Homeland Security Watch

News and analysis of critical issues in homeland security

April 24, 2012

Cybersecurity Awareness and Capacity Building: Some learning objectives

Filed under: Cybersecurity,Education — by Christopher Bellavita on April 24, 2012

Sunday and Monday’s Homeland Security Watch posts reminded me how little I know about cyber fill-in-the-blank issues.  I know more than I did a year ago. But every time I hear or read something from someone who actually understands cyber issues, what I believe I know becomes a much smaller fraction of what I think I could know.

This week’s posts also reminded me of a “cyber awareness” course syllabus a friend sent to me last June when I was trying to make sense of the cyber domain.  The best I can figure out, the 20-page syllabus came from someone named “Paul Herman” at Florida State University.  I have not been able to verify that.

I bring this up for two reasons.

First, this is cyber week on homeland security watch, and I agreed to write something about cyber, severely underestimating how much time it would take to write something coherent about Susan Brenner’s 2009 reminder that “Article I § 8 of the U.S. Constitution gives Congress the “Power To . . . grant Letters of Marque and Reprisal,” and how we might want to consider using that Constitutional authority to encourage “cyber-privateers to deal with cybercriminals.” (See also this related entry on the Morgan Doctrine blog; [and thanks for the idea, KS].)

Second, when I first saw “Paul Herman’s course syllabus” I remember being impressed with how much territory it covered, and how it actually included “learning objectives.”

The syllabus helped me map my own preliminary cyber learning agenda.  I pass a very small portion of it (topics and learning objectives) along today, with the hope it might help someone develop his or her own agenda for learning about (or maybe teaching) this still emerging homeland security issue.

Thank you, “Paul Herman,” whoever you are.

——————

Module 1: The Importance of Cyberspace

Much like globalization writ large, those states and societies that catch the cyberspace bus will tend to move forward, while those that miss it will tend to be left behind.

Learning Objectives:
When you complete this module you should be able to:
• Define Cyberspace and Cybersecurity
• Recognize the centrality of cyberspace to contemporary life
• Recognize the inherent vulnerabilities of utilizing cyberspace
• Differentiate the key sub-dimensions within the overall cybersecurity subject area

Module 2: Invasion of Personal Privacy

Increasingly, individuals’ confidential records and affiliations are stored or expressed on the Internet.

Learning Objectives:
• List the types of personal data that are increasingly connected to the Internet
• Comprehend the visibility of many personal behaviors on the Internet
• Conclude that this type of personal exposure entails risks to individuals

Module 3: Sexual Exploitation / Predation

The Internet lends itself to taking advantage of the physically and emotionally most vulnerable members of society.

Learning Objectives:
• Evaluate the impact on children of their forcible sexual depiction
• Evaluate the impact on women’s status in society
• Analyze the potential for predatory actors on the Internet to misrepresent themselves and lure other gullible participants into dangerous rendezvouses and relationships

Module 4: Disgruntled Insiders

Severe damage is arguably more likely to be done to your organization by persons who legitimately belong there than by external hackers.

Learning Objectives:
• Determine if unhappy employees in an organization are prone to stealing or destroying information assets as a type of revenge or justice seeking
• Determine if unhappy employees in a factory or supply chain are susceptible to being recruited to alter or degrade information and communication technology (ICT) products
• Assess the implications of the … WikiLeaks case

Module 5: Personal Financial Theft

The heist of digitized currency is probably the most prevalent cybercrime in the world.

Learning Objectives:
• Recognize the ease and frequency with which credit card numbers are stolen
• Recognize the susceptibility of financial data, including bank accounts, to being stolen
• Discover that stolen financial account data is sometimes sold to other criminals, or used to blackmail / extort victimized institutions.

Module 6: Corporate Espionage

Building competitive, innovative economies – aided by theft if need be – is probably more conducive to national security than is amassing armaments.

Learning Objectives:
• Estimate the magnitude of the value of stolen Intellectual Property (IP)
• Identify the different types of actors involved in stealing IP
• Explore the potential for commercial competitors to try to ruin one another’s reputation
• Assess the implications of a recent high-vis corporate penetration

Module 7: Violent Extremist Collaboration

Violent extremists bolster one another in cyberspace and exchange tricks of the trade.

Learning Objectives:
• Recognize how extremist groups and individuals can use cyberspace to incite violent impulses
• Recognize the availability of weapon and explosive device designs on the Internet
• Recognize group tactic sharing and operational attack planning on the Internet

Module 8: Critical Infrastructure Disruption

For ease of operation, many of the services citizens count on – utilities/energy, transportation, and financial markets – are increasingly accessible from the Internet.

Learning Objectives:
• List critical infrastructures
• Explain control systems, and illustrate their importance via the recent Stuxnet case
• Interrelate critical infrastructures and how failure in one might cascade

Module 9: National Security Espionage

In the U.S. case, Pentagon and State Department computer systems are probed thousands of times daily.

Learning Objectives:
• Recognize that the Internet provides nation-states and their intelligence agencies with vastly expanded capabilities to furtively acquire information.
• State some of the military and diplomatic advantages that would come from effective espionage.

Module 10: Information Operations / Cyber War

Cyber war is a force multiplier that developing nations will increasingly want to take account of.

