target="_blank">New Models Addressing Supply Chain and Transport Risk</a>&#8221; (7 megabyte PDF) &#8212;  released Tuesday, the World Economic Forum found:</p>
<blockquote><p><em>Supply chain and transport networks have continuously evolved to deliver capacity, speed, efficiency and customer service through organizational trends such as globalization, specialization, volume consolidation and information availability. The focus on cost optimization has highlighted the tension between cost elimination and network robustness – with the removal of traditional buffers such as safety stock and excess capacity. These developments have shifted risk distributions&#8230;(while) their effects have often included sharing risk more broadly around the world, reducing high-frequency risks and focusing risk within sectors, common technologies or nodes. Another common feature has been to disassociate risk from responsibility, misaligning incentives and creating moral hazards – the notion that a party that is insulated from risk will behave differently from how it would behave if it had full exposure to risk.</em></p></blockquote>
<p>Most supply chain managers I know tend to discount low frequency, high consequence risks (<a href="http://www.hlswatch.com/2012/01/20/discounting-risk-can-be-costly/" target="_blank">see related post</a>).  They discount this kind of risk because over the last twenty years they have become true masters of risk management.   They also discount high impact risks because their CEOs, Boards of Directors, and shareholders reward them for squeezing every possible penny out of supply chain costs.  They discount catastrophic risk because their creation &#8212; the modern supply chain &#8212; has never experienced a fundamental systemic failure.</p>
<p>Yet.</p>
<p>Many supply chain executives have become what economists sometimes call &#8220;risk preferers&#8221;: they have learned to maximize their return by skating with great style, grace, and confidence along the edge of chaos.   Each day they become more adept at mastering the chaos.   Is the experienced supply chain executive a sorcerer or a <a href="http://www.has.vcu.edu/for/goethe/zauber_e3.html" target="_blank">sorcerer&#8217;s apprentice</a>?</p>
<p>The new National Strategy is the starting point for a collaborative process of discussion, analysis, and policy development.  It seeks to &#8220;develop a culture of mutual interest and shared responsibility&#8221; across government and the private sector.  It&#8217;s the right goal.  It&#8217;s the right way to pursue the goal.</p>
<p>It is a very ambitious goal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2012/01/26/global-supply-chain-strategy/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Defense strategy and homeland security</title>
		<link>http://www.hlswatch.com/2012/01/05/defense-strategy-and-homeland-security/</link>
		<comments>http://www.hlswatch.com/2012/01/05/defense-strategy-and-homeland-security/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 20:23:57 +0000</pubDate>
		<dc:creator>Philip J. Palin</dc:creator>
				<category><![CDATA[Catastrophes]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Homeland Defense]]></category>
		<category><![CDATA[International HLS]]></category>
		<category><![CDATA[Port and Maritime Security]]></category>
		<category><![CDATA[Radiological & Nuclear Threats]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Terrorist Threats & Attacks]]></category>
		<category><![CDATA[WMD]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=18655</guid>
		<description><![CDATA[Earlier today the President signed out and the Secretary of Defense released new strategic guidance for the Department of Defense. Following are my quick-takes on those aspects of the document most closely related to homeland security. Page 1: The demise of Osama bin Laden and the capturing or killing of many other senior al-Qa’ida leaders [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier today the President signed out and the Secretary of Defense released <a href="http://www.defense.gov/news/Defense_Strategic_Guidance.pdf" target="_blank">new strategic guidance for the Department of Defense</a>. Following are my quick-takes on those aspects of the document  most closely related to homeland security.</p>
<p>Page 1:</p>
<blockquote><p>The demise of Osama bin Laden and the capturing or killing of many other senior al-Qa’ida leaders have rendered the group far less capable. However, al-Qa’ida and its affiliates remain active in Pakistan, Afghanistan, Yemen, Somalia, and elsewhere. More broadly, violent extremists will continue to threaten U.S. interests, allies, partners, and the homeland. The primary loci of these threats are South Asia and the Middle East. With the diffusion of destructive technology, these extremists have the potential to pose catastrophic threats that could directly affect our security and prosperity. For the foreseeable future, the United States will continue to take an active approach to countering these threats by monitoring the activities of non-state threats worldwide, working with allies and partners to establish control over ungoverned territories, and directly striking the most dangerous groups and individuals when necessary.</p></blockquote>
<p>Page 2:</p>
<blockquote><p>In the Middle East, the Arab Awakening presents both strategic opportunities and challenges. Regime changes, as well as tensions within and among states under pressure to reform, introduce uncertainty for the future. But they also may result in governments that, over the long term, are more responsive to the legitimate aspirations of their people, and are more stable and reliable partners of the United States. Our defense efforts in the Middle East will be aimed at countering violent extremists and destabilizing threats, as well as upholding our commitment to allies and partner states.</p></blockquote>
<p>Page 3:</p>
<blockquote><p>To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons – those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities.</p></blockquote>
<p>Page 4:</p>
<blockquote><p>Acting in concert with other means of national power, U.S. military forces must continue to hold al-Qa’ida and its affiliates and adherents under constant pressure, wherever they may be. Achieving our core goal of disrupting, dismantling, and defeating al-Qa’ida and preventing Afghanistan from ever being a safe haven again will be central to this effort. As U.S. forces draw down in Afghanistan, our global counter terrorism efforts will become more widely distributed and will be characterized by a mix of direct action and security force assistance. Reflecting lessons learned of the past decade, we will continue to build and sustain tailored capabilities appropriate for counter terrorism and irregular warfare. We will also remain vigilant to threats posed by other designated terrorist organizations, such as Hezbollah.</p></blockquote>
<p>Page 5:</p>
<blockquote><p>Accordingly, DoD will continue to work with domestic and international allies and partners and invest in advanced capabilities to defend its networks, operational capability, and resiliency in cyberspace and space&#8230;.</p>
<p>U.S. forces will continue to defend U.S. territory from direct attack by state and non-state actors. We will also come to the assistance of domestic civil authorities in the event such defense fails or in case of natural disasters, potentially in response to a very significant or even catastrophic event. Homeland defense and support to civil authorities require strong, steady–state force readiness, to include a robust missile defense capability. Threats to the homeland may be highest when U.S. forces are engaged in conflict with an adversary abroad.</p></blockquote>
<p>Page 6:</p>
<blockquote><p>The nation has frequently called upon its Armed Forces to respond to a range of situations that threaten the safety and well-being of its citizens and those of other countries. U.S. forces possess rapidly deployable capabilities, including airlift and sealift, surveillance, medical evacuation and care, and communications that can be invaluable in supplementing lead relief agencies, by extending aid to victims of natural or man-made disasters, both at home and abroad. DoD will continue to develop joint doctrine and military response options to prevent and, if necessary, respond to mass atrocities. U.S. forces will also remain capable of conducting non-combatant evacuation operations for American citizens overseas on an emergency basis.</p></blockquote>
<p>You may see more.   The document includes considerable attention to WMD and cyber threats not excerpted above.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2012/01/05/defense-strategy-and-homeland-security/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Cyber Monday Deals</title>
		<link>http://www.hlswatch.com/2011/11/28/cyber-monday-deals/</link>
		<comments>http://www.hlswatch.com/2011/11/28/cyber-monday-deals/#comments</comments>
		<pubDate>Mon, 28 Nov 2011 08:16:34 +0000</pubDate>
		<dc:creator>Arnold Bogis</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=18234</guid>
