Homeland Security Watch

News and analysis of critical issues in homeland security

October 25, 2012

The Presidential Debates: Substantial agreement on homeland security

The word “homeland” was used once,  the term “homeland security” not at all  in the three presidential debates.  But a close-reading of the transcripts does expose HS-related discussion.

Below are direct excerpts from the debate transcripts.  I have purposefully not identified who said what.  Where the candidates seem to mostly agree, I have only quoted one of them.  Occasionally a candidate asserted a difference that — at least to me — seemed either non-substantive or illusory.  I have not included these assertions.  There are subtle distinctions.  I have chosen excerpts that I hope bring these forward.

To me the distinctions — on these issues —  often run counter to each candidate’s stereotype. President Obama comes off tougher than the other side wants to admit, Governor Romney more reasonable than he is portrayed.  Debate posturing?  Meaningful insight?  My own eccentric tendency to see what is shared more than what divides?


The first role of the federal government is to keep the American people safe. That’s its most basic function…

The Constitution and the Declaration of Independence. The role of government is to promote and protect the principles of those documents. First, life and liberty. We have a responsibility to protect the lives and liberties of our people…



First of all, this is a nation of immigrants. We welcome people coming to this country as immigrants… I want our legal system to work better. I want it to be streamlined. I want it to be clearer. I don’t think you have to — shouldn’t have to hire a lawyer to figure out how to get into this country legally. I also think that we should give visas to people — green cards, rather — to  people who graduate with skills that we need. People around the world with accredited degrees in science and math get a green card stapled to their diploma, come to the U.S. of A. We should make sure our legal system works.

Number two, we’re going to have to stop illegal immigration. There are 4 million people who are waiting in line to get here legally. Those who’ve come here illegally take their place… What I will do is I’ll put in place an employment verification system and make sure that employers that hire people who have come here illegally are sanctioned for doing so. I won’t put in place magnets for people coming here illegally. The kids of those that came here illegally, those kids, I think, should have a pathway to become a permanent resident of the United States and military service, for instance, is one way they would have that kind of pathway to become a permanent resident…

If we’re going to go after folks who are here illegally, we should do it smartly and go after folks who are criminals, gang bangers, people who are hurting the community, not after students, not after folks who are here just because they’re trying to figure out how to feed their families. And that’s what we’ve done. And what I’ve also said is for young people who come here, brought here often times by their parents. Had gone to school here, pledged allegiance to the flag. Think of this as their country. Understand themselves as Americans in every way except having papers. And we should make sure that we give them a pathway to citizenship…

Domestic Counterterrorism (or Whole Community or gun control)

So my belief is that, (A), we have to enforce the laws we’ve already got, make sure that we’re keeping guns out of the hands of criminals, those who are mentally ill. We’ve done a much better job in terms of background checks, but we’ve got more to do when it comes to enforcement…

Weapons that were designed for soldiers in war theaters don’t belong on our streets. And so what I’m trying to do is to get a broader conversation about how do we reduce the violence generally… Part of it is also looking at other sources of the violence… And so what can we do to intervene, to make sure that young people have opportunity; that our schools are working; that if there’s violence on the streets, that working with faith groups and law enforcement, we can catch it before it gets out of control…

And so what I want is a — is a comprehensive strategy. Part of it is seeing if we can get automatic weapons that kill folks in amazing numbers out of the hands of criminals and the mentally ill. But part of it is also going deeper and seeing if we can get into these communities and making sure we catch violent impulses before they occur.

Resilience (?)

I believe in self-reliance and individual initiative and risk takers being rewarded.


International Counterterrorism

But we can’t kill our way out of this mess. We’re going to have to put in place a very comprehensive and robust strategy to help the — the world of Islam and other parts of the world, reject this radical violent extremism, which is — it’s certainly not on the run. It’s certainly not hiding. This is a group that is now involved in 10 or 12 countries, and it presents an enormous threat to our friends, to the world, to America, long term, and we must have a comprehensive strategy to help reject this kind of extremism…

A group of Arab scholars came together, organized by the U.N., to look at how we can help the — the world reject these — these terrorists. And the answer they came up with was this: One, more economic development. We should key our foreign aid, our direct foreign investment, and that of our friends, we should coordinate it to make sure that we — we push back and give them more economic development. Number two, better education. Number three, gender equality. Number four, the rule of law. We have to help these nations create civil societies…

The other thing that we have to do is recognize that we can’t continue to do nation building in these regions. Part of American leadership is making sure that we’re doing nation building here at home. That will help us maintain the kind of American leadership that we need…

We make decisions today… that will confront challenges we can’t imagine. In the 2000 debates, there was no mention of terrorism, for instance. And a year later, 9/11 happened. So, we have to make decisions based upon uncertainty…


We need to be thinking about cyber security. We need to be talking about space…

International Counterterrorism (Again)

Pakistan is important to the region, to the world and to us, because Pakistan has 100 nuclear warheads and they’re rushing to build a lot more. They’ll have more than Great Britain sometime in the — in the relatively near future. They also have the Haqqani Network and the Taliban existent within their country. And so a Pakistan that falls apart, becomes a failed state, would be of extraordinary danger to Afghanistan and to us. And so we’re going to have to remain helpful in encouraging Pakistan to move towards a more stable government and rebuild the relationship with us. And that means that our aid that we provide to Pakistan is going to have to be conditioned upon certain benchmarks being met…


We should use any and all means necessary to take out people who pose a threat to us and our friends around the world.

International Counterterrorism (Again)

There’s no doubt that attitudes about Americans have changed. But there are always going to be elements in these countries that potentially threaten the United States. And we want to shrink those groups and those networks and we can do that.  But we’re always also going to have to maintain vigilance when it comes to terrorist activities. The truth, though, is that Al Qaeda is much weaker than it was…and they don’t have the same capacities to attack the U.S. homeland and our allies as they did four years ago.

I expect partisans of each candidate will complain I have obscured important differences.   In my judgment a narcissism of small differences is epidemic.   I have no interest in abetting the fever.  More interesting to me is — for good or bad — the considerable consensus that is articulated.

October 12, 2012

Panetta: “Cyber terrorist attack could paralyze the nation.”

Filed under: Cybersecurity — by Philip J. Palin on October 12, 2012

Last night in New York the Secretary of Defense told his audience, ““A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”

While noting the role of DHS and the FBI in cyber defense, the SECDEF also emphasized, “We defend. We deter. And if called upon, we take decisive action. In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”

Here’s a link to the DOD news release.  I have not yet found a full transcript.  When I do — or you do — it will be posted here.


Here’s the transcript: Defending the Nation from Cyber Attack.

October 9, 2012

Seven recent homeland security stories you might have missed

Filed under: Cybersecurity — by Christopher Bellavita on October 9, 2012

1. An EMP attack could bring this country to a screeching halt by permanently disabling electronic devices, and DHS remains unprepared for the possibility of an electromagnetic pulse (EMP) event or attack, says the Heritage Foundation. William Forstchen wrote a book called One Second After that describes what life could be like after an EMP attack.