Learning Objectives:
• Recognize that information operations can interfere with critical infrastructure, which is the logistical mechanism for mobilizing in a crisis
• Recognize that degraded targeting data make smart bombs dumb
• Observe that small nation-states are often the target of information operations during a confrontation (as illustrated by Estonia and Georgia opposite Russia in 2007 and 2008, respectively)

Module 11: Summary Patterns

This is a bigger problem than most people realize. Critical infrastructure is increasingly regulated in cyberspace, and such infrastructure is essential for an effective response to any emergency – natural or manmade.

Learning Objectives:
• Deduce or recall examples of how the aforementioned subdivisions of cyber security are nested or interrelated.
• Explain how cyber insecurity can have systemic – economic and/or political – effects
• Recognize that even developing states are not insulated from high-tech cyber concerns

Module 12: Technical Digression

…[It] must be realized that at bottom line, cyber security is heavily a function of computer science / network administration.

Learning Objectives:
• Describe how the leading types of malicious software (malware) work
• Describe the leading techniques exploiters use to trick Internet users.
• Identify several information technology (IT) best practices that aim to blunt computer exploitation

Module 13: A Policy Framework for Cyber Security

While governments alone cannot ensure cybersecurity, they can put in place a policy framework that facilitates it.

Learning Objectives:
• Articulate a case for states to formulate a national cyber strategy
• Explain the connection between legislated authorities and regulatory activities
• List key national cybersecurity institutions
• Identify sources of international / multilateral support

Module 14: A Culture of Cybersecurity

Societal features external to government IT programs contribute to a broad milieu of cyber safety.

Learning Objectives:
• Assess the adequacy of national science and technology (S&T) education
• Examine the adequacy of national business culture for fully incorporating cyber vulnerability into risk management formula
• Comprehend the need for civil society bodies to credential properly trained information security professionals

April 23, 2012

What Is The Nature of the Cyber Threat?

Filed under: Cybersecurity — by Arnold Bogis on April 23, 2012

As Ms. Herrera-Flanigan introduced in her last post, it is “Cybersecurity Week” for the U.S. House of Representatives. I am going to go out on a limb and guess that it will be neither as popular as the Cherry Blossom Festival nor as successful as the Washington Nationals’ pitching staff so far this baseball season.

The problem is not that cyber issues are not important or do not deserve attention.  Legislative action, though almost never the panacea perceived in Washington, would likely be helpful.  The larger issue is that cyber _____ (insert your favorite descriptor here: war, crime, espionage, terrorism, etc.) is terribly difficult to define.

Exactly what is the problem and who should be worried about it? What is the threat and the potential consequences of a successful…something?

Starting with the “hair on fire” group, you have national security mavens such as former Special Advisor to the President for Cyber Security (among other things) Richard Clarke, who is concerned about cybercrime:

FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

But by failing to act, Washington is effectively fulfilling China’s research requirements while helping to put Americans out of work. Mr. Obama must confront the cyberthreat, and he does not even need any new authority from Congress to do so.

And cyberwar:

Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do “preparation of the battlefield” by lacing other countries’ networks with “Trojan horses” or “back doors” in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in “active defense” under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?

More recently John Brennan, the President’s Counterterrorism and Homeland Security Adviser, took to the Opinion page of the Washington Post to make a similar argument about the threat of cyberattacks:

Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.

Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depend on the integrity and security of their computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.

However, noted cyber scholar Evgeny Morozov would like to push down on the brake:

Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government’s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.

Steven Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents “a classical opportunity for threat inflation.” Mr Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.

Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today’s hype, he says, leads us to believe that “we need to develop an offensive capability in order to defend against an attack that isn’t coming—it’s the old ‘bomber gap’ all over again: a flimsy excuse to militarize.”

The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.

All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.

Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable.

As you continue to dig deeper, you will find vigorous, continuing disagreement about various aspects of the cyber topic.  For example, Foreign Policy published he-said/he-said articles on cyberwar.  On the “eh” side, Thomas Rid:

Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.

Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the “wars” on obesity and cancer. Yet those ailments, unlike past examples of cyber “war,” actually do kill people.

Pushing back, noted RAND scholar and co-author of the influential book, “The Advent of Netwar,” John Arquilla:

Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.

I have been bemused by the high level of attention given to this second mode of “strategic cyberwar.” Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.

Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects.

Returning to cybercrime, Melissa Hathaway, former acting senior director for cyberspace on the National Security Council, wants to take a “Byte Out of Cybercrime:”

This paper provides a brief overview of the cybercrime problem and examines five case studies to demonstrate that, while national and international law enforcement authorities are working together to address cybercrime, with additional tools they could make even more progress going forward. Today’s efforts are under-resourced and hampered by outdated laws. Nonetheless, by sharing actionable information and applying novel interpretations of the law, authorities around the globe are finding ways to address the cybersecurity problem. The recommendations that follow the case studies seek to build on the successes and lessons learned.

While two Microsoft researchers want us all to take a deep breath and point out some potential problems in trying to estimate the consequences:

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really.

The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.