		<description><![CDATA[If you arrived at this post looking for shopping deals, you have come to the wrong website.  However, if you are interested in post-Thanksgiving, haze induced, cyber-related leftovers you are definitely in the right place. The issues surrounding cyber run deep and wide (and sometimes silent). It can be difficult to tease out what is, [...]]]></description>
			<content:encoded><![CDATA[<p>If you arrived at this post looking for shopping deals, you have come to the wrong website.  However, if you are interested in post-Thanksgiving, haze induced, cyber-related leftovers you are definitely in the right place.</p>
<p>The issues surrounding cyber run deep and wide (and sometimes silent). It can be difficult to tease out what is, is not, might be,  or is not even related to homeland security.</p>
<ul>
<li>Professor Bellavita recently covered the technical aspects of a <a href="http://www.hlswatch.com/2011/11/22/vandalism-is-stupid-and-silly-like-connecting-interfaces-to-your-scada-machinery-to-the-internet/">suspected</a> cyber attack on critical infrastructure&#8230;that turned out <a href="http://www.hlswatch.com/2011/11/25/never-mind-about-that-cyber-attack/">not</a> to be a cyber attack on critical infrastructure.  This particular case brings up the issues of communication (who told whom what when and why), risk/vulnerability (what can be attacked, what is being attacked, what are the real&#8211;as opposed to imagined&#8211;consequences of such an attack), and attribution (&#8220;the butler in the library with the candlestick&#8221; issue).</li>
</ul>
<ul>
<li>Taking a step back to consider some of these issues at the crossroads of the technological and strategic are the people involved with the &#8220;<a href="http://ecir.mit.edu/">Explorations in Cyber International Relations</a>.&#8221;  A joint project between MIT and Harvard&#8217;s Kennedy School of Government, it aims to be &#8220;a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century. It is designed as a theoretically rich, and technically informed initiative anchored in diverse tools and methods to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis.&#8221;</li>
</ul>
<ul>
<li>Three individuals involved with the project have written interesting cyber pieces informed by their professional backgrounds.  Joseph Nye, esteemed professor of international relations and originator of the term &#8220;soft power,&#8221; <a href="http://belfercenter.ksg.harvard.edu/publication/20162/cyber_power.html?breadcrumb=%2Fexperts%2F3%2Fjoseph_s_nye%3Fgroupby%3D3%26hide%3D1%26id%3D3%26back_url%3D%25252Fpublication%25252F21530%25252Fpivot_that_is_long_overdue%26%253Bback_text%3DBack%252Bto%252Blist%252Bof%252Bexperts%26filter%3D40">considers</a> the strategic implications for world politics of increasing reliance and power of cyberspace.  Melissa Hathaway, former White House cyber adviser, <a href="http://belfercenter.ksg.harvard.edu/publication/21438/taking_a_byte_out_of_cybercrime.html">tackles</a> the issue of cybercrime.  Jack Goldsmith, legal scholar and former high-ranking Justice Department official, <a href="http://www.brookings.edu/~/media/Files/rc/papers/2010/1208_4th_amendment_goldsmith/1208_4th_amendment_goldsmith.pdf">examines</a> the difficulties arising from the overlap between private and public networks and the security related issues.</li>
</ul>
<ul>
<li>The Department of Defense foreshadowed some of the institutional thinking about cyber issues in a <em>Foreign Affairs </em><a href="http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA527707&amp;Location=U2&amp;doc=GetTRDoc.pdf">article</a> from last fall by Deputy Secretary of Defense William Lynn III (he considered progress a year later <a href="http://www.foreignaffairs.com/articles/68305/william-j-lynn-iii/the-pentagons-cyberstrategy-one-year-later">here</a>). The Department followed up with a &#8220;Strategy for Operating in Cyberspace&#8221; <a href="http://www.defense.gov/news/d20110714cyber.pdf">this</a> past summer.  However, the Homeland Security Policy Institute&#8217;s Frank Cilluffo and Sharon Cardash were not too <a href="http://www.nextgov.com/nextgov/ng_20110728_3046.php?oref=topnews">impressed</a>.</li>
</ul>
<ul>
<li>Coming down from such lofty strategic heights to daily operational issues, organizations at all levels of government as well as those in the private sector are increasingly grappling with the difficulties involved in developing and implementing communication strategies and guidelines in the age of ever increasing social media usage. <em>Emergency Management</em> Magazine hosts a blog dedicated to &#8220;crisis and emergency communication strategies&#8221; authored by Gerald Baron.  In a recent <a href="http://www.emergencymgmt.com/emergency-blogs/crisis-comm/Is-Social-Media-more-111611.html">post</a>, he examines the question &#8220;Is Social Media more problem than solution in emergencies?&#8221; (HLSWatch&#8217;s Mark Chubb recently <a href="http://www.hlswatch.com/2011/11/23/accessibility-authenticity-and-anything-but-anarchy/">considered</a> a similar question, and Jim Garrow covers a range of related topics on his <a href="http://jgarrow.posterous.com/">blog</a>). What does that particular question and Thanksgiving have in common?  <a href="http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Cowboys-cheerleader-knocked-over-by-Witten-force?urn=nfl-wp12519">The Dallas Cowboys</a>. Long story short: sometimes it is better to trust the good judgement of your employees and the positive influence of cyberspace than attempt to control the flow of information.  Just as good of a lesson for &#8220;America&#8217;s Team&#8221; as it is for America&#8217;s federal, state, and local governmental institutions.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/11/28/cyber-monday-deals/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Never mind about that cyber attack&#8230;.</title>
		<link>http://www.hlswatch.com/2011/11/25/never-mind-about-that-cyber-attack/</link>
		<comments>http://www.hlswatch.com/2011/11/25/never-mind-about-that-cyber-attack/#comments</comments>
		<pubDate>Fri, 25 Nov 2011 23:52:03 +0000</pubDate>
		<dc:creator>Christopher Bellavita</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Intelligence and Info-Sharing]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=18225</guid>
		<description><![CDATA[Last Tuesday, Nick Catrantzos suggested here that reports of the Springfield, Illinois &#8220;cyberattack&#8221; might have more to do with &#8220;Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates,&#8221; than with an attack by foreigners. He&#8217;s right, [...]]]></description>
			<content:encoded><![CDATA[<p>Last Tuesday, Nick Catrantzos <a href="http://www.hlswatch.com/2011/11/22/vandalism-is-stupid-and-silly-like-connecting-interfaces-to-your-scada-machinery-to-the-internet/" target="_blank">suggested here</a> that reports of the Springfield, Illinois &#8220;cyberattack&#8221; might have more to do with <em>&#8220;Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates,&#8221;</em> than with an attack by foreigners.</p>
<p>He&#8217;s right, according to <a href="http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html" target="_blank">Friday&#8217;s Washington Post story by Ellen Nakashima</a>:</p>
<blockquote><p>A water-pump failure in Illinois that appeared to be the first foreign cyberattack on a public utility in the United States was in fact caused by a plant contractor traveling in Russia, according to a source familiar with a federal investigation of the incident&#8230;.  The contractor, who had remote access to the computer system, was in Russia on personal business, the source added.</p></blockquote>
<p>Score one point also for DHS officials who insisted on getting the facts correct before someone lobbies Congress for a 350 trillion dollar Water Attack Security Target Enforcement program:</p>
<blockquote><p>&#8230; officials at the Department of Homeland Security, which oversees industrial control system cybersecurity, cautioned from the outset that the report contained “no credible, corroborated data.”</p>
<p>The water pump in question had been experiencing problems, turning on and off and eventually failing, water district board members said. The pump has malfunctioned several times in recent years, a DHS official said.</p></blockquote>
<p>The <a href="http://community.controlglobal.com/content/joe-weiss-unfettered" target="_blank">&#8220;international authority on cybersecurity&#8221;</a> who (apparently) first made public the information in the Illinois State Terrorism and Intelligence Center (STIC) report <a href="http://community.controlglobal.com/content/illinois-water-hack-test-system-disclosure-%E2%80%93-it-broken" target="_blank">responded to the new details</a> about the attack by attacking:</p>
<blockquote><p>This [the conflict between the STIC and DHS reports] begs the question why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility&#8230;.</p>
<p>There are numerous critical infrastructure table-top exercises that assume that notifications such as the STIC report are sufficient to initiate the cyber attack response process. If DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist. At issue is that we need to be quickly informed if an event has occurred so that others who have similar equipment or architectures can take steps to protect themselves in case the event spreads. However, this requires both timely notification and correct information. Right now, it seems that neither of these two conditions may exist in this case.</p>
