Homeland Security Watch

News and analysis of critical issues in homeland security

June 24, 2011

Three arrests and shadows of myself, et tu?

Filed under: Cybersecurity, Radicalization, Terrorist Threats & Attacks — by Philip J. Palin on June 24, 2011

SUNDAY UPDATE: According to the BBC – and to the group’s Twitterfeed — LulzSec has disbanded.  The BBC indicates no reason for disbanding has been offered.  To the contrary, I found the LulzSec explanation reasonably clear… and not inconsistent with considerations set out below.

Original post from early Friday morning:

This week three very different men were arrested in three very different places suspected of three very different crimes.

Is it just me or do the three share something important?

Tuesday the Pakistani military confirmed the detention of Brigadier Ali Khan (top left).  The soon-to-retire head of regulations at Army General Headquarters is suspected of using his military connections to support Hizb ut-Tahrir, a pan-Islamist political and religious movement.

Also on Tuesday — half a world away — the head of La Familia cartel was captured.  According to Excelsior, Jose de Jesus Mendez Vargas (middle), age 37, “was arrested in Aguascalientes by elements of the Federal Police, without fighting or deaths reported from the action and was later transferred to the facilities of the SIEDO in Mexico City.” (SIEDO or Subprocuraduría de Investigación Especializada en Delincuencia Organizada or Assistant Attorney General’s Office for Special Investigations.)  Additional coverage is available in English from the Houston Chronicle.

According to The Guardian, “A British teenager has been charged with five offences of computer hacking. Ryan Cleary, 19 (right at age 13), was charged with offences, including a cyber attack on Monday on Britain’s Serious Organised Crime Agency (Soca). Cleary was arrested on Monday evening at his family’s home in Wickford, Essex. His arrest was linked to a series of cyber attacks by a group called LulzSec, which investigators believe had targeted websites including ones belonging to the US government and the electronics giant Sony.”

–+–

We can be more confident of the criminal complicity of Jose de Jesus Mendez Vargas, aka El Chango or The Monkey, than of the other two. La Familia has been one of the principal Mexican drug cartels since at least 2006.  But it was founded in the 1980s as a quasi-religious organization seeking to protect and purify Michoacán, an impoverished region — and Mexican state — west of Mexico City.  El Chango was one of a handful of founders.  In the broadest terms the La Familia narrative has a striking resemblance to the origins of the Afghan Taliban: religiously inspired reform resulted in power, which was followed by the abuse of power. By the 1990s the group was allied with the Gulf Cartel; in recent years it has established an independent power base.  Even in the murderous context of the Mexican cartels La Familia is known as especially violent.  Jesus Mendez Vargas has defended the use of violence as a form of “divine justice.”

Brigadier Khan has not yet been charged, much less convicted.  According to the Daily Times (Pakistan), “There are contradictory reports that the detained brigadier had been targeted due to his concerted campaign to promote self-reliance and do away with the need for US assistance. The last straw is said to be his outspoken criticism of the US raid in Abbottabad after which he was arrested.”

There is plenty of smoke suggesting burning embers of religious radicalism in the Pakistani military. The group Brigadier Khan is accused of assisting is banned in Pakistan and other majority Muslim nations, but is not on the US State Department’s list of terrorist organizations.  According to the group’s English language website, “Hizb ut-Tahrir is a political party whose ideology is Islam. Its objective is to resume the Islamic way of life by establishing an Islamic State that executes the systems of Islam and carries its call to the world.”

Hizb ut-Tahrir opposes US-Pakistan cooperation. While the Brigadier’s attitudes and actions are currently beyond knowing, the leadership of Hizb ut-Tahrir is clear in its criticism of the United States and the current Pakistani political and military elite:

Even though Pakistan is a strong Muslim country, with an army bigger than America’s, and braver due to the Muslims’ love of Shahadah, you have cheated the people of their right to security by siding with the enemy. Due to your alliance with the open enemies of the Muslims, America’s presence in the region has led to unprecedented insecurity, with America’s private military organizations and intelligence orchestrating a campaign of assassinations and bombings, as they did in Iraq. You added to the harm upon the Muslims, by sending the Muslim soldiers to the tribal areas to fight on behalf of America, just like Musharraf before you. Until now 30,452 people have been killed and injured since 9/11 in America’s war of fitna. Some 2,273 Pakistani soldiers including 78 officers, two Major Generals and five brigadiers besides others, have lost their lives while 6,512 sustained injuries, even though the Western crusaders have only sacrificed 1,582 of their own troops! You are cheating the Muslims of their strength when America is at its weakest, with its allies abandoning it and its economy crippled and collapsing, when there is ample opportunity to allow America’s crusade to collapse rather than supporting it with the blood of Muslims.

To in any way compare LulzSec to La Familia and Hizb ut-Tahrir is, perhaps, to invite an apocalyptic hacker attack on HLSWatch. So… if we disappear, thanks for the memories.

The teenager arrested on Tuesday has been charged on five counts, mostly involving denial-of-service attacks.  His involvement with the LulzSec collaborative of hackers has not been specified.  But some link was confirmed by LulzSec via its Twitterfeed, “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us.”

LulzSec has claimed responsibility for a series of successful attacks on the CIA, Sony, PBS, and others around the world. Wednesday they brought down the President of Brazil’s website. Earlier today LulzSec hacked the Arizona Department of Public Safety data repository and released a broad array of information. They describe themselves as, “a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials.”  The attack on Sony’s PlayStation network left that system offline for a month.  Not much laughing by the company or its roughly 77 million customers or its depressed shareholders.

The Arizona attack has been explained as a protest against state laws perceived as unjust toward immigrants. The hackers’ motivations are not always clear. On June 17 LulzSec outlined its purposes in a post at Pastebin.  Self-entertainment is big; so is exposing the vulnerability we all share online.  They want to protect us… and “spread fun, fun, fun.”

–+–

I want to be a hero. I want to protect the vulnerable and punish the unjust.

Is this what motivated Ali Khan to follow his father into the military? The Non-Com’s son committed his life to the Army and advanced to brigadier.  Ali’s wife, Anjum, claims, “He loves the Pakistani army more than his life, and he can’t even think of betraying the institution.” His sons are junior officers, proud parts of — until recently? — the only reasonably functioning element of Pakistani society. Who is to blame for the dysfunction of Pakistan, including attacks on the military itself? What and who is the source of this shame? What enemy can the brave Brigadier bring to justice?

Jose de Jesus Mendez Vargas, seeing family and friends disappear into the prison of poverty and madness of drug addiction, was motivated by love of neighbor. According to a Drug Enforcement Administration backgrounder La Familia, “has a strong religious background. It purportedly originated to protect locals from the violence of drug cartels. Now, La Familia Michoacana uses drug proceeds to fuel their agenda that encompasses a Robin Hood-type mentality – steal from the rich and give to the poor. They believe they are doing God’s work, and pass out bibles and money to the poor. La Familia Michoacana also gives money to schools and local officials.” He only decapitated predators (and threw their heads onto dance floors).

According to the Daily Mail the young Mr. Cleary is a deeply troubled man seldom leaving his bedroom, fearful, and suicidal. Yet when asked what he did all day online, he reportedly replied, “God’s work.”

In November 2009 the Times of London published an in-depth profile of Goldman Sachs. It included an interview with the unlikely-to-be-arrested CEO of the firm, Lloyd Blankfein. Even while skid-marks from the crash of capitalism were still smoking, Mr. Blankfein was confident of his purpose.

Is it possible to make too much money? “Is it possible to have too much ambition? Is it possible to be too successful?” Blankfein shoots back. “I don’t want people in this firm to think that they have accomplished as much for themselves as they can and go on vacation. As the guardian of the interests of the shareholders and, by the way, for the purposes of society, I’d like them to continue to do what they are doing. I don’t want to put a cap on their ambition. It’s hard for me to argue for a cap on their compensation.” So, it’s business as usual, then, regardless of whether it makes most people howl at the moon with rage? Goldman Sachs, this pillar of the free market, breeder of super-citizens, object of envy and awe will go on raking it in, getting richer than God? An impish grin spreads across Blankfein’s face. Call him a fat cat who mocks the public. Call him wicked. Call him what you will. He is, he says, just a banker “doing God’s work.”

–+–

I should probably leave it there. The case is sufficiently made for anyone who has read this far and cares to consider it.  But I will be tediously explicit: My ability to mistake my own desires as God’s intention is significant.  I am not alone.

So, some will say, we have further proof for the dangers of divine delusion.  Especially as a believer I agree that danger and delusion are involved.

The issue is how to engage the threat.  I don’t perceive secular empiricism as a promising near-term therapeutic regime. Too many of those most in need of the therapy are evidently immune to its ministrations.  Might we extract a vaccine from the virus itself?