Are you confused yet?  I am.  And noted political scientist Joseph Nye does not want to make it any easier by asking simple questions:

The United States may be ahead of other countries in its offensive capabilities in cyber, but because it depends so much on cyber, it is also more vulnerable. What, then, should our policy be? When it comes to thinking about cyber, we are at about the same place people were in 1950 when thinking about the nuclear revolution. We know it is something new and big and that it is transformative, but we haven’t thought out what offense means, what defense means. What is deterrence in such a world? What is strategy? How do we fit the pieces together? Can we establish rules of the road? Can we find an analogue in arms control, or is that an unlikely model for something that is apparently unverifiable? The first efforts at arms control didn’t bear fruit until twenty years after the first nuclear explosion and came about largely to deal with third parties (the Nuclear Non-Proliferation Treaty) or because of concerns with environmental fallout (the Limited Test Ban Treaty). Not until the 1970s, some thirty years after the technology emerged, were the first bilateral arms control agreements signed, and not until the 1980s did leaders of the two superpower nations proclaim that nuclear war cannot be won and must never be fought. Forty years were needed to develop a powerful basic normative agreement. In cyber, we are still around 1950. What this means is that we can no longer treat cyber and the other aspects of power diffusion as something to be left to the technocrats or the intelligence specialists.

We have to develop a broader awareness in the public and in the policy community to be able to think clearly about how we trade off different values and develop sensible strategies for cyber.

So where does this all leave us? With a whole bunch of questions:

What are the cyber threats we should worry about the most?

What cyber threats should be considered “homeland security,” “national security,” “economic security,” or something else entirely?

How can we delineate what are personal, business/NGO, or local/state/federal responsibilities for cybersecurity?

How can we divide up the responsibility pie between all the various actors at the federal level (DHS, DOD, State, etc.)?

Will Hollywood do the right thing and resist any temptation to remake “War Games?”

So many questions and, at this point, so few answers.

April 22, 2012

Cybersecurity Week in the House

Filed under: Cybersecurity,General Homeland Security — by Jessica Herrera-Flanigan on April 22, 2012

Today marks the start of the self-declared “Cybersecurity Week” in the House.  Last Friday, the House Republican Leadership announced that four bills would be considered this week to “address the cybersecurity threat facing our country.”  In announcing the schedule, Speaker Boehner, Majority Leader Cantor, and the House GOP’s Cybersecurity Task Force Leader Thornberry, stated:

The focus of these bills is consistent with the recommendations released by the task force last October that address the central issue the federal government and industry have stated must be addressed now: updating existing cybersecurity laws to provide the legal authorities to allow for information-sharing and public-private partnerships. Information-sharing is crucial to stopping the persistent and aggressive threat facing all aspects of our economy, our critical infrastructure, our communications, and our nation’s security.

Overall, the bills enjoyed somewhat bipartisan support, though, as discussed in a bit, much of the criticism has focused on what was not included rather than on what was.  Among the bills to be considered:

  • Cyber Intelligence Sharing and Protection Act (H.R. 3523) – A Mike Rogers (R-MI)/Dutch Ruppersberger (D-MD) bill coming out of the Intelligence Committee.  The bill would allow the government to provide classified information to companies to allow them to protect their networks.  The bill also authorizes private-sector entities to defend their own networks and those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government, on a purely voluntary basis.   This bill, which many consider the linchpin of the House efforts, has garnered significant criticism from privacy and civil liberties groups.  These interests have equated the bill to the doomed SOPA/PIPA bills, stating that it violates Constitutional rights.  The sponsors made significant changes last week to try to address the privacy concerns but still have met criticism.  Just last Friday, House Homeland Security Committee Ranking Member Bennie Thompson (D-MS) sent around a Dear Colleague stating that the bill “would create a “Wild West” of cyber information sharing, where any certified private entity can share information with any government agency.” Despite these criticisms, the bill has garnered the support of numerous companies and technology groups.
  • Federal Information Security Amendments (H.R. 4257) – Introduced by Oversight and Government Reform Chairman Darrell Issa, this bill tackles the mess that is the Federal Information Security Management Act (FISMA).  It improves the framework for securing information technology systems, focusing on “automated and continuous” monitoring and dictates that OMB should play a significant role in FISMA compliance. The bill is relatively uncontroversial, as most agree that FISMA needs fixing.
  • Cybersecurity Enhancement Act (H.R. 2096) – Another uncontroversial bill, Rep. Mike McCaul’s (R-TX) legislation tackles cyber R&D.  It strengthens NSF and NIST technical standards and cybersecurity awareness, education and talent development capabilities.
  • Advancing America’s Networking and Information Technology Research and Development (NITRD) Act (H.R. 3834) – Introduced by Science, Space & Technology Chairman Ralph Hall (R-TX), this bill reauthorizes the NITRD program, including its efforts relating to cyber R&D. This is another bill that is uncontroversial.

Missing from the list above?  Rep. Dan Lungren’s (R-CA) PRECISE Act, which the Congressman essentially gutted during the House Homeland Security Committee Full Committee mark-up last week so as to win the support of House Republican leadership for inclusion in cybersecurity week.  The bill, which provided for the creation of voluntary cybersecurity standards that would be developed by DHS and the private sector, apparently was still too regulatory in nature for the House’s Leadership, which preferred to leave unaddressed how critical infrastructures are secured.  There is still a chance that Rep. Lungren’s bill will be offered during the week, though that is seen as unlikely given Democratic opposition to the scaled-back version of the bill that passed out of Committee along partisan lines.