2. Two fusion centers in Wisconsin — the Wisconsin Statewide Information Center and the Southeastern Wisconsin Threat Analysis Center created a website called WiWatch “to provide a portal to educate the public and provide a means to report suspicious activity.” The site describes 16 examples of “suspicious behavior” to say something about (either on the phone or on the web) if you see something.
WiWatch notes: “A critical element of the missions of the Wisconsin Fusion Centers is ensuring that the civil rights and civil liberties of persons are not diminished by our security efforts, activities, and programs. Consequently, the “WiWATCH” campaign respects civil rights and liberties by emphasizing behavior, rather than appearance, in identifying suspicious activity.”

3. Karen Remley, the Virginia State Health Commissioner, reminded the state’s clinicians about “the medical school dictum related to differential diagnoses: ‘When you hear hoof beats behind you, don’t expect to see a zebra.’ Sometimes, however, it will be a zebra. If you think it is a zebra, I want you to say something. During the anthrax attacks in 2001, clinicians made the first diagnosis in an emergency department…. An astute clinician who diagnoses a reportable illness and alerts the local health department may be detecting a bioterrorism attack or a disease outbreak and putting in motion actions that will save his or her patient and many others.”

4. For $4,450, you can get a 680 page report about the U.S. Homeland Security & Public Safety Market from 2013 to 2020. Here’s an excerpt from the online summary:
“Annual investments in HLS and Public Safety products and services (excluding: HLD post-warranty revenues) purchased by the U.S. Federal agencies and private sector increased from $48 Billion in 2011 to $51 billion in 2012 and is forecasted to increase to $81 billion by 2020…..The total U.S. HLS, HLD, HLS related Counter-terror & Public Safety Markets (including post-warranty maintenance and upgrades revenues) grow from $74.5 billion in 2012 to $107.3 billion in 2020 at a CAGR [I think that means compound annual growth rate] of 4.7%…. Unlike most other government sectors, the 2013-2020 federal, state and local government funding for HLS & Public Safety will grow over the next eight years at a CAGR of 4-5%. This growth is driven by a solid bipartisan congressional support.” [That's my favorite sentence.]

5. Stephanie Lambert tried to bring peanut butter on a flight last June. TSA confiscated the peanut butter. After filling out the appropriate forms, Lambert received a $3.99 refund check from the U.S. Treasury. For another $22.99 Lambert can by 6 jars of Skippy Peanut Butter on Amazon, and have them mailed to her house.

6. Without comment, The U.S. Supreme Court refused to consider a blogger’s challenge of body scanners and whole body pat-downs at airports. “[The] court declined to take up Jonathan Corbett’s complaint that the Transportation Security Administration’s use of the screening techniques violated passengers’ protection against illegal searches under the Fourth Amendment of the U.S. Constitution.”

7. And the final story you might have missed: October is National Cyber Security Awareness Month.

September 26, 2012

Government and the cyber-domain; or command-and-control encounters complexity

Filed under: Congress and HLS,Cybersecurity,Strategy,Technology for HLS — by Philip J. Palin on September 26, 2012

There is considerable expectation that an Executive Order will soon try to pick up the pieces from a failed effort at cybersecurity legislation.  You can read more at CNET, Wall Street Journal, or The Hill (for three very different angles on reality).

Technical challenges, political problems, and real philosophical differences complicated the legislative process.  I already gave attention to many of these issues in a February post.  Whatever the text of the Executive  Order these complications will persist.

Many of the most vexing problems are not particular to cyber.  Similar issues are encountered in regard to strategy, policy, regulation, innovation, security, resilience, and competition in domains seemingly as diverse as eCommerce, supply chains, and the global financial system.

Sunday there was a brief two-page essay in the New York Times Magazine that focuses on how the Internet was created.  Following are a few key paragraphs.  As you read cut-and-paste your preferred networked-entity over the word Internet.  When I do that,  the author’s explanation still holds.

Like many of the bedrock technologies that have come to define the digital age, the Internet was created by — and continues to be shaped by — decentralized groups of scientists and programmers and hobbyists (and more than a few entrepreneurs) freely sharing the fruits of their intellectual labor with the entire world. Yes, government financing supported much of the early research, and private corporations enhanced and commercialized the platforms. But the institutions responsible for the technology itself were neither governments nor private start-ups. They were much closer to the loose, collaborative organizations of academic research. They were networks of peers.

Peer networks break from the conventions of states and corporations in several crucial respects. They lack the traditional economic incentives of the private sector: almost all of the key technology standards are not owned by any one individual or organization, and a vast majority of contributors to open-source projects do not receive direct compensation for their work. (The Harvard legal scholar Yochai Benkler has called this phenomenon “commons-based peer production.”) And yet because peer networks are decentralized, they don’t suffer from the sclerosis of government bureaucracies. Peer networks are great innovators, not because they’re driven by the promise of commercial reward but rather because their open architecture allows others to build more easily on top of existing ideas, just as Berners-Lee built the Web on top of the Internet, and a host of subsequent contributors improved on Berners-Lee’s vision of the Web…

It’s not enough to say that peer networks are an interesting alternative to states and markets. The state and the market are now fundamentally dependent on peer networks in ways that would have been unthinkable just 20 years ago…

When we talk about change being driven by mass collaboration, it’s often in the form of protest movements: civil rights or marriage equality. That’s a tradition worth celebrating, but it’s only part of the story. The Internet (and all the other achievements of peer networks) is not a story about changing people’s attitudes or widening the range of human tolerance. It’s a story, instead, about a different kind of organization, neither state nor market, that actually builds things, creating new tools that in turn enhance the way states and markets work.

Legislation, regulation, many theories of management and the practice of most managers assume someone is in charge of something.  Someone is accountable for discreet action that leads to reasonably foreseeable consequences.  There are intentional practices to regulate, systematize, and evaluate.   Certainly this is part of reality, but only part and its proportion of the whole seems to be decreasing.  In homeland security I expect most of our reality cannot be accurately described in these traditional “Newtonian” terms.

When I have most seriously failed it has been because I have very reasonably, diligently, and intelligently applied the lessons learned in one corner of reality to another corner of reality without recognizing the two realities are almost totally different.


August 10, 2012

Brennan defines “bad guys” (NYPD looks for bad guys)

Wednesday, John Brennan, the Assistant to the President for Homeland Security and Counterterrorism, spoke to the  Council on Foreign Relations.  His remarks focus on US operations in Yemen including the use of drones.  This is the latest in a series of extended statements by Mr. Brennan designed to explain and defend US policy regarding the lethal use of drone technology beyond Afghanistan.

Ritika Singh at LAWFARE has posted the first transcript I could find.

There is a Question and Answer session with Mr. Brennan that is considerably longer than his prepared remarks.  During this element of the program he engaged a range of issues, including Syria and cybersecurity… and bad guys.