<p>We now have to wait for DHS and the other government agencies to come to agreement and let us know what has happened. If the STIC report is correct, then we have wasted precious time and allowed many others in the infrastructure to remain potentially vulnerable while we wait to find out if we should do anything.</p></blockquote>
<p>Perhaps that&#8217;s a restatement of the classic expectation of intelligence: &#8220;give us accurate, timely, and actionable information.&#8221;</p>
<p>Welcome to another dimension of <a href="http://en.wikipedia.org/wiki/Big_data" target="_blank">the big data problem</a>.</p>
<p>Or, as <a href="http://pastebin.com/Wx90LLum" target="_blank">our buddy prOf</a> might say, &#8220;Take the f*%#!&amp;g SCADA off the internet.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/11/25/never-mind-about-that-cyber-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Vandalism is stupid and silly, like &#8220;connecting interfaces to your SCADA machinery to the Internet.&#8221;</title>
		<link>http://www.hlswatch.com/2011/11/22/vandalism-is-stupid-and-silly-like-connecting-interfaces-to-your-scada-machinery-to-the-internet/</link>
		<comments>http://www.hlswatch.com/2011/11/22/vandalism-is-stupid-and-silly-like-connecting-interfaces-to-your-scada-machinery-to-the-internet/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 07:56:24 +0000</pubDate>
		<dc:creator>Christopher Bellavita</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Infrastructure Protection]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=18195</guid>
		<description><![CDATA[Water System Hack &#8211; The System Is Broken Hackers &#8216;hit&#8217; US water treatment systems Homeland Security investigates possible terrorism in Springfield Water system may be cyber attack victim Has stuxnet come to our critical infrastructure shores?  Is it duqu?  Could it be something even worse? &#8220;DHS and the FBI are gathering facts surrounding the report [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://community.controlglobal.com/content/water-system-hack-system-broken" target="_blank">Water System Hack &#8211; The System Is Broken </a></p>
<p><a href="http://www.bbc.co.uk/news/technology-15817335" target="_blank">Hackers &#8216;hit&#8217; US water treatment systems </a></p>
<p><a href="http://wjbc.com/homeland-security-investigates-possible-terrorism-in-springfield/" target="_blank">Homeland Security investigates possible terrorism in Springfield </a></p>
<p><a href="http://abclocal.go.com/wls/story?section=news/iteam&amp;id=8438135" target="_blank">Water system may be cyber attack victim </a></p>
<p>Has <a href="http://www.controlglobal.com/articles/2011/stuxnet-paradigm-shift-in-cyber-warfare.html" target="_blank">Stuxnet</a> come to our critical infrastructure shores?  Is it <a href="http://www.scmagazineus.com/duqu-father-son-or-unholy-ghost-of-stuxnet/article/215851/" target="_blank">Duqu</a>?  Could it be something even worse?</p>
<p><em>&#8220;DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois.  At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,&#8221; </em><a href="http://www.theregister.co.uk/2011/11/17/water_utility_hacked/" target="_blank">DHS spokesman Peter Boogaard explains</a>.</p>
<p><em>&#8220;I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is&#8221;</em> responds someone named &#8220;pr0f&#8221; in a <a href="http://pastebin.com/Wx90LLum" target="_blank">pastebin post</a> that includes, according to pr0f, images of another water system that was hacked.</p>
<p><a href="http://www.hlswatch.com/wp-content/uploads/2011/11/water-utility-plant-hacking-diagram.jpg"><img class="alignleft size-full wp-image-18196" title="water utility plant hacking diagram" src="http://www.hlswatch.com/wp-content/uploads/2011/11/water-utility-plant-hacking-diagram.jpg" alt="" width="430" height="267" /></a></p>
<p><em>&#8220;I&#8217;m not going to expose the details of the box,&#8221; </em>pr0f promises. <em>&#8220;No damage was done to any of the machinery; I don&#8217;t really like mindless vandalism. It&#8217;s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn&#8217;t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of <a href="http://www.automation.siemens.com/mcms/topics/en/simatic/Pages/Default.aspx" target="_blank">Simatic</a>.&#8221;</em></p>
<p><em>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</em></p>
<p><strong>Nick Catrantzos,</strong> who has written for Homeland Security Watch in the past, is an adjunct professor of Homeland Security and Emergency Management.  More relevant to today&#8217;s post, Nick is the former security director for a regional water utility.  Here are his thoughts on the most recent cyber event.</p>
<p><strong>Spotting the Incidental Cyber Saboteur</strong></p>
<p>You need not be evil to be wrong, and the true Achilles&#8217; Heel of recent news about cyber attacks to water infrastructure in the Chicago area (details at <a href="http://www.cnn.com/2011/11/18/us/cyber-attack-investigation/index.html?iref=allsearch" target="_blank">http://www.cnn.com/2011/11/18/us/cyber-attack-investigation/index.html?iref=allsearch</a>) is not foreign hackers of SCADA, the supervisory control and data acquisition system that makes it possible to turn a valve by remote control. Hackers have been a known external threat since the personal computer became widespread. Thus, makers of computer- and network-dependent tools like SCADA systems have to offer some protections against hackers just to make their systems marketable.</p>
<p>Why, therefore, is no one consulting anyone other than the self-avowed cyber security experts who are now issuing dire warnings about offshore SCADA hackers who may or may not be Russians? (The may-not possibility arises when these experts point out that clever hackers have the ability to misrepresent the origin of their attacks.) The same hand-wringing experts – or their fellow travelers – belong to the camp that opens the door to this vulnerability in the first place. They are not evil, just wrong.</p>
<p><strong>Remote Access as Double-Edged Sword</strong></p>
<p>Consider: Even the technologically challenged security professional sees the vulnerability in enabling remote access to critical systems, like water infrastructure. How do purveyors of such systems see remote access when marketing to fellow cyber aficionados? It is a selling feature, of course. Why, with remote access, the technician fielding a panic troubleshooting call at midnight can diagnose and solve the problem in pajamas instead of in the field. And the field, when it comes to water infrastructure, often turns out to be at distant sites over bad roads, poor lighting, and unattractive traveling conditions. Solving the problem from home is a win-win for all concerned, since it saves down time, isn&#8217;t it? Not if this debate includes security professionals charged with looking at the bigger picture of enterprise-wide vulnerabilities.</p>
<p>What makes it possible for these infrastructure attacks to abuse SCADA? Remote web access adopted in the name of expediency. What is the Achilles&#8217; Heel? Naïve or myopic cyber professionals whose overattention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates.</p>
<p><strong>Discovering What Some Won’t Admit</strong></p>
<p>How to zero in on the problem? The way not to do it is to rely exclusively on pronouncements of SCADA vendors and their like-minded counterparts in the organization who bought into web-based remote access in the first place. There is a good chance at least some of these people overlooked sharing details of remote access vulnerabilities in discussing the system before upper management and traditional security practitioners.</p>
<p>No, the short path to excellence in uncovering self-introduced remote access exposures is to check logs of trouble calls against field records of physical access to work sites. The more serious cyber professionals know to avoid web-based SCADA access from any home and instead limit access to SCADA terminals that reside behind the secured perimeter of the institution&#8217;s work facilities. Maybe a SCADA technician fielding a trouble call won&#8217;t have to drive three hours to diagnose the problem at a remote field site, but he may still have to drive 20 minutes to get to a locked and alarmed office that houses a protected SCADA terminal. At least this is the ideal and advertised state of affairs. But even 20 minutes may, in time, seem too much of an imposition, so the SCADA tech quietly arranges to beta test remote access from &#8212; you guessed it &#8212; the convenience of his or her own residence. Unofficially, without a lot of fanfare. So much so, that even the boss may not realize this is happening, hence the futility of relying on the cyber function to verify its own status regarding this vulnerability. There is another way to check.</p>
<p><strong>Uncovering the Rest of the Story</strong></p>