Other issues that are not being addressed this week but we might see legislation on in the coming months:

  • Cybercrime penalties and authorities: The House Judiciary Committee was expected to mark up legislation this past month but is reassessing its efforts in light of the 9th Circuit’s decision in U.S. v. Nosal a few weeks ago limiting the Computer Fraud and Abuse Act’s application in certain cases;
  • Electric grid security: House Energy & Commerce may look more closely at cyber efforts to secure smart grids and the like;
  • Data breach/notification: Perhaps the issue that affects consumers the most in their day-to-day lives, it is unclear whether the House will move any legislation on this front, though Rep. Mary Bono Mack (R-CA) of the House Energy & Commerce Committee has mentioned that she is taking a close look at the issue and legislation.

Whatever happens in the House this week, the future of cybersecurity legislation remains unclear. The Senate has the Lieberman-Collins bill that has been awaiting action for months.  Whether the House’s decision to move forward on legislation will motivate the Senate to act is not known though it is clear that the issue of cybersecurity is not going away anytime soon.


February 27, 2012

A discussion on cybersecurity legislation

Filed under: Cybersecurity — by Arnold Bogis on February 27, 2012

Last week, the George Washington University’s Homeland Security Policy Institute (HSPI) held a “Conversation on Cybersecurity Legislation with Mike McConnell, Michael Chertoff, and Senior Congressional Staff.” Video of the event, along with background materials, can be found here: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm

On one hand, the sausage-making portion of the discussion with congressional staff was interesting, if not too enlightening to one uninitiated in the dark legislative arts. On the other, former DHS Secretary Chertoff and former DNI McConnell seemed to echo some of Phil’s framing of the cyber issue in his last post.

Obviously, these two men fall into Phil’s descriptive pot “Those that may make money on increased attention to cybersecurity are in favor of the current proposal.” In fact, both gentlemen agreed that the current legislation is a start, but that more is required.  To be fair, both also have extensive knowledge of the threats and vulnerabilities involved in the cyber domain.

More interesting, to me at least, was their description of the issue of regulation vs. collaboration, which serves to reinforce Phil’s frame.  To paraphrase Chertoff: “how can you expect a company that is worth $10 million to voluntarily spend $1 million on cyber security, despite the fact that the cascading vulnerabilities could cost the nation $10 billion?” McConnell, meanwhile, discussed the military’s initial aversion to the Goldwater-Nichols reforms, now credited with producing a superior fighting force that collaborates not only because it has to, but because the specific design of the system has made such cooperation something it now wants to accomplish.

Phil characterized it in his last post:

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

If you are interested in cybersecurity, I would highly recommend going back and re-reading Phil’s piece with his intriguing suggestion that cybersecurity lessons can be derived from the model of the Coast Guard: http://www.hlswatch.com/2012/02/24/creating-a-cyber-coast-guard/

Then watch the HSPI event, which may shed some light on the competing legislative priorities and processes that may, hopefully, someday result in a bill: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm

Update:

One new item from today and one a few days old (h/t to Bill Cumming) on the cyber front.

The Washington Post reports on the tussle between the White House and NSA over the divide between network access and monitoring for threats on one side and privacy rights on the other:

The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.

The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.

NSA officials portrayed these measures as unobtrusive ways to protect the nation’s vital infrastructure from what they say are increasingly dire threats of devastating cyberattacks.

But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations; internal documents reviewed by The Washington Post backed these descriptions.

A few days ago, the Government Security News website reported on remarks by former NSA and CIA Director Michael Hayden that covered topics not usually associated with cyber issues: mitigation, response, and recovery:

So, when Hayden says the U.S. may be spending too much time thinking about cyber vulnerabilities and not enough time thinking about the actual consequences of a successful cyber attack, it probably makes sense to pay attention.

“We may be at the point of diminishing returns by trying to buy down vulnerability,” the general observed. Instead, he added, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them.

“I cannot stop them at the perimeter,” Hayden acknowledged, “so, how do I deal with the fact that they are on the inside.”

February 24, 2012

Creating a Cyber Coast Guard

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 24, 2012

It is not yet clear if the Cybersecurity Act of 2012 will be taken up by the whole Senate — as previously announced — or disappear into committee review while under sustained attack by those opposed.

Senator John McCain, one of those opposed, has promised a competing piece of legislation:

The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. Our bill, which will be introduced when we return from the Presidents’ Day recess, will provide a common-sense path forward to improve our nation’s cybersecurity defenses.

Last Friday I outlined the perceived — in my judgment, real — tension between collaboration and compliance that any approach to effective cybersecurity will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.)

Some private sector organizations have welcomed the opportunity to frame-up the process, others are ready to do what they can to stop any movement to regulation. So far the private sector line-up on each side seems mostly to reflect revenue streams. Those that may make money on increased attention to cybersecurity are in favor of the current proposal, those that see cybersecurity mostly as a cost are opposed. (The cost-benefit discussion is, so far, not very sophisticated on either side.)