While looking for the transcript, I stumbled across a very helpful consideration of the NYPD’s new “Domain Awareness System” at the Council on Foreign Relations website.  (If CFR can headline attention to NYPD technology projects,  I think HLSWatch can clearly address Yemen.)  Please see the CFR briefing by Matthew Waxman.

August 2, 2012

NYT editorial and op-ed on cybersecurity

Filed under: Congress and HLS,Cybersecurity,General Homeland Security — by Philip J. Palin on August 2, 2012

The issue certainly deserves sustained and serious attention.   It is not, however, where I spend most of my time.  So… without further comment and just to be sure you did not miss: two recent pieces from the New York Times editorial page. To read the commentary in full please click on the link.

Cybersecurity at Risk

Published: July 31, 2012

Relentless assaults on America’s computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems. The question now is whether the Senate will provide them. Senator John McCain, a Republican of Arizona, and the Chamber of Commerce have already exacted compromises from sponsors of a reasonably strong bill, and are asking for more. Their demands should be resisted and the original bill approved by the Senate.


A Law to Strengthen Our Cyberdefense

Published: August 1, 2012

OVER the last decade, the United States has built a sophisticated security system to protect the nation’s seaports against terrorists and criminals. But our nation’s critical infrastructure is not similarly secured from cyberattack. Although we have made progress in recent years, Congressional action is needed to ensure that our laws keep pace with the electronically connected world we live in. The bipartisan Cybersecurity Act of 2012, currently before the Senate, offers a way forward.


May 6, 2012

Cyber attack currently underway targeting natural gas industry

Filed under: Cybersecurity — by Philip J. Palin on May 6, 2012

Here’s something worth reading.  I am only displaying the first three paragraphs of a fairly indepth piece of reporting.

By Mark Clayton writing in the Christian Science Montior.

A major cyber attack is currently underway aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.

At least three confidential “amber” alerts – the second most sensitive next to “red” – were issued by DHS beginning March 29, all warning of a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago – and may also affect Canadian natural gas pipeline companies – is continuing.

That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.


During the House of Representatives so-called Cyber Week there was disagreement regarding the nature of the cyber threat.  Following is a recent Richard Clark quote differentiating an acute threat from a chronic threat:

People keep asking, well, do we have to have a cyber Pearl Harbor in order for people to do the right thing? Implicit in that question is sort of a hope that that will happen and then maybe we’ll fix everything. I don’t know that there ever will be a cyber Pearl Harbor. What I do know is that we’re suffering the death of a thousand cuts in the little Pearl Harbors that are happening every day, where cyberespionage and cybercrime are having a huge cumulative and negative effect. The theft of research and development information, the theft of intellectual property, the theft even of transactional data is giving huge economic advantage to our competitive opponents in other countries. If we all sit around waiting for the apocalypse to do something appropriate on cybersecurity, it may never happen and we may never solve the problem.

In the New York Time’s Friday piece on the National Preparedness Report, the reporter emphasized cyber vulnerabilities (not where my first read took me):

… it was the report’s findings about cybersecurity that appeared to be the most troubling, and they continued a drumbeat from the Obama administration about the need for Congress to pass legislation giving the Department of Homeland Security the authority to regulate computer security for the country’s infrastructure.

The report said that cybersecurity “was the single core capability where states had made the least amount of overall progress” and that only 42 percent of state and local officials believed that theirs was adequate.

I hope HLSWatch readers will take the time to read the NPR.  I would welcome your comments, concerns, or more here.   How should we read it?  What are the major take-aways?  What are the major questions raised?  What should we do with it? What can we do with it?  If there is a delta between should and can, what does that tell us?

April 27, 2012

Cybersecurity: A gale is brewing in the rocky waters of unknowing

Filed under: Cybersecurity — by Philip J. Palin on April 27, 2012

From Jason and the Argonauts (1963)

Late Thursday afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval seems unlikely.  The White House has raised the prospect of a veto.

Cybersecurity is a compound derived from cybernetics, a term coined in 1948.  Cybernetics is the study of biological and cultural systems of control adapted to mechanical or electronic devices.  Norbert Wiener based his neologism on the classical Greek kybernetike meaning helmsman, navigator, pilot and in some contexts: governor.  (Some will recall that Mao was called the “Great Helmsman”.)

As a matter of etymology, cybersecurity means “steering-to-be-carefree” or less literally, “navigating for open water.”

This week several members of the House, operating on a bipartisan basis, attempted to advance substantive cybersecurity legislation even in the shadow of a quadrennial election marked by especially sharp partisanship.  The proposals encountered bipartisan opposition.

It is worth acknowledging good faith on each side.  This was an example of our legislators attempting to navigate the ship-of-state through treacherous waters.  We can disagree with individual choices.  I don’t see cause to question individual intentions.

Nonetheless, such questions were deployed, accusations traded, and nefarious purposes perceived.  No great surprise in regard to cybersecurity or anything else.

Each side is attempting to steer between what many perceive as two great rocks: one threatening to turn our own government into a privacy-devouring monster while the other is already undermining our economic and military strength.  Which rock is more dangerous?  Toward which is the current pushing us?  Is there a safe way between? (To see the solution found by Jason and the Argonauts, check out this YouTube.)


Until the mid-19th Century students were usually introduced to Plato with First Alcibiades.  In this dialogue Socrates engages in his well-known method of inquiry with a promising young politician. The narrative explores the tension between decisions made for effect and decisions that are effective.

Below is a Reader’s Digest version of First Alcibiades.  For me it has implications for the current cybersecurity legislation, homeland security policy/strategy, and probably much more.

Socrates: Do you not see, then, that mistakes in life and practice are likewise to be attributed to the ignorance which has conceit of knowledge?
Alcibiades: Once more, what do you mean?
Socrates: I suppose that we begin to act when we think that we know what we are doing?
Alcibiades: Yes.
Socrates: But when people think that they do not know, they entrust their business to others?
Alcibiades: Yes.
Socrates: And so there is a class of ignorant persons who do not make mistakes in life, because they trust others about things of which they are ignorant?
Alcibiades: True.
Socrates: Who, then, are the persons who make mistakes? They cannot, of course, be those who know?
Alcibiades: Certainly not.
Socrates: But if neither those who know, nor those who know that they do not know, make mistakes, there remain those only who do not know and think that they know. (Bold highlight not in the original.)
Alcibiades: Yes, only those.
Socrates: Then this is ignorance of the disgraceful sort which is mischievous?
Alcibiades: Yes.
Socrates: And most mischievous and most disgraceful when having to do with the greatest matters?
Alcibiades: By far.
Socrates: And can there be any matters greater than the just, the honourable, the good, and the expedient?

Are our legislators asking authentic questions of those opposed to their proposals?  Are they listening carefully to the answers? Are we?  Do our answers acknowledge the reasonable and substantive concern of those asking questions?  Alcibiades was not so inclined.  He tended to see his political rivals as his enemy.  Socrates argued otherwise.

Socrates: And suppose that you were going to steer a ship into action, would you only aim at being the best pilot on board? Would you not, while acknowledging that you must possess this degree of excellence, rather look to your antagonists, and not, as you are now doing, to your fellow combatants?