<p>If expediency has come to trump security, an examination of audit trails will soon show that technician troubleshooting calls at midnight aren&#8217;t matching up to midnight access to facilities housing SCADA terminals. Maybe operators in the field are too immersed in the problem to ask or even care how a SCADA tech is responding to a trouble call. They just want help. Maybe the tech is shrewd enough to avoid volunteering details, reasoning that speed of problem resolution is more important than revealing that this is being done from home via means subject to compromise and exposure to hackers.</p>
<p>However, audit trails won&#8217;t lie. Whether it is via manual logs, automated access records, video surveillance archives, or a guard&#8217;s register used for having all employees sign in after normal business hours, the discrepancy will surface under scrutiny. The on-call tech who was supposed to go to an employer site to troubleshoot the problem on a protected SCADA terminal will have shown no record of having entered any employer business site at midnight. So how did he or she handle the problem? Remotely. From home. In pajamas. Expediently. And, in the process, exposing the system to exploitable vulnerability.</p>
<p><strong>Caution on Experts Offering Homilies about Cyber Attack</strong></p>
<p>The so-called expert who was quick to criticize government officials on this latest cyber attack claimed he was doing so out of concern that the Department of Homeland Security was deficient in sharing information with other water agencies that could be targeted. If he were truly as conversant with water security as he claimed, he would know that it is not DHS but EPA that exercises the role of lead federal agency for protection of the water infrastructure. He would also know that EPA supports Water ISAC, the Information Sharing and Analysis Center for the water sector, and that the Association of Metropolitan Water Agencies manages that function, which takes the lead in sharing this kind of threat information within the water community, while DHS and local fusion centers do their share of distributing such information as well.</p>
<p>Showing no sign of recognizing these particulars, how could this self-styled expert really know what information on this SCADA threat is or is not circulating within the affected community of interest?  A skeptic might conclude that such considerations take a back seat, however, when dire warnings can generate free publicity.</p>
<p><strong>IT vs. Ops</strong></p>
<p>Some overzealous IT departments in utilities that use SCADA see SCADA as a means of supplying bandwidth on which to commingle business applications as well, thereby increasing likely needs for remote access by more employees and raising susceptibility to compromise at the same time.</p>
<p>If employees in Operations at water utilities don&#8217;t overly concern themselves with security deficiencies in SCADA, it tends to be because they have their hands full avoiding one or two catastrophes a year when SCADA techs unthinkingly shut down the system for maintenance or cause some other disruption without telling Ops in advance. The techs forget that flow changes can result in catastrophic treatment or distribution problems that affect water quality. This often occurs after business hours or on weekends, when the techs operate on the assumption that it is the best time to tinker without users noticing or balking &#8212; true enough for the average business network, but not for 24/7 attention to water treatment and distribution.</p>
<p>One sign that too many debacles have been surfacing serially is when Ops wrests the SCADA function away from IT. This does wonders for reducing those kinds of snafu.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/11/22/vandalism-is-stupid-and-silly-like-connecting-interfaces-to-your-scada-machinery-to-the-internet/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Urbanization and professionalization suppress resilience (!?)</title>
		<link>http://www.hlswatch.com/2011/08/19/bar-talk-urbanization-and-professionalization-suppress-resilience/</link>
		<comments>http://www.hlswatch.com/2011/08/19/bar-talk-urbanization-and-professionalization-suppress-resilience/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 05:10:19 +0000</pubDate>
		<dc:creator>Philip J. Palin</dc:creator>
				<category><![CDATA[Catastrophes]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Infrastructure Protection]]></category>
		<category><![CDATA[Preparedness and Response]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=16883</guid>
		<description><![CDATA[A  firefighter, a  cop, and an emergency manager walk into a bar.  This is not a joke.  I was with the three of them. One had red wine, another had a beer, the third ordered scotch.   I was drinking Dry Sack on the rocks with a twist. Can you guess which one had which [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.hlswatch.com/wp-content/uploads/2011/08/FourGuysWalkintoaBar.jpg"><img class="alignnone size-full wp-image-16890" title="FourGuysWalkintoaBar" src="http://www.hlswatch.com/wp-content/uploads/2011/08/FourGuysWalkintoaBar.jpg" alt="" width="300" height="300" /></a></p>
<p>A  firefighter, a  cop, and an emergency manager walk into a bar.  This is not a joke.  I was with the three of them.</p>
<p>One had red wine, another had a beer, the third ordered scotch.   I was drinking <a href="http://www.kindredspiritsusa.com/drysack.html" target="_blank">Dry Sack</a> on the rocks with a twist.</p>
<p>Can you guess which one had which drink?  Can you guess which offered what to the conversation:</p>
<p>&#8220;The problem is everyone is in denial about the worst risks.&#8221;</p>
<p>&#8220;New Orleans after Katrina was simple compared to Sendai after the tsunami.  How about Memphis after New Madrid or LA after the big one?&#8221; You can know the real pros by whether or not they pronounce it Maaadrid, as in really crazy.</p>
<p>&#8220;How about DC, Pittsburgh, and Birmingham after New Madrid?  How about pipelines, rail bridges, interstates, and the Eastern Interconnect after New Madrid?&#8221;  Hows about every little town downstream from a dam?</p>
<p>&#8220;How about the whole economy for the next ten years after Long Beach is taken out? I don&#8217;t care if it&#8217;s tsunami, pandemic, or an IND.&#8221;</p>
<p>&#8220;How about the whole economy if some cyber-anarchists decide to really screw with credit cards and ATMs?&#8221;</p>
<p>&#8220;As long as they vaporize my mortgage too.&#8221;</p>
<p>The bar talk was not as grim as this suggests.  Extended conversations with this crew are like a public reading of <a href="http://www.divinecomedy.org/divine_comedy.html" target="_blank">Dante&#8217;s </a><em><a href="http://www.divinecomedy.org/divine_comedy.html" target="_blank">Inferno</a> </em>(no<em> Paradiso)</em> with a running commentary by the comedian <a href="http://www.lewisblack.com/" target="_blank">Lewis Black</a>.  You roar with laughter over a comment that ought not be documented here.   A slightly sick sense of humor is essential to survival in these professions.</p>
<p>&#8220;We&#8217;re the real problem,&#8221; one guy said wrapping his arms around the shoulders of those on either side.  &#8220;We&#8217;re too good.  Why worry when the A team&#8217;s got your back?&#8221;</p>
<p>&#8220;Just call 911 and the cavalry always comes.&#8221;</p>
<p>&#8220;Even under fire&#8230; hell, with radioactive brimstone falling from the sky.&#8221;</p>
<p>&#8220;Thing is, we&#8217;re <em>really</em> good at the everyday stuff and lots of the tough stuff.&#8221;</p>
<p>&#8220;Did you hear about the <a href="http://www.coloradoconnection.com/news/story.aspx?id=652350" target="_blank">911 call because the citizen thought her remote had been stolen</a>?  Cops found it in a drawer.  They responded!&#8221;</p>
<p>&#8220;That&#8217;s the problem, we are so #$!@ responsive we&#8217;ve trained the citizens to depend on us.  When the big #$!@ happens they just wait around.&#8221;</p>
<p>&#8220;Not everyone.&#8221;</p>
<p>&#8220;<em>Practically</em> EVERYONE!&#8221;</p>
<p>&#8220;There&#8217;s two big pile-ups:  real increasing dependence. Who grows their own food anymore?  Who even eats at home? And where does our food come from? Not anywhere close.  Second pile-up: The #$!@ complicated system works really, really well until it doesn&#8217;t work at all.  So there&#8217;s no obvious reason to pay much attention, until it&#8217;s too late.&#8221;</p>
<p>&#8220;So&#8230; what we&#8217;re really good at is hiding the problems?&#8221;</p>
<p>&#8220;Sure.  There&#8217;s a fire.  You put it out.  You get &#8216;em temporary housing or they go to the in-laws.  I keep gawkers away.  Everything&#8217;s fine. No worries. But in Joplin or Tuscaloosa? Even those huge twisters were tiny compared to what we&#8217;ll get when the wrong fault shifts under 5 million or a wildfire overwhelms San Diego.  Hows about a CAT 5 and flood surge pounding Miami-Dade?&#8221;</p>
<p>&#8220;When they call 911 no one will answer, they won&#8217;t even get a #$!@ dial-tone!&#8221;</p>