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

Whichever of the current sides win, execution will be key. The current legislation addresses execution primarily under Title III through a DHS National Center for Cybersecurity and Communications. The new entity would combine several existing offices, and would be directed by a Presidential appointee confirmed by the Senate. Here are the director’s duties enumerated in the current legislation:

(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;

(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;

(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;

(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and

(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.

Title III continues for another 28 pages. Included under Authorities and Responsibilities of the Center, “serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure.”

On page 114 of the proposed legislation a supervisor training program for the Center is set out. The current language suggests Senator Akaka and his staff have persisted in pushing his perennial concerns. It’s all good. It could be better.

The currently proposed training program is mostly internally focused. I suggest language be added to focus on mission achievement. Consider for a moment a supervisor training curriculum focused on just one of the duties listed above, “support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure”:

What is the nature of the private sector?

What are the private sector’s current efforts related to cyberspace?

What does “secure”, “protect”, and “ensure the resiliency” of cyberspace mean?

What is the national information infrastructure?

What does it mean to “support” the private sector? Why this verb rather than another?

That would be an interesting — valuable — curriculum. Develop similar curricula around each of the statutory goals, include private sector participants in the curriculum… and a whole new approach to private-public collaboration might be cultivated.

This curriculum should include a heavy dose of culture, a culture of private-public collaboration. If the Center becomes a cyber-SEC none of us will be any safer. Cybersecurity cannot focus on accountability after-the-fact. The focus must be on cultivating a culture of prevention and resilience, not compliance.

For this purpose, I propose the Akaka Academy for Cybersecurity give close attention to the way the Coast Guard cultivates a collaborative relationship with owners and operators of marine vessels. Just for a taste of what I mean, consider the implications of the following written instruction from a Coast Guard flag officer… and this is not atypical; this approach is entirely consistent with standard Coast Guard practice.

The Coast Guard’s objective is to administer vessel inspection laws and regulations so as to promote safe, well equipped vessels that are suitable for their intended service. It is not the Coast Guard’s intent to place unnecessary economic and operational burdens upon the marine industry. In determining inspection requirements and procedures, inspection personnel must recognize and give due consideration to the following factors:

  • Delays to vessels, which can be costly, need to be balanced against the risks imposed by continued operation of the vessel, with safety of life, property, and the environment always the predominant factor over economics;
  • Certain types of construction, equipment, and/or repairs are more economically advantageous to the vessel operator and can provide the same measure of safety;
  • Some repairs can be safely delayed and can be more economically accomplished at a different place and time;
  • The overall safety of a vessel and its operating conditions, such as route, hours of operations, and type of operation, should be considered in determining inspection requirements;
  • Vessels are sometimes subject to operational requirements of organizations and agencies other than the Coast Guard; and
  • A balance must be maintained between the requirements of safety and practical operation. Arbitrary decisions or actions that contribute little to the vessel’s safety and tend to discourage the construction or operation of vessels must be avoided.

I know of no better example of effective private-public collaboration than that of the U.S. Coast Guard with the industry it helps regulate, serve, and sometimes save. It is a cultural model well-suited to the cyber domain.

February 17, 2012

Cybersecurity Act: Collaboration v. Compliance?

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 17, 2012

On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012. The Committee’s Chairman, Joseph Lieberman (I-CT), and ranking member, Susan Collins (R-ME), are co-sponsors.

The roll-out has been impressive.  Check out the Committee’s website for gobs of additional background.  All-star testimony was taken on Thursday.

My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption.  Rapid approval by the Senate is a big part of the legislative strategy.

Every cyber-specialist I have communicated with, like Jessica, supports the legislation. Those on the Hill who have come out against are – so far – objecting mostly to procedural or cost concerns. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)

Yesterday I used a cross-continent flight to read the 205 pages of statutory prose.  Politico called it a “door-stop of a bill.”

Taken at face-value the language could hardly be more benign.

The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”

To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.

In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.

As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more.  For example, here are three sections of Title VII Information Sharing (page 163):

(d) EXEMPTION FROM PUBLIC DISCLOSURE.—A cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

(e) EXEMPTION FROM EX PARTE LIMITATIONS.— Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Please, please, please let us know when you are in danger, we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.

No one tells me the cyberthreat is overdone.   Most tell me it is already worse than is generally known. Threats, vulnerabilities, and consequences are expected to grow.

Everyone seems ready to agree – at least behind closed-doors – the legislation is well-intended and designed to tee-up a meaningful process of private-public consultations, not pre-ordain the results of that consultation.  If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.

But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.”  According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance.  “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again.  That’s not what we need.  They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance.  Risk management is hard.  Compliance is easy.  In one case you invest in real outcomes, in the other you create a legally defensible illusion.”

When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved.  That’s been a problem.  It’s been easy for government relations people to show up.   We need CIOs, CTOs, CFOs, COOs, and CEOs.  One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured.  No one wants to regulate, but we need to get real about the risk.”

As the Congressional staffer continued he went even further, “You know what?  This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die.  Russian mafia, Iranian Quds, Chinese class project – who knows who?  Then just imagine the rush to regulation.”

Maybe I am overly influenced by two men who were each speaking with evident candor and concern.   But I come away thinking they are probably both right.