In his 1927 book, “Does Civilization Need Religion?”, Reinhold Niebuhr wrote:

“Religion intensifies selfishness when it adds sanctity to a respectable selfish life and creates a self-respect which is impervious to emotions of contrition. If the religious ideal is to gain any potency in modern life it must be able to convict men of sin and inspire them to a conversion. But the sins of which they need most to be convicted are those which are covert in the social and economic relations which custom has hallowed; and the conversion of life which is most needed is that which will express itself in terms of the economic and political relationships in which men live…

Religion is therefore under the necessity of developing the critical faculty even while it maintains its naivete and reverence. The necessity of cooperation between the naturally incompatible factors of reason and imagination, of intelligence and moral dynamic, is really the crux of the religious and moral problem in modern civilization. The complexity of modern life demands that moral purpose be astutely guided; but moral purpose itself is rooted in ultra-rational sanctions and may be destroyed by the same intelligence which is needed to direct it. Both humility and love, the highest religious virtues, are ultra-rational; yet they cannot be achieved in an intricate social life without a discriminating intelligence which knows how to uncover covert sins and to discover potential virtues. The incidental limitations which every historic type of religion reveals can be dealt with only if the religious devotee can be persuaded to regard the values of his religion critically…”

Religiously-inspired terrorism — or mayhem or pride — is usually the signal of an immature and ill-considered religiosity.  The most effective solution may be in cultivating a more discriminating and self-critical engagement with the religious domain.

In other words, love others and approach God with deep humility.

June 7, 2011

“America’s Cyber Future: Security And Prosperity In The Information Age”

Filed under: Cybersecurity — by Christopher Bellavita on June 7, 2011

A colleague told me about a May 31, 2011 two volume policy report from the Center for A New American Security called “America’s Cyber Future: Security And Prosperity In The Information Age.”  The report is available at this link.

From the web page:

America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.

Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Here is the table of contents:

Volume I

America’s Cyber Future: Security and Prosperity in the Information Age

By Kristin Lord and Travis Sharp

Volume II

  • Chapter I: Power and National Security in Cyberspace
    By Joseph S. Nye, Jr.
  • Chapter II: Cyber Insecurities: The 21st Century Threatscape
    By Mike McConnell
  • Chapter III: Separating Threat from the Hype: What Washington Needs to Know about Cyber Security
    By Gary McGraw and Nathaniel Fick
  • Chapter IV: Cyberwar and Cyber Warfare
    By Thomas G. Mahnken
  • Chapter V: Non-State Actors and Cyber Conflict
    By Gregory J. Rattray and Jason Healey
  • Chapter VI: Cultivating International Cyber Norms
    By Martha Finnemore
  • Chapter VII: Cyber Security Governance: Existing Structures, International Approaches and the Private Sector
    By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad
  • Chapter VIII: Why Privacy and Cyber Security Clash
    By James A. Lewis
  • Chapter IX: Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security
    By Richard Fontaine and Will Rogers
  • Chapter X: The Unprecedented Economic Risks of Network Insecurity
    By Christopher M. Schroeder
  • Chapter XI: How Government Can Access Innovative Technology
    By Daniel E. Geer, Jr.
  • Chapter XII: The Role of Architecture in Internet Defense
    By Robert E. Kahn
  • Chapter XIII: Scenarios for the Future of Cyber Security
    By Peter Schwartz

April 5, 2011

Is there such a thing as cyber terrorism?

Filed under: Cybersecurity — by Christopher Bellavita on April 5, 2011

This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.

But first, the set up….

———————————————–

Is there such a thing as cyber terrorism?

I understand there’s something called cyber warfare. And cyber crime. And cyber security. But what about cyber terrorism?

And if there is something called cyber terrorism, has the US been attacked by cyber terrorists? Or maybe that question should be: have terrorists attacked the US with cyber weapons? And if not, could they? Will they?

Experts cannot agree whether cyber terrorism is real or even if it is a useful concept.

I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.

I have another friend who teaches a course on homeland security threats. He says nations attack nations with cyber weapons. Non-state actors don’t use cyber weapons. So in the homeland security threat spectrum, he says, cyber is more about sound than significance.

———————————————–

Former DHS Secretary Chertoff sort of disagrees.

He devotes Chapter 8 to cybersecurity in his book “Homeland Security: Assessing the First Five Years.” He underscored that concern in his March 2 appearance with the other two DHS secretaries:

“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”

Secretary Napolitano agreed with Chertoff:

… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you’re talking about something, they’re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who’s 20 years old and who’s grown up with the computer just as part of life.

———————————————–

The US has a cyber incident annex to the National Response Plan. I think that was updated in September of 2010 with an Interim Version of the National Cyber Incident Response Plan.  I believe that is meant to serve as part of the National Response Framework. But I’m not sure. Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.

———————————————–

The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see here or here for probably more than you want to know about LizaMoon].

As I understand it, LizaMoon is a small piece of computer code that places itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected. Liza then offers to clean the computer and the trouble expands.

I don’t know if this is a big deal or not. Some reports say over a million websites were infected. Is that a lot? Other reports (like this one) say it’s not that big of a deal.

———————————————–

Also this weekend, I learned that a firm called Epsilon had (according to its press release):

“…an incident … where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”

Translated into numbers, “a subset of Epsilon clients” could be several million people.

Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”

———————————————–

These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day.  Maybe I’m overly sensitive to these kinds of incidents since some of my web presence was hacked in December.  It wasn’t terrorism.  But it was disturbing.

Are cyber “attacks” something an inquiring homeland security mind should be concerned about?  I use that word in quotes because I know there are thousands of cyber incursions every day.  How should one even start to think about this cyber stuff?

———————————————–

I went to three government sites that, I thought, would help me frame and understand these incidents: IT-ISAC: The Information Technology Information Sharing and Analysis Center, MS-ISAC: The Multi-State Information Sharing and Analysis Center, and US-CERT: the United States Computer Emergency Readiness Team.

I thought they might have some information about what I figured might be fairly significant incidents. But if they did, I missed it.

I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.

But I do have to say the MS-ISAC has a really impressive looking Cyber Operations Center Dashboard.  Looking at it made me feel like Mr. Jones in Bob Dylan’s “Ballad of a Thin Man”:

… something is happening here

But you don’t know what it is

Do you, Mister Jones?

———————————————–

Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.

The IT-ISAC says:

The mission of the IT-ISAC is to:

• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,

• Establish a mechanism for systematic and protected exchange and coordination of such information [my emphasis] and trusted collaboration; and

• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.

The MS-ISAC says:

The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.

Major Objectives of the MS-ISAC

• provide two-way sharing of information and early warnings on cyber security threats

• provide a process for gathering and disseminating information on cyber security incidents [my emphasis]

• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors

• coordinate training and awareness

• ensure that all necessary parties are vested partners in this effort

The US-CERT says:

US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.

US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. [my emphasis]

———————————————–

If it isn’t at least part of their job to provide situation awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it? Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.

I guess I’m ok with that as an interim fix.

But is that the plan?

———————————————–

Ok, that’s the set up. Now the movie.

Perhaps you’ve heard of Stuxnet. If not, you can read about it here.  The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”

So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.

However after watching this video (also available here) — particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction — I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.

January 27, 2011

Cyber Musings from an Author and a Wonk

Filed under: Cybersecurity — by Arnold Bogis on January 27, 2011

The New York Times had a cyber two-fer on their op-ed page today.

First up: celebrated cyberpunk author William Gibson (credited with coining the phrase “cyberspace” in the early 1980s), who provides historical context for the Stuxnet virus:

In January 1986, Basit and Amjad Alvi, sibling programmers living near the main train station in Lahore, Pakistan, wrote a piece of code to safeguard the latest version of their heart-monitoring software from piracy. They called it Brain, and it was basically a wheel-clamp for PCs. Computers that ran their program, plus this new bit of code, would stop working after a year, though they cheerfully provided three telephone numbers, against the day. If you were a legitimate user, and could prove it, they’d unlock you.

But in the way of all emergent technologies, something entirely unintended happened. The Alvis’ wheel-clamp was soon copied by a certain stripe of computer hobbyist, who began to distribute it, concealed within various digital documents that people might be expected to want to open. Because almost all these booby-trapped files went out on floppy disks, the virus spread at a pre-Internet snail’s pace.

Should the lights go out in our online bus shelters one day, or some critical control system go spectacularly awry, it may in a sense, however distantly, be because Israel found a way to shut down Iran’s centrifuges. But in another way it will be the result of a bright idea two brothers once had, in the vicinity of Lahore Railway Station, to innocently clamp a digital pirate’s wheel.

Considered something of a cyber-visionary, Gibson points out he foresaw computer viruses becoming strategic weapons deployed by nation states but admits to missing the possibility that they would, for the most part, be the tool of amateur vandals.

The second piece is from Richard Falkenrath, former Bush White House homeland security official and NYPD Counterterrorism Commissioner. He covers a lot of familiar ground, questions of sovereignty and collateral damage, but brings up an interesting new (at least to me) issue:

Under American law the transmission of malicious code is in many cases a criminal offense. This makes sense, given the economy’s reliance on information networks, the sensitivity of stored electronic data and the ever-present risk of attack from viruses, worms and other varieties of malware.

But the president, as commander in chief, does have some authority to conduct offensive information warfare against foreign adversaries. However, as with many presidential powers to wage war and conduct espionage, the extent of his authority has never been enumerated.

This legal ambiguity is problematic because such warfare is far less controllable than traditional military and intelligence operations, and it raises much more complex issues of private property, personal privacy and commercial integrity.