<p>&#8220;It doesn&#8217;t take such a big hit.  Maybe catastrophe <a href="http://www.bartleby.com/104/76.html" target="_blank">comes on little cat feet</a>?  You read <a href="http://www.chds.us/?press/release&amp;id=2655" target="_blank">Ted Lewis&#8217; new book</a>?  The complex systems we depend on are so intricate, just one little complication and the consequences cascade.&#8221;</p>
<p>&#8220;Sort of like the <a href="https://reports.energy.gov/" target="_blank">2003 blackout</a> caused by tree branches in Ohio?&#8221;</p>
<p>&#8220;But the <em>cause </em>wasn&#8217;t tree branches, it&#8217;s the way WE build and manage systems. Tree branches are a preexisting condition.  Our choices create the vulnerabilities.&#8221;</p>
<p>&#8220;You know when I was a little kid,&#8221; (the guy to his right mimicked the Staten Island accent) &#8220;we had a farm right down the road.  It&#8217;s a landfill now.  The big farms in Jersey, they&#8217;re all McMansions.  Mom and pop get their broccoli and peas from California just like all of us.&#8221;</p>
<p>&#8220;You know what though? The beer&#8217;s a lot better than back then.  Hey waitress, another round here.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/08/19/bar-talk-urbanization-and-professionalization-suppress-resilience/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Three arrests and shadows of myself, et tu?</title>
		<link>http://www.hlswatch.com/2011/06/24/three-arrests-and-shadows-of-myself/</link>
		<comments>http://www.hlswatch.com/2011/06/24/three-arrests-and-shadows-of-myself/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 05:10:17 +0000</pubDate>
		<dc:creator>Philip J. Palin</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Radicalization]]></category>
		<category><![CDATA[Terrorist Threats & Attacks]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=15811</guid>
		<description><![CDATA[SUNDAY UPDATE: According to the BBC &#8211; and to the group&#8217;s Twitterfeed &#8212; LulzSec has disbanded.  The BBC indicates no reason for disbanding has been offered.  To the contrary, I found the LulzSec explanation reasonably clear&#8230; and not inconsistent with considerations set out below. Original post from early Friday morning: This week three very different [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-15813" title="Brig_Ali_Khan" src="http://www.hlswatch.com/wp-content/uploads/2011/06/Brig_Ali_Khan.jpg" alt="" width="130" height="196" /> <img class="size-full wp-image-15814 alignleft" title="José de Jesús Méndez Vargas" src="http://www.hlswatch.com/wp-content/uploads/2011/06/José-de-Jesús-Méndez-Vargas.jpg" alt="" width="133" height="196" /> <img class="size-full wp-image-15863 alignright" title="RYAN-CLEARY.jpg" src="http://www.hlswatch.com/wp-content/uploads/2011/06/ryan-cleary1-211x300.jpg" alt="" width="125" height="196" /></p>
<p><span style="color: #ff0000;"><strong>SUNDAY UPDATE</strong></span>: <a href="http://www.bbc.co.uk/news/uk-13918458" target="_blank">According to the BBC </a>&#8211; and to the group&#8217;s Twitterfeed &#8212; LulzSec has disbanded.  The BBC indicates no reason for disbanding has been offered.  To the contrary, I found the <a href="http://thepiratebay.org/torrent/6495523/50_Days_of_Lulz" target="_blank">LulzSec explanation</a> reasonably clear&#8230; and not inconsistent with considerations set out below.</p>
<p><em>Original post from early Friday morning:</em></p>
<p><strong>This week three very different men were arrested in three very different places suspected of three very different crimes.</strong></p>
<p>Is it just me or do the three share something important?</p>
<p>Tuesday the Pakistani military confirmed the <a href="http://www.dawn.com/2011/06/22/brigadier-held-for-links-with-extremists.html" target="_blank">detention of Brigadier Ali Khan</a> (top left).  The soon-to-retire head of regulations at Army General Headquarters is suspected of using his military connections to support <a href="http://www.hizb-ut-tahrir.org/EN/" target="_blank">Hizb ut-Tahrir</a>, a pan-Islamist political and religious movement.</p>
<p>Also on Tuesday &#8212; half a world away &#8212; the head of <em>La Familia</em> cartel was captured.  According to <a href="http://www.excelsior.com.mx/index.php?m=nota&amp;id_nota=746637" target="_blank">Excelsior</a>, Jose de Jesus Mendez Vargas (middle), age 37, &#8220;was arrested in Aguascalientes by elements of the Federal Police, without fighting or deaths reported from the action and was later transferred to the facilities of the SIEDO in Mexico City.&#8221; (SIEDO or <em>Subprocuraduría de Investigación Especializada en Delincuencia Organizada</em> or Assistant Attorney General&#8217;s Office for Special Investigations.)  Additional coverage is available in English from the <a href="http://www.chron.com/disp/story.mpl/topstory/7620906.html" target="_blank">Houston Chronicle</a>.</p>
<p>According to <a href="http://www.guardian.co.uk/technology/2011/jun/22/ryan-cleary-charged-lulzsec-hacking">The Guardian</a>, &#8220;A British teenager has been charged with five offences of computer hacking. Ryan Cleary, 19 (right at age 13), was charged with offences, including a cyber attack on Monday on Britain&#8217;s Serious Organised Crime Agency (Soca). Cleary was arrested on Monday evening at his family&#8217;s home in Wickford, Essex. His arrest was linked to a series of cyber attacks by a group called LulzSec, which investigators believe had targeted websites including ones belonging to the US government and the electronics giant Sony.&#8221;</p>
<p style="text-align: center;">&#8211;+&#8211;</p>
<p><strong>We can be more confident of the criminal complicity of Jose de Jesus Mendez Vargas, aka <em>El Chango</em> or The Monkey, than of the other two.</strong> La Familia has been one of the principal Mexican drug cartels since at least 2006.  But it was founded in the 1980s as a <a href="http://news.bbc.co.uk/2/hi/americas/8319924.stm" target="_blank">quasi-religious organization seeking to protect and purify Michoacán</a>, an impoverished region &#8212; and Mexican state &#8212; west of Mexico City.  El Chango was one of a handful of founders.  In the broadest terms the La Familia narrative has a striking resemblance to the origins of the Afghan Taliban.  Religiously inspired reform resulted in power and was followed by the abuse of power. By the 1990s the group was allied with the Gulf Cartel; in recent years it has established an independent power base.  Even in the murderous context of the Mexican cartels La Familia is known as especially violent.  Jesus Mendez Vargas has defended the use of violence as a form of &#8220;divine justice.&#8221;</p>
<p>Brigadier Khan has not yet been charged, much less convicted.  According to the <a href="http://www.dailytimes.com.pk/default.asp?page=2011%5C06%5C23%5Cstory_23-6-2011_pg3_1" target="_blank">Daily Times</a> (Pakistan), &#8220;There are contradictory reports that the detained brigadier had been targeted due to his concerted campaign to promote self-reliance and do away with the need for US assistance. The last straw is said to be his outspoken criticism of the US raid in Abbottabad after which he was arrested.&#8221;</p>
<p>There is plenty of smoke suggesting burning embers of religious radicalism in the Pakistani military. The group Brigadier Khan is accused of assisting is banned in Pakistan and other majority Muslim nations, but is not on the US State Department&#8217;s list of terrorist organizations.  According to the group&#8217;s <a href="http://english.hizbuttahrir.org/index.php/about-us" target="_blank">English language website</a>, &#8220;Hizb ut-Tahrir is a political party whose ideology is Islam. Its objective is to resume the Islamic way of life by establishing an Islamic State that executes the systems of Islam and carries its call to the world.&#8221;</p>
<p>Hizb ut-Tahrir opposes US-Pakistan cooperation. While the Brigadier&#8217;s attitudes and actions are currently beyond knowing, the leadership of <a href="http://www.hizb-ut-tahrir.org/index.php/EN/wshow/852" target="_blank">Hizb ut-Tahrir is clear in its criticism of the United States and the current Pakistani political and military elite</a>:</p>
<blockquote><p><em>Even though Pakistan is a strong Muslim country, with an army bigger than America’s, and braver due to the Muslims’ love of Shahadah, you have cheated the people of their right to security by siding with the enemy. Due to your alliance with the open enemies of the Muslims, America’s presence in the region has led to unprecedented insecurity, with America’s private military organizations and intelligence orchestrating a campaign of assassinations and bombings, as they did in Iraq. You added to the harm upon the Muslims, by sending the Muslim soldiers to the tribal areas to fight on behalf of America, just like Musharraf before you. Until now 30,452 people have been killed and injured since 9/11 in America’s war of fitna. Some 2,273 Pakistani soldiers including 78 officers, two Major Generals and five brigadiers besides others, have lost their lives while 6,512 sustained injuries, even though the Western crusaders have only sacrificed 1,582 of their own troops! You are cheating the Muslims of their strength when America is at its weakest, with its allies abandoning it and its economy crippled and collapsing, when there is ample opportunity to allow America’s crusade to collapse rather than supporting it with the blood of Muslims.</em></p></blockquote>