What do we really know about our cyber-antagonists: criminals, vandals, terrorists, and more?  Technically, tactically, strategically what are the capabilities and objectives of our adversaries?  What is our claim?  What is our case?  Does the evidence persuade? Do we sometimes — inappropriately, even self-destructively — see those who question our claims as adversaries rather than allies in a common cause?

Socrates: What art makes men know how to rule over their fellow-sailors,— how would you answer?
Alcibiades: The art of the pilot. (Palin: aretes kybernetike)…
Socrates: And what do you call the art of fellow-citizens?
Alcibiades: I should say, good counsel, Socrates.
Socrates: And is the art of the pilot evil counsel?
Alcibiades: No.
Socrates: But good counsel?
Alcibiades: Yes, that is what I should say,— good counsel, of which the aim is the preservation of the voyagers.
Socrates: True. And what is the aim of that other good counsel of which you speak?
Alcibiades: The aim is the better order and preservation of the city.

How do we take good counsel together? Is there any way other than asking questions, listening carefully — even sympathetically — to uncomfortable answers, and then asking uncomfortable questions before listening again?  Is this what we saw in the House this week?  Is this what you experienced in your home, neighborhood, workplace and city this week?

Socrates: O my friend, be persuaded by me, and hear the Delphian inscription, ‘Know thyself’— not the men whom you think, but these kings are our rivals, and we can only overcome them by pains and skill…
Alcibiades: I entirely believe you; but what are the sort of pains which are required, Socrates,— can you tell me?

If  Socrates’ claim — Know Thyself — seems off-topic, irrelevant to cybersecurity, and impractical for present purposes, please explain why.  Socrates, or probably Plato, makes this case:

Socrates: Consider; if some one were to say to the eye, ‘See thyself,’ as you might say to a man, ‘Know thyself,’ what is the nature and meaning of this precept? Would not his meaning be:— That the eye should look at that in which it would see itself?
Alcibiades: Clearly.
Socrates: And what are the objects in looking at which we see ourselves?
Alcibiades: Clearly, Socrates, in looking at mirrors and the like.
Socrates: Very true; and is there not something of the nature of a mirror in our own eyes?
Alcibiades: Certainly.
Socrates: Did you ever observe that the face of the person looking into the eye of another is reflected as in a mirror; and in the visual organ which is over against him, and which is called the pupil, there is a sort of image of the person looking?
Alcibiades: That is quite true.
Socrates: Then the eye, looking at another eye, and at that in the eye which is most perfect, and which is the instrument of vision, will there see itself?
Alcibiades: That is evident.
Socrates: But looking at anything else either in man or in the world, and not to what resembles this, it will not see itself?
Alcibiades: Very true.
Socrates: Then if the eye is to see itself, it must look at the eye, and at that part of the eye where sight which is the virtue of the eye resides?
Alcibiades: True.
Socrates: And if the soul, my dear Alcibiades, is ever to know herself, must she not look at the soul; and especially at that part of the soul in which her virtue resides, and to any other which is like this?
Alcibiades: I agree, Socrates.
Socrates: And do we know of any part of our souls more divine than that which has to do with wisdom and knowledge?
Alcibiades: There is none.
Socrates: Then this is that part of the soul which resembles the divine; and he who looks at this and at the whole class of things divine, will be most likely to know himself?
Alcibiades: Clearly.
Socrates: And self-knowledge we agree to be wisdom?
Alcibiades: True.

Let’s look each other in the eye, ask, answer, and listen carefully.  We depend on this dialogue — especially with those who disagree with us — to open the way to any sort of wisdom.

By the way: despite Socrates best effort, Alcibiades became a successful politician and a catastrophic helmsman. Athens suffered horribly from his persistent lack of self-knowledge. This did not dissuade Socrates from encouraging self-knowledge among others.  But this was not always well-received.  See the Apology.

April 26, 2012

Shared cybersecurity sensibilities squandered in the scuffle

Filed under: Cybersecurity — by Philip J. Palin on April 26, 2012

One side compromised with the other, alleged deals were done, criticisms were leveled, a possible veto was signaled (threatened would be too strong in this case),  alleged deals unraveled, unprincipled behavior was alleged.  Further compromise was probably undermined. See Declan McCollough’s report  at CNET.

Yesterday was a typical afternoon on Capitol Hill.   A very similar summary might be written of your local City Hall, union hall, church board, or any place that decision making takes place.  Something like this has happened since we first gathered around pre-historic fire pits.

Unlike many of our challenges, differences of judgment on cybersecurity cross partisan and ideological divides.  This is a good thing suggesting the potential for actual thinking and creativity has not — yet — been extinguished.

There is also a widely shared judgment that something needs to be done.

Four Senators blogging at The Hill criticize the House legislation as insufficient, but also argue, “The system is already blinking red in warning. FBI Director Robert Mueller has predicted that, in the near future, cyberattacks will surpass terrorism as the country’s greatest threat, while Chertoff, who served in the George W. Bush administration, said cyber threats are “one of the most seriously disruptive challenges to our national security since the onset of the nuclear age.”

In a Statement of Administration Policy, unidentified authors at the Office of Management and Budget write:

The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation’s vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.

In an opinion piece Congressman Mac Thornberry writes, “We cannot let the quest for the perfect, overarching bill prevent us from achieving the good, a-step-in-the-right-direction bill. In cybersecurity, we cannot afford to wait any longer to get it done perfectly. We need to act now.”

For most of those engaged in this legislative process the question is not if, but how.   Would be remarkable if the contestants might recognize how much they agree.  I wonder what sort of legislation might emerge from such an epiphany?

The four pieces of cybersecurity legislation should be considered by the Committee of the Whole later today.  I will be offline, but will join you in watching and listening for what the process might say about cybersecurity and more.

LATE THURSDAY UPDATE: Late this afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval is unlikely.  The White House has raised the prospect of a veto.

April 25, 2012

Cybersecurity: Pro and con for wonks

Filed under: Cybersecurity — by Philip J. Palin on April 25, 2012

Today and tomorrow will be big days for the cybersecruity package being moved through the House.  A Friday vote (or votes) is promised. Lots of ink and bytes are available on the issues.

The House Permanent Select Committee is providing access to the proposed bill and emerging amendments.

Here are two more sources for a deeper dive.

PRO CISPA et cetera:

See the Information Technology Council.   Don’t miss the links available via their twitter feed, page right.

CONTRA CISPA et cetera:

See the Center for Democracy and Technology.  Don’t miss the links available via their blog posts, page right.