Therefore, before our courts are forced to consider the issue and potentially limit executive powers, as they did after President Harry Truman tried to seize steel plants in the early 1950s, Congress should grant the White House broad authority to wage offensive information warfare.

Both pieces are worth reading in full.

January 20, 2011

Lessons from Estonia’s Cyber Army

Filed under: Cybersecurity,Preparedness and Response — by Arnold Bogis on January 20, 2011

Dr. Who fans, don’t get excited.  Estonia is not creating an army of Cybermen.

Instead, as reported by NPR, it has created an all volunteer force of programmers and computer scientists that would be mobilized to defend the country during a cyberwar.

The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.

“[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies,” Defense Minister Jaak Aaviksoo says. The force carries out regular weekend exercises, Aaviksoo says, “to prepare for possible cyber contingencies.”

For a nation as dependent on the internet for everyday life as Estonia, the fear of cyber attack is strong. The risk was made vivid following the 2007 assault on many of the country’s networks.  So strong, in fact, that there is serious consideration given to instituting a cyber draft:

The sense of cyber vulnerability in Estonia has been a key rallying point for the Cyber Defense League. No democratic country in the world has a comparable force, with computer specialists ready and willing to put themselves under a single paramilitary command to defend the country’s cyber infrastructure.

Aaviksoo says it’s so important for Estonia to have a skilled cyber army that the authorities there may even institute a draft to make sure every cyber expert in the country is available in a true national emergency.

There seem to be some obvious lessons for U.S. cyber efforts, but cultural differences may present too large of a firewall…

In the United States, most top cybersecurity experts work in the private sector and are not available for government duty, even in times of an emergency. Stewart Baker, who tried to coordinate cyberdefense efforts at the Department of Homeland Security under President George W. Bush, says a Cyber Defense League like Estonia has would have been helpful.

But Baker, a former general counsel at the National Security Agency, says it’s been hard in the United States to promote public-private collaboration in cybersecurity.

“The people who work in IT in the U.S. tend to be quite suspicious of government,” Baker says. “Maybe they think that they’re so much smarter than governments that they’ll be able to handle an attack on their own. But there’s a standoffishness that makes it much harder to have that kind of easy confidence that you can call on people in an emergency and that they’ll respond.”

Potential lessons learned for U.S. homeland security are not limited to the cyber arena.

The unit is but one division of Estonia’s Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country’s security and preserving its independence.

Aaviksoo says Estonian civilians are willing to be mobilized to defend their country because of their experience of invasion and occupation: by the Soviet Army in 1939, followed by the Germans in 1941 and then again by the Soviet Union, which occupied Estonia until it broke free in 1991.

“Insurgent activity against an occupying force sits deep in the Estonian understanding of fighting back,” Aaviksoo says, “and I think that builds the foundation for understanding total defense in the case of Estonia.”

While a paramilitary force is not required in the U.S. to preserve our independence, the Estonian Total Defense League could be a model for increasing citizen resilience, in particular active participation in prevention, mitigation, preparedness, response, and recovery activities.  A Total Resilience League?

CERT is a good, if underfunded and underdeveloped, first start in this direction. The next step should be a concentrated effort to engage those outside of traditional homeland security communities with relevant expertise or experience to participate in resilience-building activities.  For example, veterinarians as well as anyone else with a modicum of medical training should be accepted as providers/responders during any catastrophe that overwhelms traditional response organizations (thus helping to create community medical resiliency).  Unfortunately, I fear that ingrained attitudes found within those organizations, concerning behavior of the public in general and volunteers in particular during events of all sizes, will be a major impediment.  But we can always hope.

December 19, 2010

“Cyberspace is fundamentally a civilian space” says Janet Napolitano

Filed under: Cybersecurity — by Philip J. Palin on December 19, 2010

Friday Secretary Napolitano delivered a speech on cybersecurity to a forum sponsored by The Atlantic and Government Executive.  About mid-way through the remarks there was something that sounded new to me:

Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it’s the market or the war. Those are the two analogies that you hear.

Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe. So let me just say that again. In my judgment, both the market and the battlefield analogies are the wrong ones for us to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe.

So we’re proud to be a part of that global effort. We believe in the importance of an open Internet, but we cannot have an Internet that is open, but not secure, nor an Internet that is secure but not open. And I think just by saying that, that lays down the challenge that we confront.

So… like a watershed, or a fishery, or deep sea oil deposits, or the radio spectrum, or other “common pool resources,” there is a shared public-private responsibility.  If that’s the model, Elinor Ostrom would appreciate the emphasis on “fundamentally a civilian space.”

Dr. Ostrom’s research and that of her myriad disciples — including yours truly — suggests that when the emphasis starts and stays on user management then resilient systems are more likely to emerge.  Effective norms are developed by users — who know and depend on the resources most — and are adopted not just as rules but as fundamental expectations across the system.

When government is a facilitator, trusted source of information, and a last resort of enforcement against norm-breaking users, public-private partnerships usually thrive.  Government insisting on taking an aggressive lead is an early symptom of collapse in many a commons.

Perhaps I am reading too much between too few lines. The Secretary did not say much. Maybe she was just sending a turf-claiming signal to DOD. There was no footnote pointing us to Elinor Ostrom. Imposing a Nobel Laureate’s meaning on the Secretary’s remarks may be a stretch.  But I like the stretch.

Earlier in the speech the Secretary had a paragraph that did not sound new (at least to me), but when read in combination with what is excerpted above takes on new meaning (at least for me):

Finally, I want to stress that cybersecurity isn’t about control. It’s not about government control. It is about partnerships. But partnership needs to have some effectiveness. There needs to be meat on the bone when we say partnership. And there needs to be widespread distributed action toward that goal, so that we view this much more as creating, if I may, layered security involving partnerships, as opposed to top-down or government-down. So we are working more closely than ever to identify the private sector partners who we need, and work with them, and also across the federal family.

November 19, 2010

Vulnerability to various viruses and other poisonous ooze

Filed under: Aviation Security,Biosecurity,Cybersecurity,Radicalization — by Philip J. Palin on November 19, 2010

The re-introduction of cholera to Haiti — the US and Dominican Republic — is a huge step backward in a century-long effort to corner, contain, and eliminate the highly infective and deadly disease.  The precise cause of the outbreak is not yet known, but experts have said the simple absence of hand soap has considerably accelerated the spread of the bacteria that causes the disease.

This week, for the first time in seven years, a human case of Avian Influenza was confirmed in Hong Kong.  But already this year there have been 22 confirmed cases and nine deaths in Egypt and seven cases and two deaths in Vietnam.  Most epidemiologists continue to consider the world past due for a serious pandemic. The Avian H5N1 virus is thought to be the most likely source.

Last year’s Swine Flu or H1N1 pandemic should have been – and in some ways was — a fantastic real-world exercise for pandemic preparedness.  We were lucky the particular virus was fairly low-grade.  Our weaknesses were exposed, but the consequences were modest.  But from what I can see, the less-than-dire consequences of H1N1 may have suppressed personal and institutional preparedness for H5N1 or other potential strains of pandemic influenza.

Wednesday a series of cyber specialists told the Senate Homeland Security and Governmental Affairs Committee that the Stuxnet worm has viral capabilities. “What makes Stuxnet unique is that it uses a variety of previously seen individual cyber attack techniques, tactics, and procedures, automates them, and hides its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring,” according to Sean P. McGurk, acting director of the DHS National Cybersecurity and Communications Integration Center.

But while Stuxnet is viciously sophisticated once it infects a system, prevention measures are classic.  According to PC Magazine these include, “Deploy an anti-malware solution; watch out for vendor security notifications and alerts, and apply patches; ensure that users are updated via security education and awareness programs; and be aware of their assets.”  Attention and discipline are the most important preventive measures.

A Russian biologist, Dmitry Ivanovsky, discovered viruses in the late 19th century.  The word virus has a Latin origin that usually referred to a poisonous ooze.

Virus is closely related to the Latin virulentus.  The English “virulent” also means poisonous, but today is probably more often used for anything that is extremely infective and rapidly spreading. Especially in this context, it has made sense to use the biological term for malicious computer code and now for anything digital that is rapidly consumed.

The John Tyner — “don’t touch my junk” — video and narrative has certainly gone viral.  I am disgusted by it.  The combination of a puerile wanna-be passenger and a couple of aggressively bureaucratic TSA agents has certainly produced a poisonous ooze of invective going every which way.

Like soap in Haiti and disciplined attention with our computers, a reasonable dose of recognizing the humanity of one another might have avoided the entire drama.

In regard to transportation security, there are meaningful issues of privacy and security that deserve serious consideration. In their Tuesday post Chris Bellavita and Dee Walker outlined several.  Most persuasive to me is that TSA is too often preoccupied with going through the motions.  They need our help, as informed and active citizens, to focus on delivering real security value.

But John Tyner is no Rosa Parks.  Neither are the two slightly obnoxious TSA agents a latter day Sheriff Clark and Governor Wallace. John Tyner missing his plane is no Bloody Sunday.