The issue is not so much current Congressional intent as longer-term execution.  Whenever legislation is adopted, how can we keep the focus on substantive collaboration?  Next Friday I will offer a suggestion.

January 26, 2012

Global Supply Chain Strategy

Filed under: Catastrophes,Cybersecurity,Port and Maritime Security,Private Sector,Strategy — by Philip J. Palin on January 26, 2012

Yesterday at the World Economic Forum in Davos, Switzerland Secretary Napolitano unveiled the new National Strategy for Global Supply Chain Security (1.5 megabyte PDF).  The President signed-out the document on Monday.

The strategy offers two goals:

Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption. To achieve this goal we will enhance the integrity of goods as they move through the global supply chain. We will also understand and resolve threats early in the process, and strengthen the security of physical infrastructures, conveyances and information assets, while seeking to maximize trade through modernizing supply chain infrastructures and processes.

Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions. To achieve this we will prioritize efforts to mitigate systemic vulnerabilities and refine plans to reconstitute the flow of commerce after disruptions.

In my judgment we are much closer to achieving “efficient and secure movement” than we are to a “resilient supply chain”.  The new strategy could help with each, but the tougher task will be the effort “to mitigate systemic vulnerabilities.”

On January 11 the Wall Street Journal reported,

After a decade of streamlining their supply chains to make them less costly, the natural disasters and political upheavals that marked 2011 showed many multinational companies just how vulnerable those links have become.

A senior supply chain executive recently told me (clearly depending on me to protect his name and the name of his firm), “We have several known choke-points. I’m sure there are many more we don’t know about.  It won’t take a major disaster to disrupt supply, just a couple of unusual, probably simultaneous accidents.  I think — hope — there would be a similar impact on our competitors.  But that doesn’t help our consumers.”

“There are ways to mitigate our risk, but they’re all expensive,” another executive explains. “And for the last decade and the foreseeable future the lower cost of US supply chain management has been our principal economic advantage. We’re much better than the Europeans, tons more efficient than the Chinese. Increase supply chain costs and we lose just about the only advantage the US has left on most commodity trading and even a broad range of high-end specialty goods.”

Again from the Wall Street Journal:

Justifying redundancies is one of the toughest aspects of managing a supply chain, because backstopping doesn’t pay off unless there is a disaster. When CFOs ask about the return on such investments, the answer is, “If we’re lucky, absolutely zero return,” says Sean Cumbie, vice president in charge of global supply-chain management at genetics-testing company Qiagen NV, based in Germany.

The new strategy makes a glancing reference to “appropriate redundancy” which, for most supply chain executives, is like discussing the practical difference between manslaughter and murder.   Whatever you call it, the outcome ain’t pretty.

The senior supply chain guys (and a few gals) are the pioneers of the field.  In the last twenty years they have transformed the known world.  Not just the supply chain world, but the everyday world of billions of consumers.  Today the supply chain is faster, cheaper,  delivers much higher quality with much more assurance and transparency than a quarter century ago.

On most days the supply chain is also stronger, more flexible, and better at handling a range of emergencies and disasters.

But what we saw in Northeast Japan and Thailand has exposed a parallel reality. Like all networked systems, risk tends to pool in unexpected ways and often unexpected places. What if the earthquake-and-tsunami had hit the economic heartland of Tokyo and Osaka, instead of the Tohoku periphery? What would the outcome be if, instead of Thai flooding, it was an earthquake in San Francisco and down the east side of Santa Clara County? What happens if the Port of Long Beach is seriously disrupted for an extended period? What if cyber-vandals — or economic or national or terrorist adversaries — seriously target the digital systems on which the modern supply chain absolutely depends?

In a report — “New Models Addressing Supply Chain and Transport Risk” (7 megabyte PDF) —  released Tuesday, the World Economic Forum found:

Supply chain and transport networks have continuously evolved to deliver capacity, speed, efficiency and customer service through organizational trends such as globalization, specialization, volume consolidation and information availability. The focus on cost optimization has highlighted the tension between cost elimination and network robustness – with the removal of traditional buffers such as safety stock and excess capacity. These developments have shifted risk distributions…(while) their effects have often included sharing risk more broadly around the world, reducing high-frequency risks and focusing risk within sectors, common technologies or nodes. Another common feature has been to disassociate risk from responsibility, misaligning incentives and creating moral hazards – the notion that a party that is insulated from risk will behave differently from how it would behave if it had full exposure to risk.

Most supply chain managers I know tend to discount low frequency, high consequence risks (see related post). They discount this kind of risk because over the last twenty years they have become true masters of risk management. They also discount high impact risks because their CEOs, Boards of Directors, and shareholders reward them for squeezing every possible penny out of supply chain costs. They discount catastrophic risk because their creation — the modern supply chain — has never experienced a fundamental systemic failure.

Yet.

Many supply chain executives have become what economists sometimes call “risk preferers”; they have learned to maximize their return by skating with great style, grace, and confidence along the edge of chaos. Each day they become more adept at mastering the chaos. Is the experienced supply chain executive a sorcerer or a sorcerer’s apprentice?