<p>To in any way compare <a href="http://lulzsecurity.com/" target="_blank">LulzSec</a> to <em>La Familia</em> and Hizb ut-Tahrir is, perhaps, to invite an apocalyptic hacker attack on HLSWatch. So&#8230; if we disappear, thanks for the memories.</p>
<p>The teenager arrested on Tuesday has been charged on five counts, mostly involving denial-of-service attacks.  His involvement with the LulzSec collaborative of hackers has not been specified.  But some link was confirmed by LulzSec via its <a href="http://twitter.com/#!/LulzSec" target="_blank">Twitterfeed</a>, &#8220;Clearly the UK police are so desperate to catch us that they&#8217;ve gone and arrested someone who is, at best, mildly associated with us.&#8221;</p>
<p>LulzSec has claimed responsibility for a series of successful attacks on the CIA, Sony, PBS, and others around the world. Wednesday they brought down the President of Brazil&#8217;s website. Earlier today <a href="http://www.azcentral.com/news/articles/2011/06/23/20110623lulzsec-hacks-into-arizona-dps-system-abrk23-ON.html">Lulzsec hacked the Arizona Department of Public Safety data repository </a>and released a broad array of information. They describe themselves as, &#8220;a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials.&#8221;  The <a href="http://bits.blogs.nytimes.com/2011/05/04/sony-responds-to-lawmakers-citing-large-scale-cyberattack/" target="_blank">attack on Sony&#8217;s PlayStation network</a> left that system offline for a month.  Not much laughing by the company or its roughly 77 million customers or its depressed shareholders.</p>
<p>The Arizona attack has been explained as a protest against state laws perceived as unjust toward immigrants. The hackers&#8217; motivations are not always clear. On June 17 LulzSec outlined its purposes in a post at <a href="http://pastebin.com/HZtH523f" target="_blank">Pastebin</a>.  Self-entertainment is big; so is exposing the vulnerability we all share online.  They want to protect us&#8230; and &#8220;spread fun, fun, fun.&#8221;</p>
<p style="text-align: center;">&#8211;+&#8211;</p>
<p><strong>I want to be a hero.  I want to protect the vulnerable and punish the unjust.</strong></p>
<p>Is this what motivated Ali Khan to follow his father into the military? The Non-Com&#8217;s son committed his life to the Army and advanced to brigadier.  <a href="http://www.washingtonpost.com/world/war-zones/pakistan-arrests-officer-for-alleged-connections-to-militants/2011/06/21/AGIVnFeH_story.html" target="_blank">Ali&#8217;s wife, Anjum, claims</a>, &#8220;He loves the Pakistani army more than his life, and he can&#8217;t even think of betraying the institution.&#8221; His sons are junior officers, proud parts of  &#8212; until recently? &#8212; the only reasonably functioning element of Pakistani society.  Who is to blame for the dysfunction of Pakistan, including attacks on the military itself? What and who is the source of this shame?  What enemy can the brave Brigadier bring to justice?</p>
<p>Jose de Jesus Mendez Vargas, seeing family and friends disappear into the prison of poverty and madness of drug addiction, was motivated by love of neighbor. According to a <a href="http://www.justice.gov/dea/pubs/pressrel/pr102209a1.pdf">Drug Enforcement Administration backgrounder</a> La Familia, &#8220;has a strong religious background.  It purportedly originated to protect locals from the violence of drug cartels.  Now, La Familia Michoacana uses drug proceeds to fuel their agenda that encompasses a Robin Hood-type mentality – steal from the rich and give to the poor.  They believe  they are doing God’s work, and pass out bibles and money to the poor.  La Familia Michoacana also  gives money to schools and local officials.&#8221;  He only decapitated predators (and threw their heads onto dance floors).</p>
<p><a href="http://www.dailymail.co.uk/news/article-2007094/Ryan-Clearys-mother-reveals-hacker-issued-suicide-threat.html?ito=feeds-newsxml">According to the Daily Mail</a> the young Mr. Cleary is a deeply troubled man seldom leaving his bedroom, fearful, and suicidal. Yet when asked what he did all day online, <a href="http://www.thesun.co.uk/sol/homepage/news/3653684/Bleary-eyed-internet-hacking-suspect-Ryan-Cleary-looks-wasted-after-inhaling-gas.html?OTC-RSS&amp;ATTR=News">he reportedly replied, &#8220;God&#8217;s work.&#8221;</a></p>
<p>In November 2009 the <a href="http://www.timesonline.co.uk/tol/news/world/us_and_americas/article6907681.ece">Times of London published an in-depth profile of Goldman Sachs</a>.  It included an interview with the unlikely-to-be-arrested CEO of the firm, Lloyd Blankfein.  Even while skid-marks from the crash of capitalism were still smoking, Mr. Blankfein was confident of his purpose.</p>
<blockquote><p><em>Is it possible to make too much money? “Is it possible to have too much ambition? Is it possible to be too successful?” Blankfein shoots back. “I don’t want people in this firm to think that they have accomplished as much for themselves as they can and go on vacation. As the guardian of the interests of the shareholders and, by the way, for the purposes of society, I’d like them to continue to do what they are doing. I don’t want to put a cap on their ambition. It’s hard for me to argue for a cap on their compensation.” So, it’s business as usual, then, regardless of whether it makes most people howl at the moon with rage? Goldman Sachs, this pillar of the free market, breeder of super-citizens, object of envy and awe will go on raking it in, getting richer than God? An impish grin spreads across Blankfein’s face. Call him a fat cat who mocks the public. Call him wicked. Call him what you will. He is, he says, just a banker “doing God’s work.”</em></p></blockquote>
<p style="text-align: center;"><em>&#8211;+&#8211;</em></p>
<p><strong>I should probably leave it there. </strong> The case is sufficiently made for anyone who has read this far and cares to consider the case.  But I will be tediously explicit: My ability to mistake my own desires as God&#8217;s intention is significant.  I am not alone.</p>
<p>So, some will say, we have further proof for the dangers of divine delusion.  Especially as a believer I agree that danger and delusion are involved.</p>
<p>The issue is how to engage the threat.  I don&#8217;t perceive secular empiricism as a promising near-term therapeutic regime. Too many of those most in need of the therapy are evidently immune to its ministrations.  Might we extract a vaccine from the virus itself?</p>
<p>In his 1927 book, &#8220;Does Civilization Need Religion&#8221;, <a href="http://ia600500.us.archive.org/19/items/MN40125ucmf_6/MN40125ucmf_6.pdf" target="_blank">Reinhold Niebuhr wrote</a>:</p>
<blockquote><p><em>Religion intensifies selfishness when it adds sanctity to a respectable selfish life and creates a self-respect which is impervious to emotions of contrition. If the religious ideal is to gain any potency in modern life it must be able to convict men of sin and inspire them to a conversion. But the sins of which they need most to be convicted are those which are covert in the social and economic relations which custom has hallowed; and the conversion of life which is most needed is that which will express itself in terms of the economic and political relationships in which men live&#8230;</em></p>
<p><em>Religion is therefore under the necessity of developing the critical faculty even while it maintains its naivete and reverence. The necessity of cooperation between the naturally incompatible factors of reason and imagination, of intelligence and moral dynamic, is really the crux of the religious and moral problem in modern civilization. The complexity of modern life demands that moral purpose be astutely guided; but moral purpose itself is rooted in ultra-rational sanctions and may be destroyed by the same intelligence which is needed to direct it. Both humility and love, the highest religious virtues, are ultra-rational; yet they cannot be achieved in an intricate social life without a discriminating intelligence which knows how to uncover covert sins and to discover potential virtues. The incidental limitations which every historic type of religion reveals can be dealt with only if the religious devotee can be persuaded to regard the values of his religion critically&#8230;</em></p></blockquote>
<p>Religiously-inspired terrorism &#8212; or mayhem or pride &#8212; is usually the signal of an immature and ill-considered religiosity.  The most effective solution may be in cultivating a more discriminating and self-critical engagement with the religious domain.</p>
<p>In other words, love others and approach God with deep humility.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/06/24/three-arrests-and-shadows-of-myself/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>&#8220;America’s Cyber Future: Security And Prosperity In The Information Age&#8221;</title>
		<link>http://www.hlswatch.com/2011/06/07/america%e2%80%99s-cyber-future-security-and-prosperity-in-the-information-age/</link>