What I perceive in most — not all — reactions to the John Tyner incident is an epidemic of self-righteous rage.  I saw similar symptoms yesterday on the streets of Baltimore.  I can’t always flip the channel quickly enough to miss it on television.  I hear it on radio talk shows and in the halls of Congress.  I don’t know the epidemic’s source, but the destruction caused is easy enough to see.

I can understand the rage of some Haitians – ten months after the earthquake, two weeks after being flooded out of their tents and shanties, and now told the water on which they depend is deadly — in some moments I share their rage.

But how do we diagnose — or treat — the rage of the well-fed and warmly housed?  There seems to be some virus attacking our sense of relationship with one another, of being Americans together, of our shared humanity.

In 1992 the rap metal band Rage Against the Machine wrote what seems to have become the angry anthem of those from the left, right, and plenty in the middle:

I’ve got no patience now
So sick of complacence now
I’ve got no patience now
So sick of complacence now
Sick of sick of sick of sick of you
Time has come to pay…
Know your enemy!

It is an epidemic: virulent, poisonous, and just as deadly as any other infection.

October 18, 2010

Shall We Play A Game?

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on October 18, 2010

In the 1983 movie WarGames, a teenager/hacker named David Lightman breaks into a military computer and challenges the WOPR (War Operation Planning Response) supercomputer to a game of Global Thermonuclear War.   The result? A nuclear war simulation that nearly starts World War III as WOPR convinces the military that Soviet nuclear missiles are inbound and that the USSR is staging an attack on the U.S.   In an attempt to get WOPR to stop playing the “game,” the computer is directed to play tic-tac-toe against itself.  The computer learns from this exercise the concept of futility as its tic-tac-toe games end in draws.  The computer then stops its game, noting to its human observers, “A strange game. The only winning move is not to play. How about a nice game of chess?”

Watching the movie this weekend on Netflix reminded me of our nation’s efforts to achieve cybersecurity.  Reports this past week made me wonder if, perhaps, those efforts are much like a game of tic-tac-toe or Global Thermonuclear War.  Last week, the Government Accountability Office issued a report that raised concerns about the Obama Administration’s implementation of recommendations included in the White House’s 2009 cybersecurity review. The GAO noted that of the 24 recommendations laid out by the review, only two have been fully implemented – the appointments of Howard Schmidt and a privacy/civil liberties official.

The GAO found that some progress had been made on 22 of the 24 recommendations but concluded that

[o]ur extensive research and experience at federal agencies have shown that, without clearly and explicitly assigned roles and responsibilities and documented plans, agencies increase the risk that implementing such actions will not fully succeed. Consequently, until roles and responsibilities are made clear, and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country’s cyber infrastructure at risk.

Defining roles and responsibilities is not an easy feat.  Since 1996, when President Clinton first took a comprehensive approach to critical infrastructure protection and cybersecurity by putting it on the government’s radar, there has been a struggle over who should be responsible for cybersecurity. That effort was recreated/repeated when President Bush issued a national strategy in 2003 and then, again, in 2008, created the Comprehensive National Cybersecurity Initiative (CNCI).  Thus, the 2009 review referenced by the GAO was not the first effort in what seems to be a continual game of tic-tac-toe.

Part of the problem is that cybersecurity is present in so many different areas, requiring (seemingly) various agencies to be engaged.  When the Department of Homeland Security was created, many of the government’s cyber efforts were merged into the new agency, though many agencies chose not to transfer over elements that would have made the new Department’s cyber efforts stronger.  The result?  DHS, while improving, continues to struggle with its efforts to lead on the cybersecurity front, especially as it does not have explicit authority to tell other agencies what to do on cyber matters, particularly with regard to private sector engagement.

I’ve written several times about the struggle between DHS and the Department of Defense for leadership of the nation’s cybersecurity efforts.  Last week, Defense Secretary Robert M. Gates and Homeland Security Secretary Janet Napolitano announced that the two agencies signed a memorandum of agreement to better protect against threats to military and civilian computer networks and systems.  The agreement calls for DoD cyber analysts to work with DHS to support the National Cybersecurity and Communications Integration Center.  In addition, a DHS senior staffer will be detailed to NSA.  While promising, the skeptic in me hopes that we do not see a repeat of the National Infrastructure Protection Center “sharing” experience of the 1990s, where the FBI and the Secret Service joined efforts on cybercrime and infrastructure protection, only to see the Secret Service abandon the NIPC over operational differences.

So is our cybersecurity effort futile?  Unlike Global Thermonuclear War, it is not the case that “the only winning move is not to play” on the cybersecurity front unless, of course, one advocates an impossible-to-achieve Luddite approach of unplugging our society from computers.   If we can realize that total elimination of cyberthreats is impossible and that our efforts should focus on how to mitigate potential threats and risks as much as is feasible and imaginable, then we may continue to make progress on the cybersecurity front.   I’ve noted before that the Obama Administration appears to have the right people in place.  With expectation management and a commitment to not repeat past mistakes, we may just see an end to the cybersecurity tic-tac-toe.

August 19, 2010

Dealing with inappropriate expectations in a relationship. (Yes, this is a homeland security blog.)

Filed under: Cybersecurity,General Homeland Security — by Philip J. Palin on August 19, 2010

Monday the House Homeland Security Committee released a new GAO study: Key Private and Public Cyber Expectations Need to be Consistently Addressed.

The Government Accountability Office reports that the private sector is disappointed in the public sector and the reverse is also true.  From the report:

Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations… 
Public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons.
Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure.

Our daughter just celebrated her first wedding anniversary.  I recently asked, “Have you uncovered any big expectations either of you brought into the marriage unrecognized by the other?”  I will not share her answer.  But many of us have been there and have our own answers.

Reading the GAO study, one cyber-partner expects the other to be brilliant, efficient, and consistently effective.   Meanwhile the “brilliant” cyber-partner expects the other to be generous, trusting, and communicative.

Sounds entirely like too many just-married couples.  We’ve been at this for nearly nine years now.  Where’s the realism?

The GAO reports, “The two most expected services private sector stakeholders want from their federal partners are timely and actionable cyber threat and alert information—providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. The percentages of private sector survey respondents reporting that they expect timely and actionable cyber threat and alert information to a great or moderate extent were 98 and 96, respectively.”

Sounding like a tough marriage counselor, the GAO writes, “Only 27 percent of private sector survey respondents reported that they were receiving timely and actionable cyber threat information and alerts to a great or moderate extent.”

I’m amazed the percentage is so high.  If I would take my wife’s top two expectations of me and she could confidently say I was regularly meeting those expectations 27 percent of the time… even if only to a “moderate extent.”  Well, she would probably be thrilled.

Most of the time the public sector has nothing specific to tell the private sector regarding an actionable cyber threat or alert.  Most of the time the private sector will know about the threat before the public sector.

When the GAO asked public sector cyber-professionals about their private sector partners even more good news emerged. “Many government councils reported that the private sector is mostly meeting their expectations in several areas… Four of the five government councils stated that they are receiving commitment to execute plans and recommendations and timely and actionable cyber threat information to a great or moderate extent.”  Without my ellipses the tone of the GAO report is more negative.  But the quote above is much more honest than quotes on most movie ads.

Despite the basically good news, the public sector wants the private sector to share more. (Isn’t that what the private sector is asking from the public sector?) “One issue is that private sector stakeholders do not want to share their sensitive, proprietary information with the federal government. In addition, information security companies could lose a competitive advantage by sharing information with the government which, in turn, could share it with those companies’ competitors. In addition, according to DHS officials, despite special protections and sanitization processes, private sector stakeholders are unwilling to agree to all of the terms that the federal government or a government agency requires to share certain information.”

Other than FOIA, Congressional hearings, and WikiLeaks what could those pesky private sector folks be worried about?

There are some real challenges.  Read the GAO report.  Sure, improvement is possible.  But what I read — admittedly between the lines — is the description of an amazingly productive relationship… especially if the two parties don’t focus too much on their unrealistic expectations of each other.

The following is from another website with a very different mission than HLSWatch, but in this case the advice seems appropriate:

It’s okay to have expectations. Everyone does. However, the expectations need to be achievable or the sense of disappointment, disillusionment and despair from failed expectations will bring (the relationship) to the point of wanting to call it quits.

Hopefully, your expectations will include being able to… resolve conflicts, to appreciate your differences… to respect one another, and to be able to discuss values and priorities.

It is very important to be able to identify and actually talk about expectations with one another. Together you can fine tune your expectations so that neither of you are trying to live up to something that is impossible.

I had finished the preceding before reading Mark’s Wednesday piece.  If you have not, just keep reading below.  Mark and I don’t know each other, live on opposite coasts, and usually start from very different places.  Somehow we keep meeting along the way.  After a while, recurring coincidence may suggest an emerging pattern.

July 9, 2010

Cybercitizen?

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on July 9, 2010

Siobhan Gorman of the Wall Street Journal reported yesterday that the National Security Agency (NSA) is developing a cybersecurity program entitled “Perfect Citizen” that would “rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.” The purpose of the program would be to “detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants.”