The new National Strategy is the starting point for a collaborative process of discussion, analysis, and policy development.  It seeks to “develop a culture of mutual interest and shared responsibility” across government and the private sector.  It’s the right goal.  It’s the right way to pursue the goal.

It is a very ambitious goal.

January 5, 2012

Defense strategy and homeland security

Earlier today the President signed out and the Secretary of Defense released new strategic guidance for the Department of Defense. Following are my quick-takes on those aspects of the document  most closely related to homeland security.

Page 1:

The demise of Osama bin Laden and the capturing or killing of many other senior al-Qa’ida leaders have rendered the group far less capable. However, al-Qa’ida and its affiliates remain active in Pakistan, Afghanistan, Yemen, Somalia, and elsewhere. More broadly, violent extremists will continue to threaten U.S. interests, allies, partners, and the homeland. The primary loci of these threats are South Asia and the Middle East. With the diffusion of destructive technology, these extremists have the potential to pose catastrophic threats that could directly affect our security and prosperity. For the foreseeable future, the United States will continue to take an active approach to countering these threats by monitoring the activities of non-state threats worldwide, working with allies and partners to establish control over ungoverned territories, and directly striking the most dangerous groups and individuals when necessary.

Page 2:

In the Middle East, the Arab Awakening presents both strategic opportunities and challenges. Regime changes, as well as tensions within and among states under pressure to reform, introduce uncertainty for the future. But they also may result in governments that, over the long term, are more responsive to the legitimate aspirations of their people, and are more stable and reliable partners of the United States. Our defense efforts in the Middle East will be aimed at countering violent extremists and destabilizing threats, as well as upholding our commitment to allies and partner states.

Page 3:

To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons – those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities.

Page 4:

Acting in concert with other means of national power, U.S. military forces must continue to hold al-Qa’ida and its affiliates and adherents under constant pressure, wherever they may be. Achieving our core goal of disrupting, dismantling, and defeating al-Qa’ida and preventing Afghanistan from ever being a safe haven again will be central to this effort. As U.S. forces draw down in Afghanistan, our global counter terrorism efforts will become more widely distributed and will be characterized by a mix of direct action and security force assistance. Reflecting lessons learned of the past decade, we will continue to build and sustain tailored capabilities appropriate for counter terrorism and irregular warfare. We will also remain vigilant to threats posed by other designated terrorist organizations, such as Hezbollah.

Page 5:

Accordingly, DoD will continue to work with domestic and international allies and partners and invest in advanced capabilities to defend its networks, operational capability, and resiliency in cyberspace and space….

U.S. forces will continue to defend U.S. territory from direct attack by state and non-state actors. We will also come to the assistance of domestic civil authorities in the event such defense fails or in case of natural disasters, potentially in response to a very significant or even catastrophic event. Homeland defense and support to civil authorities require strong, steady-state force readiness, to include a robust missile defense capability. Threats to the homeland may be highest when U.S. forces are engaged in conflict with an adversary abroad.

Page 6:

The nation has frequently called upon its Armed Forces to respond to a range of situations that threaten the safety and well-being of its citizens and those of other countries. U.S. forces possess rapidly deployable capabilities, including airlift and sealift, surveillance, medical evacuation and care, and communications that can be invaluable in supplementing lead relief agencies, by extending aid to victims of natural or man-made disasters, both at home and abroad. DoD will continue to develop joint doctrine and military response options to prevent and, if necessary, respond to mass atrocities. U.S. forces will also remain capable of conducting non-combatant evacuation operations for American citizens overseas on an emergency basis.

You may see more. The document includes considerable attention to WMD and cyber threats not excerpted above.

November 28, 2011

Cyber Monday Deals

Filed under: Cybersecurity — by Arnold Bogis on November 28, 2011

If you arrived at this post looking for shopping deals, you have come to the wrong website.  However, if you are interested in post-Thanksgiving, haze induced, cyber-related leftovers you are definitely in the right place.

The issues surrounding cyber run deep and wide (and sometimes silent). It can be difficult to tease out what is, is not, might be, or is not even related to homeland security.