		<comments>http://www.hlswatch.com/2011/06/07/america%e2%80%99s-cyber-future-security-and-prosperity-in-the-information-age/#comments</comments>
		<pubDate>Tue, 07 Jun 2011 21:33:55 +0000</pubDate>
		<dc:creator>Christopher Bellavita</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=15576</guid>
		<description><![CDATA[A colleague told me about a May 31, 2011 two-volume policy report from the Center for A New American Security called &#8220;America’s Cyber Future: Security And Prosperity In The Information Age.&#8221;  The report is available at this link. From the web page: America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited [...]]]></description>
			<content:encoded><![CDATA[<p>A colleague told me about a May 31, 2011 two-volume policy report from the Center for A New American Security called &#8220;America’s Cyber Future: Security And Prosperity In The Information Age.&#8221;  The report <a href="http://www.cnas.org/node/6405" target="_blank">is available at this link</a>.</p>
<h4>From the web page:</h4>
<p style="padding-left: 30px;"><em>America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.</em></p>
<p style="padding-left: 30px;"><em>Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.</em></p>
<h4>Here is the table of contents:</h4>
<p><strong>Volume I</strong><br />
<em><br />
America’s Cyber Future: Security and Prosperity in the Information Age</em><br />
By Kristin Lord and Travis Sharp</p>
<p><strong>Volume II</strong></p>
<p><em>Note: Chapters are bookmarked within the Table of Contents.</em></p>
<ul>
<li>Chapter I: <em>Power and National Security in Cyberspace<br />
</em>By Joseph S. Nye, Jr.</li>
<li>Chapter II: <em>Cyber Insecurities: The 21st Century Threatscape<br />
</em>By Mike McConnell</li>
<li>Chapter III: <em>Separating Threat from the Hype: What Washington Needs to Know about Cyber Security<br />
</em>By  Gary McGraw and Nathaniel Fick</li>
<li>Chapter IV: <em>Cyberwar and Cyber Warfare<br />
</em>By Thomas G. Mahnken</li>
<li>Chapter V: <em>Non-State Actors and Cyber Conflict<br />
</em>By Gregory J. Rattray and Jason Healey</li>
<li>Chapter VI: <em>Cultivating International Cyber Norms<br />
</em>By Martha Finnemore</li>
<li>Chapter VII: <em>Cyber Security Governance: Existing Structures, International Approaches and the Private Sector<br />
</em>By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad</li>
<li>Chapter VIII: <em>Why Privacy and Cyber Security Clash<br />
</em>By James A. Lewis</li>
<li>Chapter IX: <em>Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security<br />
</em>By Richard Fontaine and Will Rogers</li>
<li>Chapter X: <em>The Unprecedented Economic Risks of Network Insecurity</em><br />
By Christopher M. Schroeder</li>
<li>Chapter XI: <em>How Government Can Access Innovative Technology</em><br />
By Daniel E. Geer, Jr.</li>
<li>Chapter XII: <em>The Role of Architecture in Internet Defense</em><br />
By Robert E. Kahn</li>
<li>Chapter XIII: <em>Scenarios for the Future of Cyber Security</em><br />
By Peter Schwartz</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/06/07/america%e2%80%99s-cyber-future-security-and-prosperity-in-the-information-age/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is there such a thing as cyber terrorism?</title>
		<link>http://www.hlswatch.com/2011/04/05/is-there-such-a-thing-as-cyber-terrorism/</link>
		<comments>http://www.hlswatch.com/2011/04/05/is-there-such-a-thing-as-cyber-terrorism/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 06:10:34 +0000</pubDate>
		<dc:creator>Christopher Bellavita</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=14577</guid>
		<description><![CDATA[This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years. But first, the set up…. &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; Is there such a thing as cyber terrorism? I understand there’s something called cyber warfare. And cyber crime. And [...]]]></description>
			<content:encoded><![CDATA[<p>This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.</p>
<p>But first, the set up….</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Is there such a thing as cyber terrorism?</p>
<p>I understand there’s something called cyber warfare.  And cyber crime.  And cyber security. But what about cyber terrorism?</p>
<p>And if there is something called cyber terrorism, has the US been attacked by cyber terrorists?  Or maybe that question should be: have terrorists attacked the US with cyber weapons?  And if not, could they?  Will they?</p>
<p><a href="http://www.hlrecord.org/news/what-is-cyberterrorism-even-experts-can-t-agree-1.861186" target="_blank">Experts cannot agree</a> whether cyber terrorism is real or even if it is a useful concept.</p>
<p>I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.</p>
<p>I have another friend who teaches a course on homeland security threats.  He says nations attack nations with cyber weapons.  Non-state actors don’t use cyber weapons.  So in the homeland security threat spectrum, he says, cyber is more about sound than significance.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Former DHS Secretary Chertoff sort of disagrees.</p>
<p>He devotes Chapter 8 to cybersecurity in his book <a href="http://goo.gl/mxMSg" target="_blank">“Homeland Security: Assessing the First Five Years.”</a> He underscored that concern in his <a href="http://www.dhs.gov/xabout/history/gc_1299085227497.shtm" target="_blank">March 2 appearance with the other two DHS secretaries</a>:</p>
<blockquote><p>“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”</p></blockquote>
<p>Secretary Napolitano agreed with Chertoff:</p>
<blockquote><p>… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you&#8217;re talking about something, they&#8217;re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who&#8217;s 20 years old and who&#8217;s grown up with the computer just as part of life.</p></blockquote>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>The US has a <a href="http://www.learningservices.us/pdf/emergency/nrf/nrp_cyberincidentannex.pdf" target="_blank">cyber incident annex to the National Response Plan</a>.  I think that was updated in September of 2010 with an <a href="www.federalnewsradio.com/.../NCIRP_Interim_Version_September_2010.pdf " target="_blank">Interim Version of the National Cyber Incident Response Plan</a>.  I believe that is meant to serve as part of the National Response Framework. But I’m not sure.  Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see <a href="http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx" target="_blank">here</a> or <a href="http://nakedsecurity.sophos.com/2011/04/01/lizamoon-sql-injection/" target="_blank">here</a> for probably more than you want to know about LizaMoon].</p>
<p>As I understand it, LizaMoon is a small piece of computer code that places  itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected.  Liza then offers to clean the computer and the trouble expands.</p>
<p>I don’t know if this is a big deal or not.  Some reports say over a million websites were infected.  Is that a lot?  Other reports (<a href="http://www.itworld.com/security/142344/giant-april-fools-day-web-attack-has-little-effect" target="_blank">like this one</a>) say it’s not that big of a deal.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br />
Also this weekend, I learned that a firm called Epsilon had (<a href="http://www.epsilon.com/News%20&amp;%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3" target="_blank">according to its press release</a>):</p>
<blockquote><p>&#8220;…an incident … where a subset of Epsilon clients&#8217; customer data were exposed by an unauthorized entry into Epsilon&#8217;s email system.”</p></blockquote>
<p>Translated into numbers, “a subset of Epsilon clients” could be several million people.</p>
<p>Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br />
These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day.  Maybe I&#8217;m overly sensitive to these kinds of incidents since some of my web presence was hacked in December.  It wasn&#8217;t terrorism.   But it was disturbing.</p>
<p>Are cyber &#8220;attacks&#8221; something an inquiring homeland security mind should be concerned about?  I use that word in quotes because I know there are thousands of cyber incursions every day.  How should one even start to think about this cyber stuff?</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>I went to three government sites that, I thought, would help me frame and understand these incidents: <a href="https://www.it-isac.org/index.php" target="_blank">IT-ISAC: The Information Technology Information Sharing and Analysis Center</a>, <a href="http://www.msisac.org/" target="_blank">MS-ISAC: The Multi-State Sharing and Analysis Center</a>, and <a href="http://www.us-cert.gov/aboutus.html" target="_blank">US-CERT: the United States Computer Emergency Readiness Team</a>.</p>
<p>I thought they might have some information about what I figured might be fairly significant incidents.  But if they did, I missed it.</p>
<p>I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.</p>
<p>But I do have to say the MS-ISAC has a really impressive looking <a href="http://www.msisac.org/apps/dashboard/" target="_blank">Cyber Operations Center Dashboard</a>.  Looking at it made me feel like Mr. Jones in Bob Dylan’s <a href="http://www.bobdylan.com/songs/ballad-of-a-thin-man" target="_blank">“Ballad of a Thin Man”</a>:</p>