Raytheon allegedly won a $100 million contract for the first phase of the project, which is part of the Comprehensive National Cybersecurity Initiative (CNCI) rolled out in January 2008 by President George W. Bush in the classified National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23).  President Obama announced in May 2009 as part of the current Administration’s Cyberspace Policy Review that elements of the CNCI would continue as part of an increased effort to build our nation’s cybersecurity strengths.

NSA confirmed late Thursday/early this morning that Perfect Citizen is, indeed, a real program but took issue with the Wall Street Journal’s portrayal. In a statement the agency said “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor…. Specifically, it does not involve the monitoring of communications or placement of sensors on utility company systems.”  The NSA went on to say that “this contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.”

Since Gorman’s story on Perfect Citizen yesterday, there has been a flurry of Internet activity asking several questions, all of which mirror the larger issues facing the federal government as it tries to tackle cybersecurity.  Those questions are:

  1. How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?
  2. If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?
  3. Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

The questions are intertwined but are not new — the government has struggled with them since the mid-90s when President Bill Clinton announced the first large-scale public efforts to develop public-private partnerships to address critical infrastructure and cybersecurity.   How the Obama Administration chooses to address these three questions going forward will help define the future of cybersecurity for citizens, stakeholders, contractors, the federal government, and our international partners.

How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?

Interestingly, this is objective #12 of 12 in the CNCI, according to documents released by President Obama last year.  According to the White House National Security Council’s website describing the program, that objective is as follows:

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.

This objective, as stated, meshes with findings of the President’s Commission on Critical Infrastructure Protection, created by President Clinton in 1996, in its report Critical Foundations, Protecting America’s Infrastructures.  In its 1997 report, the Commission found:

The quickest and most effective way to achieve a much higher level of protection from cyber threats is a strategy of cooperation and information sharing based on partnerships among the infrastructure owners and operators and appropriate government agencies.

To facilitate this new relationship between government and industry, new mechanisms will be needed, including sector “clearing houses” to provide the focus for industry cooperation and information sharing; a council of industry CEOs, representatives of state and local government, and Cabinet secretaries to provide policy advice and implementation commitment; a real-time capability for attack warning; and a top-level policy making office in the White House.
Another area where government must lead is in research and development. Some of the basic technology and tools needed to provide improved infrastructure protection already exist, but need to be widely employed. However, there is a need for additional technology with which to protect our essential systems. We have, therefore, recommended a program of research and development focused on those needed capabilities.

It is eerie how little the rhetoric, problems, and solutions on cybersecurity have changed in 13 years, especially given the leaps and bounds we have seen on the technology front – from broadband to smart grids to wireless to social networks.  The 1997 report would be one of a handful to emerge from the government, all touting the same action items.  In addition, several federal entities – many with acronyms as names – emerged over the years, from the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce to the National Infrastructure Protection Center (NIPC) at the FBI to the National Cyber Security Division (NCSD) at the Department of Homeland Security.

We also saw directives offered by both Presidents Clinton and Bush to further explain the complex relationship between the government and the private sector in protecting critical infrastructures.  PDD 63, released in May 1998, established national policy on necessary measures to eliminate significant vulnerabilities to physical and cyber attacks on U.S. critical infrastructures, including U.S. cyber systems.  HSPD-7, released in December 2003, superseded PDD-63, and focused on establishing a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks.

Since Perfect Citizen is focused on the energy sector, it is worth noting that the 1997 Critical Infrastructure report did specifically address the vulnerabilities and threats of the energy sector in one of its chapters.  Its concluding findings were:

  1. The authorities and responsibilities for energy infrastructure assurance in the federal government need to be clarified.
  2. The respective responsibilities of government and private sector for infrastructure assurance are not clearly understood.
  3. Improved sharing of threat information and “indications and warning” (I&W) information is needed. Improved sharing of industry experience is needed (e.g., a fully populated cyber intrusion database).
  4. More training and awareness in infrastructure assurance is needed, focusing on risk management, vulnerabilities, performance testing, and cyber security.
  5. Infrastructure assurance technology advancements could add significantly to the overall protection of industry assets.
  6. Adopting uniform physical and cyber security guidelines, standards or best practices would enhance protection.

Interestingly, the government had already been looking at energy sector vulnerabilities before the Commission was even formed.  In the late 80s, the House Energy & Commerce and Senate Government Affairs Committees held hearings and requested an assessment from the then-existing Office of Technology Assessment on the vulnerabilities of the grid. OTA released a report in 1990 entitled “Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage.”  The report describes the various agencies involved in protecting electric systems, from the National Security Council to the Federal Emergency Management Agency to the Department of Defense to the FBI, and includes the conclusion that “[t]he appropriate level of government intervention is a matter of value judgment and opinion. The level of threat, both sabotage and natural disaster, cannot be quantified, and the costs of a major outage are highly dependent on the exact nature of the outage.”

So what can be concluded from these efforts?  Maybe the OTA report is right – government intervention/involvement in private sector efforts in this area is really a value judgment call where we will see the right mix when we see it.  There is no easy answer though it is clear that it has to be a joint effort if we are going to protect our critical infrastructures such as the electric grid, nuclear plants, and oil pipelines.  Attention should be focused on specific solutions that can harden our systems and advance our efforts beyond policy, partnerships, and threatened mandates.

If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?

Privacy concerns relating to how the federal government works with the private sector on monitoring critical systems are also not new.  Each time the government creates a cybersecurity program, concerns are raised – some rightly, some not – about what we are doing on the privacy front.

In the late 90s/early 2000s, the FBI came under fire for its unfortunately named program “Carnivore,” which was designed to monitor email and electronic communications through the use of customized packet sniffers.  The name was quickly changed to DCS1000 (despite some calls for it to be renamed “Fluffy Bunny”) but the program never quite survived the privacy uproar that followed it.

Currently, the Einstein (1, 2, 3) programs that make up part of the CNCI effort remain under fire from privacy and civil liberties advocates because they involve deep packet inspection and scanning of communications for malicious code before they attack government systems.  Einstein 1 and 2 have been examined in great detail and have Privacy Impact Assessments available.  Einstein 3, which has yet to be rolled out fully, has created the most controversy as it would allegedly preempt strikes before they happen by sharing information with the NSA (a simplistic description that I’m sure has many techies rolling their eyes).

The concerns for many privacy and civil liberties advocates on this front are two-fold. First, there is a general concern that NSA’s involvement in what many deem a civilian effort, especially in light of NSA’s surveillance and intelligence gathering missions, would go beyond protecting to actively intruding on citizens’ privacy and activities.  Second, to the degree there is discussion about extending Einstein and other programs into the private sector, there is concern about government involvement in such efforts, especially in light of concerns over NSA involvement and use of its “Tutelage” technology developed for screening cybersecurity networks.

We can expect the same concerns raised by Einstein 3 to be raised with Perfect Citizen.  The fact that private sector systems are the focal point of the effort, something that most of the CNCI has avoided by focusing on government systems, may raise further questions as experts try to parse out what really is going on with Perfect Citizen.  Since it is a classified program, much of the discussion will focus on speculation and rumors, making the privacy concerns more difficult to discern.  NSA’s involvement will only magnify those concerns.  It is hard to address concerns about problems that are only speculative and so dependent on “trust” but with little way to “verify” for privacy advocates.

Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

Before answering this question, it is worth exploring whether the privacy issues raised in question 2 would go away if NSA was not involved in Perfect Citizen.  My assessment is that they would not, as DHS has had a number of programs come under privacy scrutiny and much of the proposed activity would need to be classified to achieve its goals and be successful.  The protection of industry information would also have to be adequately addressed.

So putting those concerns aside, should DHS or NSA be leading this effort?  It is hard to understand exactly what role NSA is playing in this effort or why, according to media reports, it is doing outreach to utilities.  Especially confusing is the fact that if you look at Objective #12 under the CNCI (see above), DHS has the lead on the effort to extend government efforts to the private sector and has done extensive work, along with the Department of Energy and the Federal Energy Regulatory Commission, on the various subsectors within the energy sector on protecting their systems.

Also unclear is how the NSA’s lead (if it is indeed leading) on Perfect Citizen meshes with the Office of Management and Budget’s Memorandum released earlier this week, on July 6th, entitled Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS).

That memorandum clearly states:

Under various national security and homeland security Presidential directives, and pursuant to its statutory authorities, DHS oversees critical infrastructure protection, operates the United States Computer Emergency Readiness Team (US-CERT), oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector.

Maybe future revelations about Perfect Citizen will reveal DHS’s role in the program and make clearer how NSA is engaging with the energy sector on what the agency is calling a “research and development” program.  Given the complexities involved with cybersecurity, if NSA has technology that is useful that has been developed on “the other side,” shouldn’t it be working with DHS and other civilian agencies to test it and determine its applicability in civilian government and private sector systems?

If it does not have the technology but is contracting with outside entities to develop it purely for civilian purposes, then that would seemingly contradict the understood paradigm on who does what in cybersecurity for the government and with public-private outreach.  Based on what has been made public so far, it is unclear which scenario is actually taking place.

In any event, it would be helpful for the Administration to clarify roles and responsibilities and how it sees the interplay between NSA and DHS on cybersecurity, much in the same way it did on the interplay between the White House and DHS in this week’s OMB memo, as the tension between DHS-NSA efforts will likely not disappear anytime soon.