… Dangerous economic predators, including nation-states like China, use the Internet to steal valuable information from American companies and unfairly compete with our economy. The cost is staggering. Years of effort and billions of dollars in research and development, strategic business plans, communications, and other sensitive data—all are lost in seconds. The victims span all sectors of our economy, from small businesses to large pharmaceutical, biotech, defense, and IT corporations. Additionally, our industrial control systems, utilities networks, and critical infrastructure are at risk of sabotage. We must all work together, government and private sector, to defend America against these predators, and we must do it in a way that does not compromise our core principles. The Cyber Intelligence Sharing and Protection Act allows us to take that first critical step of sharing information in a way that is effective but still protects our civil liberties. MORE (Representative Mike Rogers, Chairman, House Permanent Select Committee on Intelligence)


The latest assault on internet freedom is called the “Cyber Intelligence Sharing and Protection Act,” or “CISPA,” which may be considered by Congress this week.  CISPA is essentially an internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight–provided, of course, that they do so in the name of “cybersecurity.”  The bill is very broadly written, and allows the Department of Homeland Security to obtain large swaths of personal information contained in your emails or other online communication.  It also allows emails and private information found online to be used for purposes far beyond any reasonable definition of fighting cyberterrorism. CISPA represents an alarming form of corporatism, as it further intertwines government with companies like Google and Facebook.  It permits them to hand over your private communications to government officials without a warrant, circumventing well-established federal laws like the Wiretap Act and the Electronic Communications Privacy Act.  It also grants them broad immunity from lawsuits for doing so, leaving you without recourse for invasions of privacy.  Simply put, CISPA encourages some of our most successful internet companies to act as government spies, sowing distrust of social media and chilling communication in one segment of the world economy where America still leads. MORE (Representative Ron Paul, Chairman of the Subcommittee on Domestic and Monetary Policy, House Financial Services Committee)

Scroll below for more attention from HLSWatch.  A prior post on a related Senate proposal is available here. More to come.

Late Wednesday Update: Politico has a good summary of the state-of-play as of dinner time.   PCWorld is providing good sustained coverage of both political developments and their technical implications.

April 24, 2012

Cybersecurity Awareness and Capacity Building: Some learning objectives

Filed under: Cybersecurity,Education — by Christopher Bellavita on April 24, 2012

Sunday and Monday’s Homeland Security Watch posts reminded me how little I know about cyber fill-in-the-blank issues.  I know more than I did a year ago. But every time I hear or read something from someone who actually understand cyber issues, what I believe I know becomes a much smaller fraction of what I think I could know.

This week’s posts also reminded my of a “cyber awareness” course syllabus a friend sent to me last June when I was trying to make sense of the cyber domain.  The best I can figure out, the 20 page syllabus came from someone named “Paul Herman” at Florida State University.  I have not been able to verify that.

I bring this up for two reasons.

First, this is cyber week on homeland security watch, and I agreed to write something about cyber, severely underestimating how much time it would take to write something coherent about Susan Brenner’s 2009 reminder that “Article I § 8 of the U.S. Constitution gives Congress the “Power To . . . grant Letters of Marque and Reprisal,” and how we might want to consider using that Constitutional authority to encourage “cyber-privateers to deal with cybercriminals.” (See also this related entry on the Morgan Doctrine blog; [and thanks for the idea, KS].)

Second, when I first saw “Paul Herman’s course syllabus” I remember being impressed with how much territory it covered, and how it actually included “learning objectives.”

The syllabus helped me map my own preliminary cyber learning agenda.  I pass a very small portion of it (topics and learning objectives) along today, with the hope it might help someone develop his or her own agenda for learning about (or maybe teaching) this still emerging homeland security issue.

Thank you, “Paul Herman,” whoever you are.


Module 1: The Importance of Cyberspace

Much like globalization writ large, those states and societies that catch the cyberspace bus will tend to move forward, while those that miss it will tend to be left behind.

Learning Objectives:
When you complete this module you should be able to:
• Define Cyberspace and Cybersecurity
• Recognize the centrality of cyberspace to contemporary life
• Recognize the inherent vulnerabilities of utilizing cyberspace
• Differentiate the key sub-dimensions within the overall cybersecurity subject area

Module 2: Invasion of Personal Privacy

Increasingly, individuals’ confidential records and affiliations are stored or expressed on the Internet.

Learning Objectives:
• List the types of personal data that are increasingly connected to the Internet
• Comprehend the visibility of many personal behaviors on the Internet
• Conclude that this type of personal exposure entails risks to individuals

Module 3: Sexual Exploitation / Predation

The Internet lends itself to taking advantage of the physically and emotionally most vulnerable members of society.

Learning Objectives:
• Evaluate the impact on children of their forcible sexual depiction
• Evaluate the impact on women’s status in society
• Analyze the potential for predatory actors on the Internet to misrepresent themselves and lure other gullible participants into dangerous rendezvouses and relationships

Module 4: Disgruntled Insiders

Severe damage is arguably more likely to be done to your organization by persons who legitimately belong there than by external hackers.

Learning Objectives:
• Determine if unhappy employees in an organization are prone to stealing or destroying information assets as a type of revenge or justice seeking
• Determine if unhappy employees in a factory or supply chain are susceptible to being recruited to alter or degrade information and communication technology (ICT) products
• Assess the implications of the … WikiLeaks case

Module 5: Personal Financial Theft

The heist of digitized currency is probably the most prevalent cybercrime in the world.

Learning Objectives:
• Recognize the ease and frequency with which credit card numbers are stolen
• Recognize the susceptibility of financial data, including bank accounts, to being stolen
• Discover that stolen financial account data is sometimes sold to other criminals, or used to blackmail / extort victimized institutions.

Module 6: Corporate Espionage

Building competitive, innovative economies – aided by theft if need be – is probably more conducive to national security than is amassing armaments.

Learning Objectives:
• Estimate the magnitude of the value of stolen Intellectual Property (IP)
• Identify the different types of actors involved in stealing IP
• Explore the potential for commercial competitors to try to ruin one another’s reputation
• Assess the implications of a recent high-vis corporate penetration

Module 7: Violent Extremist Collaboration

Violent extremists bolster one another in cyberspace and exchange tricks of the trade.

Learning Objectives:
• Recognize how extremist groups and individuals can use cyberspace to incite violent impulses
• Recognize the availability of weapon and explosive device designs on the Internet
• Recognize group tactic sharing and operational attack planning on the Internet

Module 8: Critical Infrastructure Disruption

For ease of operation, many of the services citizens count on – utilities/energy, transportation, and financial markets – are increasingly accessible from the Internet.

Learning Objectives:
• List critical infrastructures
• Explain control systems, and illustrate their importance via the recent Stuxnet case
• Interrelate critical infrastructures and how failure in one might cascade

Module 9: National Security Espionage

In the U.S. case, Pentagon and State Department computer systems are probed thousands of times daily.

Learning Objectives:
• Recognize that the Internet provides nation-states and their intelligence agencies with vastly expanded capabilities to furtively acquire information.
• State some of the military and diplomatic advantages that would come from effective espionage.

Module 10: Information Operations / Cyber War

Cyber war is a force multiplier that developing nations will increasingly want to take account of.