<blockquote><p><em>… something is happening here</em></p>
<p><em>But you don’t know what it is</em></p>
<p><em>Do you, Mister Jones?</em></p></blockquote>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.</p>
<p><a href="https://www.it-isac.org/about_n.php" target="_blank">The IT-ISAC says</a>:</p>
<blockquote><p>the mission of the IT-ISAC is to:</p>
<p>• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,</p>
<p>• <em>Establish a mechanism for systematic and protected exchange and coordination of such information</em> [my emphasis] and trusted collaboration; and</p>
<p>• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.</p></blockquote>
<p><a href="http://www.msisac.org/about/" target="_blank">The MS-ISAC says: </a></p>
<blockquote><p>The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.</p>
<p>Major Objectives of the MS-ISAC</p>
<p>• provide two-way sharing of information and early warnings on cyber security threats</p>
<p>• provide a process for <em>gathering and disseminating information on cyber security incidents </em>[my emphasis]</p>
<p>• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors</p>
<p>• coordinate training and awareness</p>
<p>• ensure that all necessary parties are vested partners in this effort</p></blockquote>
<p><a href="http://www.us-cert.gov/aboutus.html" target="_blank">The US-CERT says:</a></p>
<blockquote><p>US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.</p>
<p>US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others <em>to disseminate reasoned and actionable cyber security information to the public</em>. [my emphasis]</p></blockquote>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>If it isn’t at least part of their job to provide situation awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it?  Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.</p>
<p>I guess I’m ok with that as an interim fix.</p>
<p>But is that the plan?</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Ok, that’s the set up.  Now the movie.</p>
<p>Perhaps you’ve heard of Stuxnet.  If not, <a href="http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_malware/stuxnet/index.html?rss=1" target="_blank">you can read about it here</a>.  The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”</p>
<p>So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.</p>
<p>However, after watching this video (<a href="http://blog.ted.com/2011/03/29/cracking-stuxnet-a-21st-century-cyber-weapon-ralph-langner-on-ted-com/" target="_blank">also available here</a>) &#8212; particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction &#8212; I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.</p>
<p><object width="446" height="326"><param name="movie" value="http://video.ted.com/assets/player/swf/EmbedPlayer.swf" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="wmode" value="transparent" /><param name="bgColor" value="#ffffff" /><param name="flashvars" value="vu=http://video.ted.com/talks/dynamic/RalphLangner_2011-medium.flv&amp;su=http://images.ted.com/images/ted/tedindex/embed-posters/RalphLangner-2011.embed_thumbnail.jpg&amp;vw=432&amp;vh=240&amp;ap=0&amp;ti=1107&amp;lang=eng&amp;introDuration=15330&amp;adDuration=4000&amp;postAdDuration=830&amp;adKeys=talk=ralph_langner_cracking_stuxnet_a_21st_century_cyberweap;year=2011;theme=numbers_at_play;theme=bold_predictions_stern_warnings;theme=war_and_peace;theme=a_taste_of_ted2011;theme=what_s_next_in_tech;event=TED2011;&amp;preAdTag=tconf.ted/embed;tile=1;sz=512x288;" /><embed type="application/x-shockwave-flash" width="446" height="326" src="http://video.ted.com/assets/player/swf/EmbedPlayer.swf" pluginspace="http://www.macromedia.com/go/getflashplayer" wmode="transparent" bgcolor="#ffffff" allowfullscreen="true" allowscriptaccess="always" flashvars="vu=http://video.ted.com/talks/dynamic/RalphLangner_2011-medium.flv&amp;su=http://images.ted.com/images/ted/tedindex/embed-posters/RalphLangner-2011.embed_thumbnail.jpg&amp;vw=432&amp;vh=240&amp;ap=0&amp;ti=1107&amp;lang=eng&amp;introDuration=15330&amp;adDuration=4000&amp;postAdDuration=830&amp;adKeys=talk=ralph_langner_cracking_stuxnet_a_21st_century_cyberweap;year=2011;theme=numbers_at_play;theme=bold_predictions_stern_warnings;theme=war_and_peace;theme=a_taste_of_ted2011;theme=what_s_next_in_tech;event=TED2011;"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/04/05/is-there-such-a-thing-as-cyber-terrorism/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Cyber Musings from an Author and a Wonk</title>
		<link>http://www.hlswatch.com/2011/01/27/cyber-musings-from-an-author-and-a-wonk/</link>
		<comments>http://www.hlswatch.com/2011/01/27/cyber-musings-from-an-author-and-a-wonk/#comments</comments>
		<pubDate>Thu, 27 Jan 2011 19:15:10 +0000</pubDate>
		<dc:creator>Arnold Bogis</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>

		<guid isPermaLink="false">http://www.hlswatch.com/?p=13434</guid>
		<description><![CDATA[The New York Times had a cyber two-fer on their op-ed page today. First up, celebrated cyberpunk author William Gibson (credited with coining the phrase &#8220;cyberspace&#8221; in the early 1980s) who provides historical context for the Stuxnet virus: IN January 1986, Basit and Amjad Alvi, sibling programmers living near the main train station in Lahore, [...]]]></description>
			<content:encoded><![CDATA[<p>The <em>New York Times</em> had a cyber two-fer on their op-ed page today.</p>
<p>First up is celebrated cyberpunk author <a href="http://www.nytimes.com/2011/01/27/opinion/27Gibson.html?ref=opinion">William Gibson</a> (credited with coining the phrase &#8220;cyberspace&#8221; in the early 1980s), who provides historical context for the Stuxnet virus:</p>
<blockquote><p>IN January 1986, Basit and Amjad Alvi, sibling programmers living near  the main train station in Lahore, Pakistan, wrote a piece of code to  safeguard the latest version of their heart-monitoring software from  piracy. They called it Brain, and it was basically a wheel-clamp for  PCs. Computers that ran their program, plus this new bit of code, would  stop working after a year,  though they cheerfully provided three  telephone numbers, against the day. If you were a legitimate user, and  could prove it, they’d unlock you.</p>
<p>But in the way of all emergent technologies, something entirely  unintended happened. The Alvis’ wheel-clamp was soon copied by a certain  stripe of computer hobbyist, who began to distribute it, concealed  within various digital documents that people might be expected to want  to open. Because almost all these booby-trapped files went out on floppy  disks, the virus spread at a pre-Internet snail’s pace.</p></blockquote>
<blockquote><p>Should the lights go out in our online bus shelters one day, or some  critical control system go spectacularly awry, it may in a sense,  however distantly, be because Israel found a way to shut down Iran’s  centrifuges. But in another way it will be the result of a bright idea  two brothers once had, in the vicinity of Lahore Railway Station, to  innocently clamp a digital pirate’s wheel.</p></blockquote>
<p>Considered something of a cyber-visionary, Gibson points out he foresaw computer viruses becoming strategic weapons deployed by nation states but admits to missing the possibility that they would, for the most part, be the tool of amateur vandals.</p>
<p>The second piece is from <a href="http://www.nytimes.com/2011/01/27/opinion/27falkenrath.html?_r=1&amp;ref=opinion">Richard Falkenrath</a>, former Bush White House homeland security official and NYPD Counterterrorism Commissioner. He covers a lot of familiar ground, questions of sovereignty and collateral damage, but brings up an interesting new (at least to me) issue:</p>
<blockquote><p>Under American law the transmission of malicious code is in many  cases a criminal offense. This makes sense, given the economy’s reliance  on information networks, the sensitivity of stored electronic data and  the ever-present risk of attack from viruses, worms and other varieties  of malware.</p>
<p>But the president, as commander in chief, does have some authority to  conduct offensive information warfare against foreign adversaries.  However, as with many presidential powers to wage war and conduct  espionage, the extent of his authority has never been enumerated.</p>
<p>This legal ambiguity is problematic because such warfare is far less  controllable than traditional military and intelligence operations, and  it raises much more complex issues of private property, personal privacy  and commercial integrity.</p>
<p>Therefore, before our courts are forced to consider the issue and  potentially limit executive powers, as they did after President Harry  Truman tried to seize steel plants in the early 1950s, Congress should  grant the White House broad authority to wage offensive information  warfare.</p></blockquote>
<p>Both pieces are worth reading in full.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hlswatch.com/2011/01/27/cyber-musings-from-an-author-and-a-wonk/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