June 4, 2010

A Review: Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism

In 2005, Stewart Baker joined the Department of Homeland Security as Assistant Secretary of Policy for the entire Department of Homeland Security under Secretary Michael Chertoff. The position, which evolved from the Assistant Secretary for Border and Transportation Security Policy and Planning position, has the following responsibilities, according to the DHS website:

  • Leads coordination of Department-wide policies, programs, and planning, which will ensure consistency and integration of missions throughout the entire Department.
  • Provides a central office to develop and communicate policies across multiple components of the homeland security network and strengthens the Department’s ability to maintain policy and operational readiness needed to protect the homeland.
  • Provides the foundation and direction for Department-wide strategic planning and budget priorities.
  • Bridges multiple headquarters’ components and operating agencies to improve communication among departmental entities, eliminate duplication of effort, and translate policies into timely action.
  • Creates a single point of contact for internal and external stakeholders that will allow for streamlined policy management across the Department.

Baker would hold the position for the next four years, tackling a variety of issues from border and travel to cybersecurity and the Committee on Foreign Investment in the United States (CFIUS) to bioterrorism.  In his upcoming book, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism, Baker offers an intriguing view of our homeland security posture that ties back to the central theme that technology is both our savior and our enemy as it empowers not only us but our foes.  Coming from Baker, who has been described by the Washington Post as “one of the most techno-literate lawyers around,” the analysis of homeland security technology from a policy/legal prism is refreshing.  This is not a Luddite’s view of why technology harms, but an expert’s finely woven story of “how the technologies we love eventually find new ways to kill us, and how to stop them from doing that.”

A subtheme throughout the book is that information sharing, or lack thereof, has hindered our nation’s efforts to fight terrorism, especially when “privacy” has played a role.  In setting up a discussion of what led to his time at DHS, Baker recounts some of the failures leading up to 9/11, including the information sharing wall put up at the Department of Justice between intelligence and law enforcement elements of the agency, as well as challenges at the Foreign Intelligence Surveillance Court. His view is that of someone who has spent time in the intelligence world as the General Counsel of the National Security Agency and as General Counsel of the Robb-Silberman Commission investigating intelligence failures before the Iraq War. The account dives into the intricacies of Justice and its overseers, as well as how bureaucracy and personalities can so easily define our government’s most sensitive policies.

The book then looks at his days at DHS and attempts to strengthen border and travel programs and policies for acronym-named programs, including Passenger Name Records (PNR), the Visa Waiver Program (VWP), Electronic System of Travel Authorization (ESTA), Western Hemisphere Travel Initiative (WHTI), and Computer Assisted Passenger Pre-Screening System II (CAPPS II),  among others.  If you have ever doubted Washington’s love of acronyms and initialisms, this read will certainly change your mind.

In evaluating efforts in the aviation space, Baker is critical of a number of groups that he deems to have stood in the way of the Department’s mission during his tenure, including the private sector, European governing bodies, bureaucrats, Congress, and privacy/civil liberties groups, all of whom he argues are all about the status quo and not open to change.  Some of his criticisms are valid while others seem to simplify the views of the various actors.  For example, in dismissing some of the tourism industry’s concerns related to travel policies, he argues that the industry did not want innovation in government security on the border. Having been in the trenches at the U.S. House Homeland Security Committee during many of these debates, I would argue that the balancing of the numerous parties’ interests and concerns was not always that simple or easy to discern, especially when assessing the right security path forward.  Some programs mentioned in the book, such as WHTI, succeeded, in part, because they were implemented once necessary infrastructure had been deployed.

His strongest concerns are reserved for privacy and civil rights advocates and the government policies they either tout or hate.  There is a great deal of skepticism for “hypothetical civil liberties” and “hypothetical privacy concerns,” without evidence of demonstrated abuses by the government. He cites numerous incidents, some of which certainly demonstrate the tension between privacy and security co-existing.  A few of the examples he uses have even been explored here at HLSWatch, including complaints about whole body imaging machines in airports.  See, e.g., The Right to Be Left Alone (October 27, 2009) and “Where are all the white guys?” (November 10, 2009). Reading the book, privacy and civil liberties supporters may find it hard to balance Baker’s call for imagination when tackling homeland security policy and decision-making without calling for a similar level of creative thinking when addressing how those policies and decisions will affect privacy and civil liberties.

The book goes on to describe how the Department and Administration tackled (or failed to tackle) cybersecurity and biosecurity and the differences between the approaches. In both sections, privacy and information sharing are undercurrents, though we also see some interesting discussions of such topics as patent protections, self-regulation, and the evolution of security in each of these areas.  The discussions are intriguing and provide both a history and analysis of why we are where we are on those issues.   The cybersecurity and related CFIUS discussion brought back some memories to this self-proclaimed cybergeek, including some of my first interactions with Baker when he was in private practice and I was at the Justice Department.

One last observation: while the focus of the book is obviously on the time that Baker served at the Department under Secretary Chertoff, it leaves much to the imagination of what work Secretary Ridge and his team – from their early days in the White House after 9/11 until the changing of the guard to Secretary Chertoff – undertook and how that may have contributed to some of Secretary Chertoff’s and Baker’s successes, challenges, and mindset.  In addition, despite the focus on privacy and civil liberties, there is little mention of the other DHS offices, including the Privacy, Civil Liberties, and General Counsel’s offices, who may have been engaged in many of the battles noted by Baker. The book is not lacking in detail or intrigue because of these exclusions, though I wonder how they affected the decisions of Baker and his policy team. Perhaps these items are the subject of another book for another time.

Stewart Baker provides insight into a D.C. perspective of homeland security and the struggle of a Department to tackle technology, privacy, and information sharing. The book provides some valuable lessons for those who are on the frontlines of homeland security policy as they attempt to tackle future threats. For an observer of homeland security development, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism is a must-read. The book will be released on June 15th and is available for pre-order on Amazon.com.  In the meanwhile, excerpts from the book and other missives from Baker can be found at a blog with the same name, http://www.skatingonstilts.com/.

March 25, 2010

Cyber security and the two homelands hypothesis

Filed under: Cybersecurity — by Christopher Bellavita on March 25, 2010

The deputy assistant director of the FBI’s cyber division, Steven Chabinsky, told a conference on Tuesday:

“The cyber threat can be an existential threat — meaning it can challenge our country’s very existence, or significantly alter our nation’s potential…. How we rise to the cybersecurity challenge will determine whether our nation’s best days are ahead of us or behind us.”

That’s serious language.

Several weeks ago I was with a group of homeland security executives who agreed the cyber threat was really important.  They were equally in agreement the nation would not get serious about the threat until we experienced the cyber equivalent of Pearl Harbor.

Why is that?

Beyond the usual “human nature” kinds of hypotheses, I think part of the answer has to do with the difficulty understanding what the cyber threat actually is.  Why should it have the same fear status as, say, a biological attack on the nation, a nuclear detonation in an American city, a Mumbai-style attack on multiple-cities — pick your own “challenge to our country’s existence” scenario?

Chabinsky talks about cyber terrorism, the theft of state and corporate secrets, and cybercrime.  I am sure there are detailed reports available that give more information about why cyber is a serious threat.  And I mean to find and read them.

I also mean to track down a copy of CNN’s “We Were Warned: Cyber Shockwave”  attack simulation.  I hear two stories about it: On the one hand, the “presentation was excellent and it highlighted some very real vulnerabilities.” On the other hand,  “This scenario is removed from reality. This could have possibly happened 9 years ago. The pillars of the private sector have developed contingency plans just in case of this type of “event”.   At best this is a poorly constructed “war game” at worst this is a piece of think tank propaganda.”

I am confused.  So I am looking to learn about the cyber threat and understand why it should be a high priority homeland security issue.

As a part of my education, I came across an out-of-frame essay in the Financial Times [free, but registration is required] that sees cyber space not as a way to exchange information, but as a “new continent,” rich in both resources and peril. And before too long, many of us will spend so much time living in the new continent that, “… almost any human interaction of any kind will require use of the internet.”

From this perspective, we will have two homelands: the United States and the Internet.

States embark on a scramble for cyberspace

By Misha Glenny
Published: March 17 2010 23:20
It is time to stop thinking of cyberspace as a new medium or an agglomeration of new media. It is a new continent, rich in resources but in parts most perilous. Until 30 years ago, it had lain undiscovered, unmined and uninhabited.

The first settlers were idealists and pioneers who set out from San José, Boston and Seattle before sending back messages about the exciting virgin lands that awaited humanity in the realm of the net. They were quickly followed by chancers and adventurers who were able to make fortunes by devising their own version of the South Sea Bubble.

It was inevitable that the wondrous materials found all over this territory would attract the interest of nation states. Now, the scramble for cyberspace has begun. Military and intelligence agencies are already staking their claim for the web’s high ground as civilian powers lay down boundaries to define what belongs to whom and who is allowed to wander where.

Cyberspace is being nationalised rapidly. In some parts of the world, this has been going on for a while. Russia has been running a programme known by the delightfully sinister acronym Sorm-2 (System of operational investigative activities) since the late 1990s. This ensures that a copy of every single data byte that goes into, out of or around the country ends up in a vast storage vault run by the Federal Security Service. You can read about atrocities committed in Chechnya if you wish but you can be confident that somebody will be looking over your digital shoulder.