Learning Objectives:
• Recognize that information operations can interfere with critical infrastructure, which is the logistical mechanism for mobilizing in a crisis
• Recognize that degraded targeting data make smart bombs dumb
• Observe that small nation-states are often the target of information operations during a confrontation (as illustrated by Estonia and Georgia opposite Russia in 2007 and 2008, respectively)

Module 11: Summary Patterns

This is a bigger problem than most people realize. Critical infrastructure is increasingly regulated in cyberspace, and such infrastructure is essential for an effective response to any emergency – natural or manmade.

Learning Objectives:
• Deduce or recall examples of how the aforementioned subdivisions of cyber security are nested or interrelated.
• Explain how cyber insecurity can have systemic – economic and/or political – effects
• Recognize that even developing states are not insulated from high-tech cyber concerns

Module 12: Technical Digression

…[It] must be realized that at bottom line, cyber security is heavily a function of computer science / network administration.

Learning Objectives:
• Describe how the leading types of malicious software (malware) work
• Describe the leading techniques exploiters use to trick Internet users.
• Identify several information technology (IT) best practices that aim to blunt computer exploitation

Module 13: A Policy Framework for Cyber Security

While governments alone cannot ensure cybersecurity, they can put in place a policy framework that facilitates it.

Learning Objectives:
• Articulate a case for states to formulate a national cyber strategy
• Explain the connection between legislated authorities and regulatory activities
• List key national cybersecurity institutions
• Identify sources of international / multilateral support

Module 14: A Culture of Cybersecurity

Societal features external to government IT programs contribute to a broad milieu of cyber safety.

Learning Objectives:
• Assess the adequacy of national science and technology (S&T) education
• Examine the adequacy of national business culture for fully incorporating cyber vulnerability into risk management formula
• Comprehend the need for civil society bodies to credential properly trained information security professionals

April 23, 2012

What Is The Nature of the Cyber Threat?

Filed under: Cybersecurity — by Arnold Bogis on April 23, 2012

As Ms. Herrera-Flanigan introduced in her last post, it is “Cybersecurity Week” for the U.S. House of Representatives. I am going to go out on a limb and guess that it will neither be as popular as the Cherry Blossom Festival or as successful as the Washington Nationals’ pitching staff so far this baseball season.

The problem is not that cyber issues are not important or do not deserve attention.  Legislative action, though almost never the panacea perceived in Washington, would likely be helpful.  The larger issue is that cyber _____ (insert your favorite descriptor here: war, crime, espionage, terrorism, etc.) is terribly difficult to define.

Exactly what is the problem and who should be worried about it? What is the threat and the potential consequences of a successful…something?

Starting with the “hair on fire” group, you have national security mavens such as former Special Advisor to the President for Cyber Security (among other things) Richard Clarke, who is concerned about cybercrime:

FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

But by failing to act, Washington is effectively fulfilling China’s research requirements while helping to put Americans out of work. Mr. Obama must confront the cyberthreat, and he does not even need any new authority from Congress to do so.

And cyberwar:

Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do “preparation of the battlefield” by lacing other countries’ networks with “Trojan horses” or “back doors” in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in “active defense” under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?

More recently John Brennan, the President’s Counterterrorism and Homeland Security Adviser, took to the Opinion page of the Washington Post to make a similar argument about the threat of cyberattacks:

Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.

Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depend on the integrity and security of their computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.

However, noted cyber scholar Evgeny Morozov would like to push down on the brake:

Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government’s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.

Steven Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents “a classical opportunity for threat inflation.” Mr Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.

Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today’s hype, he says, leads us to believe that “we need to develop an offensive capability in order to defend against an attack that isn’t coming—it’s the old ‘bomber gap’ all over again: a flimsy excuse to militarize.”

The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.

All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.

Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable

As you continue to dig deeper, one will find a vigorous continued disagreement about various aspects of the cybertopic.  For example, Foreign Policy published he said/he said articles on cyberwar.  On the “eh” side, Thomas Rid:

Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.

Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the “wars” on obesity and cancer. Yet those ailments, unlike past examples of cyber “war,” actually do kill people.

Pushing back, noted RAND scholar and co-author of the influential book, “The Advent of Netwar,” John Arquilla:

Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.

I have been bemused by the high level of attention given to this second mode of “strategic cyberwar.” Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.

Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects.

Returning to cybercrime, Melissa Hathaway, former acting senior director for cyberspace on the National Security Council,wants to take a “Byte Out of Cybercrime:”

This paper provides a brief overview of the cybercrime problem and examines five case studies to demonstrate that, while national and international law enforcement authorities are working together to address cybercrime, with additional tools they could make even more progress going forward. Today’s efforts are under-resourced and hampered by outdated laws. Nonetheless, by sharing actionable information and applying novel interpretations of the law, authorities around the globe are finding ways to address the cybersecurity problem. The recommendations that follow the case studies seek to build on the successes and lessons learned.

While two Microsoft researchers want us all to take a deep breath and point out some potential problems in trying to estimate the consequences:

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really.

The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.

Are you confused yet?  I am.  And noted political scientist Joseph Nye does not want to make it any easier by asking simple questions:

The United States may be ahead of other countries in its offensive capabilities in cyber, but because it depends so much on cyber, it is also more vulnerable. What, then, should our policy be? When it comes to thinking about cyber, we are at about the same place people were in 1950 when thinking about the nuclear revolution. We know it is something new and big and that it is transformative, but we haven’t thought out what offense means, what defense means. What is deterrence in such a world? What is strategy? How do we fit the pieces together? Can we establish rules of the road? Can we find an analogue in arms control, or is that an unlikely model for something that is apparently unverifiable? The first efforts at arms control didn’t bear fruit until twenty years after the first nuclear explosion and came about largely to deal with third parties (the Nuclear Non-Proliferation Treaty) or because of concerns with environmental fallout (the Limited Test Ban Treaty). Not until the 1970s, some thirty years after the technology emerged, were the first bilateral arms control agreements signed, and not until the 1980s did leaders of the two superpower nations proclaim that nuclear war cannot be won and must never be fought. Forty years were needed to develop a powerful basic normative agreement. In cyber, we are still around 1950. What this means is that we can no longer treat cyber and the other aspects of power diffusion as something to be left to the technocrats or the intelligence specialists.

We have to develop a broader awareness in the public and in the policy community to be able to think clearly about how we trade off different values and develop sensible strategies for cyber.

So where does this all leave us? With a whole bunch of questions:

What are the cyber threats we should worry about the most?

What cyber threats should be considered “homeland security,” “national security,” “economic security,” or something else entirely?

How can we delineate what are personal, business/NGO, or local/state/federal responsibilities for cybersecurity?

How can we divide up the responsibility pie between all the various actors at the federal level–DHS, DOD, State, etc.?

Will Hollywood do the right thing and resist any temptation to remake “War Games?”

So many questions and, at this point, so few answers.