China, of course, has its “great firewall”, filtering politically incorrect sites along with pornography and other forms of cultural contamination. But of even greater import is China’s demand, effectively conceded, that the US relinquish control of the internet’s language and domain names through the Californian non-profit organisation Icann. This is being transformed into a United Nations-style regulatory operation. China will soon have absolute say over the internet’s structure within its borders. [Note: this was written before this week's skirmish in the first war between nation states and virtual states: i.e., China v. Google.]

The legal mapping of cyberspace in the west is more chaotic. But we are now witnessing the establishment of myriad laws and rules by legislators and in the courts. In a hearing this week … in London following a major cybercrime trial, [an attorney] put his finger on it when he argued that “we are entering a world where almost any human interaction of any kind will require use of the internet”.

So while there is clearly a pressing need to define rules that apply in cyberspace, they are emerging at speed with little coherent strategy behind them. Nobody knows where this process will lead for two central reasons. The speed of technological change means that the traditional tools of state used to carve up the world in the 19th century, such as laws and treaties, are often inadequate, if not entirely irrelevant, when applied to this new domain.

Law enforcement agencies such as the FBI and the Serious Organised Crime Agency in Britain have invested considerable time and money in bringing down criminal networks on the web. But as the Internet Crime Complaints Centre in the US has just reported, the losses from cybercrime continue to climb at a staggering rate because criminals adapt at lightning speed to new policing methods.

In the commercial world, major legislation concerning copyright … is unlikely to withstand the second great variable – the coming of age of the net generation. Laws banning file-sharing are likely to prove as unpopular as the poll tax that helped bring down the Thatcher government. They also look utterly unenforceable.

As a harbinger of change, we are seeing political parties springing up throughout Europe with names such as the Internet party or the Pirate party, which understand the web as simply part of human DNA. “In the collision between the old and the new on the web,” argues Rex Hughes, a Chatham House fellow who is leading a cybersecurity project, “the old always wins the first few rounds but eventually they die off.” [my emphasis]

But the greatest battle is happening in the area of cyberwarfare and cyberespionage. Symbolically, the US designated cyberspace as the “Fifth Domain” last June and the first man-made one after land, sea, air and space. Nato lawyers are trying to work out how the laws of war operate in cyberspace. Hysteria is accompanying this new arms race, as when Admiral Mike McConnell, former director of US National Intelligence, claimed at a Senate hearing last month that “if the nation went to war today in a cyberwar, we would lose”.

Meanwhile, the phenomenon of “anonymisation”, so useful for cybercrime, is a gift to intelligence agencies as they sniff into every corner of the web to find out who is up to what.

None of this would amount to a hill of beans were it not for [the attorney cited above’s] point that everything we do is somehow mediated by the web. Governments are becoming obsessed about the need to control the internet but have yet to work out how to do this without suffocating the noble goal of those pioneers who merely wanted to facilitate communication between ordinary people. Heaven forbid!

March 5, 2010

Cybersecurity – Front and Center

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on March 5, 2010

In my post on Monday, I wrote about this week’s big conferences relating to homeland security – the RSA Conference in San Francisco (Geeks) and the ABA Homeland Security Institute in DC (Lawyers).  I suggested that folks “stay tuned to any announcements or surprises that might come from” the conferences.

RSA has not disappointed, with a number of announcements and declarations coming out of the conference.  The biggest revelation was that the White House was, as many had been expecting for the last several months, declassifying information on the Comprehensive National Cybersecurity Initiative (CNCI).

The CNCI was initiated in January 2008 in NSPD 54/HSPD 23, a classified document that left many, even before its release, asking questions about the role of the intelligence agencies in the government’s cybersecurity plans.  Siobhan Gorman, then of the Baltimore Sun, did a great job in late 2007 covering the effort.

While NSPD 54/HSPD 23 has not itself been declassified, the President did release a five page summary of the CNCI this week, the first official document to describe the classified directive, which can be found on the White House’s website.

The summary notes the twelve initiatives within the Initiative:

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.

Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.

Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.

Initiative #4. Coordinate and redirect research and development (R&D) efforts.

Initiative #5. Connect current cyber ops centers to enhance situational awareness.

Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.

Initiative #7. Increase the security of our classified networks.

Initiative #8. Expand cyber education.

Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.

Initiative #10. Define and develop enduring deterrence strategies and programs.

Initiative #11. Develop a multi-pronged approach for global supply chain risk management.

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

In announcing the declassification, White House Cybersecurity Coordinator Howard Schmidt said “partnerships and transparency are concepts that have to go hand in hand” in the protection of the nation’s critical computer networks.

The declassification has come with mixed reviews. Many privacy advocates still would like to see the original NSPD/HSPD declassified, especially parts dealing with cyber offense capabilities.  The Washington Post also reported and Schmidt acknowledged that there remain a number of legal questions to be answered about parts of the initiative.  Personally, I believe that the declassification of information on the CNCI is an important first step that allows the private sector and the public to have a more open dialogue on how the government can be leading the way, with private sector input, on protecting government systems.

One of the biggest issues that came out of the CNCI was a concern that the government would move full-force ahead on the classified initiative without significant input from the numerous sectors of the private sector, many of whom have tackled some of the problems facing the government as it moved to protect its systems.  The added fear was that once the government put in place “solutions” for itself, it would move to migrate those solutions to the private sector through standards and mandates.  While some sectors with appropriate clearances have advised on parts of the initiative, there remained a gap in a transparent and full discussion.   Schmidt should be commended for taking on this effort and moving for a more open process for discussion.

I also question whether the NSPD/HSPD should be declassified in its entirety. While privacy and legal questions may arise out of any classified cyber offense capabilities discussed in the directive, we also should be careful about revealing too much about these efforts, especially if doing so would potentially reveal sources and methods to our technologically-savvy opponents, who are intent on compromising, sabotaging, or stealing information from our systems.  There needs to be a method to assure that classified information within the directive goes through appropriate checks and balances, but we also have to be prepared against a sophisticated enemy.

Also of note at the conference were Secretary Napolitano’s remarks.  In addition to encouraging industry to do better at security and recognize a “sense of urgency,” she announced a contest to the IT security community on how to develop a public education campaign on cyber-readiness.  Information on the contest and how to enter can be found at http://www.dhs.gov/files/cyber-awareness-campaign.shtm.

It is an interesting concept, though I wonder how it meshes with existing and past efforts to do public education campaigns on the cyber front.  In particular, I wonder how this effort fits into the National Cyber Security Alliance, which was founded in 2001, as the public-private partnership for promoting cyber security awareness. That effort has worked with DHS and a number of tech companies, as well as the MS-ISAC, for promoting cyberawareness and “National Cybersecurity Awareness Month” in each of the past six Octobers.  There have also been numerous similar efforts through the years, including one I was involved with about 10 years ago, the “Cybercitizen Awareness Program,” that was intended to “establish a broad sense of responsibility and community in an effort to develop in young people smart, ethical, and socially conscious online behavior.”

Despite these questions, I think the idea is an interesting one.  In past posts, I have advocated for DHS to take more of a DARPA approach to solving problems, including potentially duplicating efforts like the DARPA Grand Challenge.  I have also written about DHS’ increasing use of social media and the need for it to integrate the public into those efforts.  In many ways, this contest takes both of those concepts and creates a mini-Grand Challenge web 2.0 awareness campaign. I look forward to seeing the results.

Those were the big government announcements coming out of RSA.  Overall, the conference seems to focus on a few themes: cloud computing, offensive cybersecurity efforts (including warfare), a call to action, and collaboration.

March 1, 2010

Geeks and Lawyers Confer on Security…

Filed under: Cybersecurity,Legal Issues — by Jessica Herrera-Flanigan on March 1, 2010

Today marks the opening of the RSA Conference where geeks and cyberwonks gather in San Francisco for five days of information security overload.  The conference, which started in 1991 as a gathering of approximately 50 cryptographers who met to talk shop, is expecting more than 11,000 attendees this year and includes 250 sessions across 18 tracks.  Since 1995, the conference has focused on a unique theme to highlight a “significant historical contribution to or illustration of cryptography, mathematics, or information security.”  This year’s theme is the Rosetta Stone, designed to remember “the Rosetta Stone’s legacy to modern Egyptology and its lasting message on the power of collaboration.”

Expect a good share of government officials – from the Department of Homeland Security to the FBI to the White House to the Department of Defense to Congress – to be wandering around the conference.  DHS Secretary Janet Napolitano and FBI Director Robert S. Mueller are both slated to speak.  According to a release from conference organizers, Napolitano will “speak to the impact of information security on today’s society and how cybersecurity will continue to be a key area of focus for the Department of Homeland Security in the coming years,” while Mueller will “detail cyber threats through the years – from criminal threats like computer intrusions and identity theft to the use of the Internet by extremists and hostile foreign powers.”  It will be interesting to learn what insight each offers on the growing cybersecurity challenge and what is being done within the government to address that challenge.

Also slated to speak is Howard Schmidt, the recently appointed “cyberczar” or, if you prefer, his official title – “White House Cybersecurity Coordinator, National Security Council, Executive Office of the President.”  Schmidt will give a keynote and, according to the conference schedule, will be busy participating in a number of other events, including a town hall sponsored by the Business Software Alliance.  In many ways, RSA represents a coming out for Schmidt. He has appeared and spoken at some DC-oriented events but this is (I believe) the first time he has been in a national venue and the first time where experts and industry will get a public account of what to expect from the Obama Administration on cybersecurity going forward.  It is a big task but, as a veteran and well-respected expert on cybersecurity (including public-private partnerships), Schmidt should be up to the task.

Other big-name former government officials who have tackled cybersecurity are also plentiful. Schmidt’s predecessor (at least in an acting status), Melissa Hathaway, is slated to speak on a panel on “Delivering a Unified and Resilient National Cyber Security Framework,” and former DHS Secretary Michael Chertoff and the first cyber-czar under President Clinton, Dick Clarke, are also on the agenda.

Moving from wonks to lawyers (if there is really a difference), back in D.C., the American Bar Association will be hosting its Fifth Annual Homeland Security Law Institute.  Chaired by Joe D. Whitley, former General Counsel of DHS, the conference gathers together practitioners to examine legal issues surrounding various homeland security areas.  Among the panel topics: homeland defense, international issues, chemical and personnel security, supply chain, CFIUS, immigration, detention of terror suspects, cybersecurity, privacy, homeland security grants, and H1N1.

Among the keynote speakers – Senator Susan Collins, Ranking Member of the Senate Committee on Homeland Security and Governmental Affairs, W. Craig Fugate, the Administrator of FEMA, and New York Police Commissioner Ray Kelly.

Two very different conferences offering different perspectives on how to address homeland security problems.  Stay tuned to any announcements or surprises that might come from either conference.


December 4, 2009

ISA Issues Report: Incentivize Don’t Regulate

Filed under: Cybersecurity,General Homeland Security — by Jessica Herrera-Flanigan on December 4, 2009

Co-authored by first time contributor Colin Bortner

The Internet Security Alliance released a report, “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” yesterday, responding to the Obama administration’s Cyber Space Policy Review. The report takes a broad view of cybersecurity and tackles everything from information sharing to securing the IT supply chain, but its most substantive proposal is a public-private model to enhance cybersecurity through market incentives.

The report strives to align the President’s Cyber Space Policy Review, completed in May, with points raised in the Cyber Security Social Contract: Recommendations for the Obama Administration, published by ISA a year ago.  As noted by ISA then, the social contract:

is essentially a deal between industry and government wherein both entities agree to provide services and receive benefits resulting in a larger social good.

The social contract ISA is proposing is based on the agreement between government and the utilities in the early 20th century which had the goal of providing universal phone, power and light service to Americans. That model worked.

The Contract had two key elements:

“First is the realization that cyber security is not a purely technical problem. Rather, cyber security is an enterprise-wide risk management problem which must be understood as much for its economic perspectives as for its technical issues.”

“The second key element is that, at this point, government’s primary role ought to be to encourage the investment required to implement the standards, practices, and technologies that have already been shown to be effective in improving cyber security.”

The public-private model outlined in the report released yesterday calls for the establishment of a family of incentives and a body charged with evaluating and grading security certifications.  The various grades of certification would be mapped to the various incentives so that certification x would yield incentive a, while certification y would yield incentive b.

The incentives that ISA suggests include basic tax incentives, access to Federal grants, participation in Federal procurement, a Cyber Safety Act (modeled after the Safety Act, providing limited liability in the case of a cyber incident), and national awards for cybersecurity, among other recommendations.   ISA envisions the certification as a stamp of compliance with an established open standard, such as those developed and maintained by ISO and NIST, or with a proprietary, sector-specific certification, such as PCI-DSS for the payments industry.

The model aims to accommodate an ecosystem of certifications that are tailored to fit the needs of different industries or organizations and that provide different levels of security at different costs (and rewards).  ISA predicts that this would create a competitive marketplace of Federally-blessed certification organizations that compete to win access to greater incentives for their customers at lower costs.

The ISA Report largely reiterates the views advocated by ISA over the last several years.  As a non-profit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab, ISA represents corporate interests from the Defense & Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries.   Given its focus on the Internet economy sectors, it makes sense that ISA would promote insurance and incentives over pure regulation.

Unfortunately, without high-level leadership in the White House on cybersecurity, a review of ISA’s and others’ views and proposals is lagging.  The Department of Homeland Security, led by Rand Beers, Phil Reitinger, and Greg Schaffer in the National Protection and Programs Directorate (NPPD), is getting its house in order and making headway on DHS’s efforts to better streamline and secure government systems.  Hopefully, with the new Assistant Secretary for the Private Sector, Douglas Smith, the folks at NPPD can strengthen their public-private sector outreach.  That will only be half the puzzle, however, if they do not have a strong advocate in the White House for their operational and policy efforts.

August 10, 2009

Cybersecurity –

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on August 10, 2009

On Friday, I wrote a quick blurb noting that Mischel Kwon, the director of the U.S. Computer Emergency Readiness Team at the Department of Homeland Security (DHS) had announced her departure.  Her exit from the government cybersecurity realm marked the second in a week, following the highly-covered resignation of Melissa Hathaway, the White House’s Cybersecurity Advisor/Coordinator, earlier in the week.

In both cases,  many politicos and pundits have pondered why our federal cybersecurity efforts seem to be in such disarray.   Kwon was the fourth director of US CERT in five years.  Hathaway was the acting “cyber czar,” though the Administration prefers to call it “coordinator,” a position announced by the President eight weeks ago that few cybersecurity gurus have been interested in taking.

Things may be bad, however, but not as bad as they appear.  DHS has filled its two (or three, depending on how you count) political cybersecurity spots with experienced and smart experts.  Phil Reitinger is the Deputy Under Secretary for the National Protection & Programs Directorate, overseeing the agency’s cybersecurity efforts.  He is dual-hatted as the Director of the National Cybersecurity Center (NCSC), a position created in 2008 amid internal squabbling; that position has been duplicative of the agency’s efforts, as well as under-appreciated, as demonstrated by Rod Beckstrom’s very public resignation from it earlier this year.  In consolidating the two positions, Secretary Napolitano has created one point person to strategize and lead the Department’s efforts on a macro level.

In addition, the new Assistant Secretary for Cybersecurity & Communications, Greg Schaffer, is well-versed in the cybersecurity space.  Both Phil and Greg have worked together in the past and have private sector and government experience on the operational and legal sides of cybersecurity – something which is much needed at the agency. Hopefully, by working together in a concerted effort, there will be some progress at DHS on the cybersecurity front.  That’s not to say there is not a lot of work to be done, or that it is not a nearly impossible task, but having some gameplan and a team effort will be critical.

Over at the Department of Defense, Secretary Robert Gates created a “Cyber Command” to be headed by the director of the National Security Agency.  When announcing the new Command in June, Gates issued a memo noting that the new effort will synchronize “warfighting efforts across the global security environment.”  While there have been some concerns that the new Cyber Command will usurp civilian efforts, its creation is an important step in streamlining and synchronizing our military’s offensive and defensive capabilities.  In addition, its creation may help thwart what has been seen as increasing competition between the branches to be responsible for DoD’s cybersecurity efforts.

Which brings us back to the so-called Cyber czar vacancy.  It is important to remember that the White House Cybersecurity Coordinator is a policy position — not an operational one.  The nuts and bolts of protecting government civilian, military, and private sector systems remain with the agencies above, as well as with several others tasked with specific elements of cybersecurity (e.g., the Department of Justice with prosecuting cybercrimes, the FBI and Secret Service with investigations, countless CIO offices with securing specific agency computers, and NIST with standards).  The cyberczar will report both to the National Security Council and the National Economic Council, which suggests that the individual will attempt to balance homeland security and economic concerns. That dichotomy, however, is not as prevalent as it may have been 10 years ago when Dick Clarke served as czar.  It could change if Congress enacted legislation that was strong on regulation in cyber space.  What is not clear from the creation of the cyberczar is whether that individual will have the authority to direct all the agencies should a cyber-crisis occur.

The inability to fill the “cyberczar” spot, whether it sits in DHS, DoD, the White House, or the Office of Management and Budget, is long-standing.  In the 2002-2004 timeframe, much attention was given to DHS’ efforts on the cybersecurity front and to the fact that the cyberczar had gone from being in the White House to being the Director of the National Cyber Security Division, a spot buried within the agency’s bureaucracy.   The first Director, Amit Yoran, lasted a little more than a year before leaving, in part because of the lack of authority.

Going forward, regardless of what you call the positions or how they are filled, it is essential that there be long-term planning and staffing on the cybersecurity front.  As DHS and DoD get their operational efforts in order, their successes will be measured on whether their cyber leaders have the authority to do their jobs AND whether they stay for longer than a year or two.   At the same time, when and if the cyber czar position is filled, it will be critical that the chosen person be one who puts supporting DHS, DoD, and other agencies’ efforts first, and not one who, taken by the czar title, is overly interested in leaving their personal mark.