April 22, 2012

Cybersecurity Week in the House

Filed under: Cybersecurity,General Homeland Security — by Jessica Herrera-Flanigan on April 22, 2012

Today marks the start of the self-declared “Cybersecurity Week” in the House.  Last Friday, the House Republican Leadership announced that four bills would be considered this week to “address the cybersecurity threat facing our country.”  In announcing the schedule, Speaker Boehner, Majority Leader Cantor, and the House GOP’s Cybersecurity Task Force Leader Thornberry, stated:

The focus of these bills is consistent with the recommendations released by the task force last October that address the central issue the federal government and industry have stated must be addressed now: updating existing cybersecurity laws to provide the legal authorities to allow for information-sharing and public-private partnerships. Information-sharing is crucial to stopping the persistent and aggressive threat facing all aspects of our economy, our critical infrastructure, our communications, and our nation’s security.

The focus of these bills is consistent with the recommendations released by the task force last October that address the central issue the federal government and industry have stated must be addressed now: updating existing cybersecurity laws to provide the legal authorities to allow for information-sharing and public-private partnerships. Information-sharing is crucial to stopping the persistent and aggressive threat facing all aspects of our economy, our critical infrastructure, our communications, and our nation’s security.

Overall, the bills enjoyed somewhat bipartisan support, though as discussed in a bit, much of the criticism has been focused on what was not included as what was.  Among the bills to be considered:

  • Cyber Intelligence Sharing and Protection Act (H.R. 3523) – A Mike Rogers (R-MI)/Dutch Ruppersberger (D-MD) bill coming out of the Intelligence Committee.  The bill would allow the government to provide classified information to companies to allow them to to protect their networks.  The bill also authorizes private-sector entities to defend their own networks and to those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government on a purely voluntary basis.   This bill, which many consider the lynchpin of the House efforts, has garnered significant criticism from the privacy and civil liberties groups.  These interests have equated the bill to the doomed SOPA/PIPA bills, stating that it violates Constitutional rights.  The sponsors made significant changes last week to try to address the privacy concerns but still have met criticism.  Just last Friday, House Homeland Security Committee Ranking Member Bennie Thompson (D-MS) sent around a Dear Colleague stating that the bill “would create a “Wild West” of cyber information sharing, where any certified private entity can share information with any government agency.” Despite these criticisms, the bill has garnered the support of numerous companies and technology groups.
  • Federal Information Security Amendments (H.R. 4257) – Introduced by Oversight and Government Reform Chairman Darrell Issa, this bill tackles the mess that is the Federal Information Security Management Act (FISMA).  It improves the framework for securing information technology systems, focusing on “automated and continuous” monitoring and dictates that OMB should play a significant role in FISMA compliance. The bill is relatively uncontroversial, as most agree that FISMA needs fixing.
  • Cybersecurity Enhancement Act (H.R. 2096) – Another uncontroversial bill is Rep. Mike McCaul’s (R-TX) legislation tackles cyber R&D.  It strengthens NSF and NIST technical standards and cybersecurity awareness, education and talent development capabilities.
  • Advancing America’s Networking and Information Technology Research and Development (NITRD) Act (H.R. 3834) - Introduced by Science, Space & Technology Chairman Ralph Hall (R-TX), this bill reauthorizes the NITRD program, including its efforts relating to cyber R&D. This is another bill that is uncontroversial.

Missing from the list above?  Rep. Dan Lungren’s  (R-CA) PRECISE Act, which the Congressman essentially gutted during the House Homeland Security Committee Full Committee mark-up last week so as to win the support of House Republican leadership for inclusion in cybersecurity week.  The bill, which provided for the creation of voluntary cybersecurity standards that would be created by DHS and the private sector, apparently was still too regulatory in nature for the House’s Leadership, which preferred to leave unaddressed how critical infrastructures are secured.  There is still a chance that Rep. Lungren’s bill will be offered during the week, though that is seen as unlikely given Democratic opposition to the scaled back version of the bill that passed out of Committee along partisan lines.

Other issues that are not being addressed this week but we might see legislation on in the coming months:

  • cybercrime penalties and authorities. The House Judiciary Committee was expected to mark up legislation this past month but is reassessing its efforts in light of the 9th Circuit’s decision in U.S. vs Nosal a few weeks ago limiting the Computer Fraud and Abuse Act’s application in certain cases;
  • electric grid security: House Energy & Commerce may look more closely at cyber efforts to secure smart grids and the like
  • data breach/notification: Perhaps the issue that affects consumers the most in their day-to-day lives, it is unclear whether the House will move any legislation on this front, though Rep. Mary Bono Mack (R-CA) of the House Energy & Commerce Committee has mentioned that she is taking a close look at the issue and legislation.

Whatever happens in the House this week, the future of cybersecurity legislation remains unclear. The Senate has the Lieberman-Collins bill that has been awaiting action for months.  Whether the House’s decision to move forward on legislation will motivate the Senate to act is not known though it is clear that the issue of cybersecurity is not going away anytime soon.


February 27, 2012

A discussion on cybersecurity legislation

Filed under: Cybersecurity — by Arnold Bogis on February 27, 2012

Last week, the George Washington University’s Homeland Security Policy Institute (HSPI) held a “Conversation on Cybersecurity Legislation with Mike McConnell, Michael Chertoff, and Senior Congressional Staff.” Video of the event, along with background materials, can be found here: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm

On one hand, the sausage-making portion of the discussion with congressional staff was interesting, if not too enlightening to one uninitiated in the dark legislative arts. On the other, former DHS Secretary Chertoff and former DNI McConnell seemed to echo some of Phil’s framing of the cyber issue in his last post.

Obviously, these two men fall into Phil’s descriptive pot “Those that may make money on increased attention to cybersecurity are in favor of the current proposal.” In fact, both gentlemen agreed that the current legislation is a start, but that more is required.  To be fair, both also have extensive knowledge of the threats and vulnerabilities involved in the cyber domain.

More interesting, to me at least, was their description of the issue of regulation vs. collaboration that serves to reinforce Phil’s frame.  To paraphrase Chertoff: “how can you expect a company that is worth $10 million to voluntarily spend $1 million on cyber security, despite the fact that the cascading vulnerabilities could cost the nation $10 billion?” While McConnell discussed the military’s initial aversion to Goldwater-Nichols reforms, now credited with producing a superior fighting force that not only collaborates because they have to, but because of the specific design of the system such cooperation is something they now want to accomplish.

Phil characterized it in his last post:

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

If you are interested in cybersecurity, I would highly recommend going back and re-reading Phil’s piece with his intriguing suggestion that cybersecurity lessons can be derived from the model of the Coast Guard: http://www.hlswatch.com/2012/02/24/creating-a-cyber-coast-guard/

Then watch the HSPI event, which may shed some light on the competing legislative priorities and processes that may, hopefully, someday result in a bill: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm


One new item from today and one a few days old (h/t to Bill Cumming) on the cyber front.

The Washington Post reports on the tussle between the White House and NSA over the access and monitoring for threats/privacy rights divide:

The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.

The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.

NSA officials portrayed these measures as unobtrusive ways to protect the nation’s vital infrastructure from what they say are increasingly dire threats of devastating cyberattacks.

But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations; internal documents reviewed by The Washington Post backed these descriptions.

A few days ago, the Government Security News website reported on remarks by former NSA and CIA Director Michael Hayden that covered topics not usually associated with cyber issues: mitigation, response, and recovery:

So, when Hayden says the U.S. may be spending too much time thinking about cyber vulnerabilities and not enough time thinking about the actual consequences of a successful cyber attack, it probably makes sense to pay attention.

“We may be at the point of diminishing returns by trying to buy down vulnerability,” the general observed. Instead, he added, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them.

“I cannot stop them at the perimeter,” Hayden acknowledged, “so, how do I deal with the fact that they are on the inside.”

February 24, 2012

Creating a Cyber Coast Guard

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 24, 2012

It is not yet clear if the Cybersecurity Act of 2012 will be taken up by the whole Senate — as previously announced — or disappear into committee review while under sustained attack by those opposed.

Senator John McCain, one of those opposed, has promised a competing piece of legislation:

The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. Our bill, which will be introduced when we return from the Presidents’ Day recess, will provide a common-sense path forward to improve our nation’s cybersecurity defenses.

Last Friday I outlined the perceived — in my judgment, real — tension between collaboration and compliance that any approach to effective cybersecurity will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.)

Some private sector organizations have welcomed the opportunity to frame-up the process, others are ready to do what they can to stop any movement to regulation. So far the private sector line-up on each side seems mostly to reflect revenue streams. Those that may make money on increased attention to cybersecurity are in favor of the current proposal, those that see cybersecurity mostly as a cost are opposed. (The cost-benefit discussion is, so far, not very sophisticated on either side.)

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

Whichever of the current sides win, execution will be key. The current legislation addresses execution primarily under Title III through a DHS National Center for Cybersecurity and Communications. The new entity would combine several existing offices, and would be directed by a Presidential appointee confirmed by the Senate. Here are the director’s duties enumerated in the current legislation:

(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;

(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;

(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;

(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and

(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.

Title III continues for another 28 pages. Included under Authorities and Responsibilities of the Center, “serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure.”

On page 114 of the proposed legislation a supervisor training program for the Center is set out. The current language suggests Senator Akaka and his staff have persisted in pushing his perennial concerns. It’s all good. It could be better.

The currently proposed training program  is mostly internally focused. I suggest language be added to focus on mission achievement. Consider for a moment a supervisor training curriculum focused on just one of the duties listed above, ” support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure”

What is the nature of the private sector?

What are the private sector’s current efforts related to cyberspace?

What does “secure”, “protect”, and “ensure the resiliency” of cyberspace mean?

What is the national information infrastructure?

What does it mean to “support” the private sector? Why this verb rather than another?

That would be an interesting — valuable — curriculum.   Develop similar curricula around each of the statutory goals, include private sector participants in the curriculum… and a whole new approach to private-public collaboration might be cultivated.

This curriculum should  include a heavy dose of culture, a culture of private-public collaboration.  If the Center becomes a cyber-SEC none of us will be any safer.   Cybersecurity cannot focus on accountability after-the-fact.  The focus must be on cultivating a culture of prevention and resilience, not compliance.

For this purpose, I propose the Akaka Academy for Cybersecurity give close attention to the way the Coast Guard cultivates a collaborative relationship with owners and operators of marine vessels. Just for a taste of what I mean, consider the implications of the following written instruction from a Coast Guard flag officer… and this is not atypical, this approach is entirely consistent with  standard Coast Guard practice.

The Coast Guard’s objective is to administer vessel inspection laws and regulations so as to promote safe, well equipped vessels that are suitable for their intended service. It is not the Coast Guard’s intent to place unnecessary economic and operational burdens upon the marine industry. In determining inspection requirements and procedures, inspection personnel must recognize and give due consideration to the following factors:

  • Delays to vessels, which can be costly, need to be balanced against the risks imposed by continued operation of the vessel, with safety of life, property, and the environment always the predominant factor over economics;
  • Certain types of construction, equipment, and/or repairs are more economically advantageous to the vessel operator and can provide the same measure of safety;
  • Some repairs can be safely delayed and can be more economically accomplished at a different place and time;
  • The overall safety of a vessel and its operating conditions, such as route, hours of operations, and type of operation, should be considered in determining inspection requirements;
  • Vessels are sometimes subject to operational requirements of organizations and agencies other than the Coast Guard; and
  • A balance must be maintained between the requirements of safety and practical operation. Arbitrary decisions or actions that contribute little to the vessel’s safety and tend to discourage the construction or operation of vessels must be avoided.

I know of no better example of effective private-public collaboration than that of the U.S. Coast Guard with the industry it helps regulate, serve, and sometimes save.  It is a cultural model well-suited to the cyber domain.

February 17, 2012

Cybersecurity Act: Collaboration v. Compliance?

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 17, 2012

On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012.  The Committee’s Chairman, Joseph Lieberman (I-CT) and ranking member, Susan Collin’s (R-ME) are co-sponsors.

The roll-out has been impressive.  Check out the Committee’s website for gobs of additional background.  All-star testimony was taken on Thursday.

My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption.  Rapid approval by the Senate is a big part of the legislative strategy.

Every cyber-specialist, like Jessica, I have communicated with supports the legislation.  Those on the Hill who have come out against are – so far – objecting mostly to procedural or cost concerns. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)

Yesterday I used a cross-continent flight to read the 205 pages of statutory prose.  Politico called it a “door-stop of a bill.”

Taken at face-value the language could hardly be more benign.

The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”

To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.

In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.

As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more.  For example, here are three sections of Title VII Information Sharing (page 163):

(d) EXEMPTION FROM PUBLIC DISCLOSURE.—An cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

(e) EXEMPTION FROM EX PARTE LIMITATIONS.— Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Please, please, please let us know when you are in danger, we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.

No one tells me the cyberthreat is overdone.   Most tell me it is already worse than is generally known. Threats, vulnerabilities, and consequences are expected to grow.

Everyone seems ready to agree – at least behind closed-doors – the legislation is well-intended and designed to tee-up a meaningful process of private-public consultations, not pre-ordain the results of that consultation.  If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.

But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.”  According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance.  “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again.  That’s not what we need.  They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance.  Risk management is hard.  Compliance is easy.  In one case you invest in real outcomes, in the other you create a legally defensible illusion.”

When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved.  That’s been a problem.  It’s been easy for government relations people to show up.   We need CIOs, CTOs, CFOs, COOs, and CEOs.  One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured.  No one wants to regulate, but we need to get real about the risk.”

As the Congressional staffer continued he went even further, “You know what?  This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die.  Russian mafia, Iranian Quds, Chinese class project – who knows who?  Then just imagine the rush to regulation.”

Maybe I am overly influenced by two men who were each speaking with evident candor and concern.   But I come away thinking they are probably both right.

The issue is not so much current Congressional intent as longer-term execution.  Whenever legislation is adopted, how can we keep the focus on substantive collaboration?  Next Friday I will offer a suggestion.

« Previous PageNext Page »