  • Professor Bellavita recently covered the technical aspects of a suspected cyber attack on critical infrastructure…that turned out not to be a cyber attack on critical infrastructure. This particular case brings up the issues of communication (who told whom what, when, and why), risk/vulnerability (what can be attacked, what is being attacked, what are the real–as opposed to imagined–consequences of such an attack), and attribution (“the butler in the library with the candlestick” issue).
  • Taking a step back to consider some of these issues at the crossroads of the technological and strategic are the people involved with the “Explorations in Cyber International Relations.”  A joint project between MIT and Harvard’s Kennedy School of Government, it aims to be “a collaborative and interdisciplinary research program that seeks to create a field of international cyber relations for the 21st century.  It is designed as a theoretically rich, and technically informed initiative anchored in diverse tools and methods to identify, measure, model, interpret, and analyze emergent issues, challenges, and responses. The ECIR research plan integrates social sciences, legal studies, computer science, and policy analysis.”
  • Three individuals involved with the project have written interesting cyber pieces informed by their professional backgrounds.  Joseph Nye, esteemed professor of international relations and originator of the term “soft power,” considers the strategic implications for world politics of increasing reliance and power of cyberspace.  Melissa Hathaway, former White House cyber adviser, tackles the issue of cybercrime.  Jack Goldsmith, legal scholar and former high-ranking Justice Department official, examines the difficulties arising from the overlap between private and public networks and the security related issues.
  • The Department of Defense foreshadowed some of the institutional thinking about cyber issues in a Foreign Affairs article from last fall by Deputy Secretary of Defense William Lynn III (he considered progress a year later here). The Department followed up with a “Strategy for Operating in Cyberspace” this past summer.  However, the Homeland Security Policy Institute’s Frank Cilluffo and Sharon Cardash were not too impressed.
  • Coming down from such lofty strategic heights to daily operational issues, organizations at all levels of government as well as those in the private sector are increasingly grappling with the difficulties involved in developing and implementing communication strategies and guidelines in the age of ever increasing social media usage. Emergency Management Magazine hosts a blog dedicated to “crisis and emergency communication strategies” authored by Gerald Baron.  In a recent post, he examines the question “Is Social Media more problem than solution in emergencies?” (HLSWatch’s Mark Chubb recently considered a similar question, and Jim Garrow covers a range of related topics on his blog). What does that particular question and Thanksgiving have in common?  The Dallas Cowboys. Long story short: sometimes it is better to trust the good judgement of your employees and the positive influence of cyberspace than attempt to control the flow of information.  Just as good of a lesson for “America’s Team” as it is for America’s federal, state, and local governmental institutions.

November 25, 2011

Never mind about that cyber attack….

Filed under: Cybersecurity,Intelligence and Info-Sharing — by Christopher Bellavita on November 25, 2011

Last Tuesday, Nick Catrantzos suggested here that reports of the Springfield, Illinois “cyberattack” might have more to do with “Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates,” than with an attack by foreigners.

He’s right, according to Friday’s Washington Post story by Ellen Nakashima:

A water-pump failure in Illinois that appeared to be the first foreign cyberattack on a public utility in the United States was in fact caused by a plant contractor traveling in Russia, according to a source familiar with a federal investigation of the incident….  The contractor, who had remote access to the computer system, was in Russia on personal business, the source added.

Score one point also for DHS officials who insisted on getting the facts correct before someone lobbies Congress for a 350 trillion dollar Water Attack Security Target Enforcement program:

… officials at the Department of Homeland Security, which oversees industrial control system cybersecurity, cautioned from the outset that the report contained “no credible, corroborated data.”

The water pump in question had been experiencing problems, turning on and off and eventually failing, water district board members said. The pump has malfunctioned several times in recent years, a DHS official said.

The “international authority on cybersecurity” who (apparently) first made public the information in the Illinois State Terrorism and Intelligence Center (STIC) report responded to the new details about the attack by attacking:

This [the conflict between the STIC and DHS reports] begs the question why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility….

There are numerous critical infrastructure table-top exercises that assume that notifications such as the STIC report are sufficient to initiate the cyber attack response process. If DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist. At issue is that we need to be quickly informed if an event has occurred so that others who have similar equipment or architectures can take steps to protect themselves in case the event spreads. However, this requires both timely notification and correct information. Right now, it seems that neither of these two conditions may exist in this case.

We now have to wait for DHS and the other government agencies to come to agreement and let us know what has happened. If the STIC report is correct, then we have wasted precious time and allowed many others in the infrastructure to remain potentially vulnerable while we wait to find out if we should do anything.

Perhaps that’s a restatement of the classic expectation of intelligence: “give us accurate, timely, and actionable information.”

Welcome to another dimension of the big data problem.

Or, as our buddy pr0f might say, “Take the f*%#!&g SCADA off the internet.”


November 22, 2011

Vandalism is stupid and silly, like “connecting interfaces to your SCADA machinery to the Internet.”

Filed under: Cybersecurity,Infrastructure Protection — by Christopher Bellavita on November 22, 2011

Water System Hack – The System Is Broken

Hackers ‘hit’ US water treatment systems

Homeland Security investigates possible terrorism in Springfield

Water system may be cyber attack victim

Has Stuxnet come to our critical infrastructure shores?  Is it Duqu?  Could it be something even worse?

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois.  At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” DHS spokesman Peter Boogaard explains.

“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is” responds someone named “pr0f” in a pastebin post that includes, according to pr0f, images of another water system that was hacked.

“I’m not going to expose the details of the box,” pr0f promises. “No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”

————————–

Nick Catrantzos, who has written for Homeland Security Watch in the past, is an adjunct professor of Homeland Security and Emergency Management.  More relevant to today’s post, Nick is the former security director for a regional water utility.  Here are his thoughts on the most recent cyber event.

Spotting the Incidental Cyber Saboteur

You need not be evil to be wrong, and the true Achilles’ Heel of recent news about cyber attacks to water infrastructure in the Chicago area (details at http://www.cnn.com/2011/11/18/us/cyber-attack-investigation/index.html?iref=allsearch) is not foreign hackers of SCADA, the supervisory control and data acquisition system that makes it possible to turn a valve by remote control. Hackers have been a known external threat since the personal computer became widespread. Thus, makers of computer- and network-dependent tools like SCADA systems have to offer some protections against hackers just to make their systems marketable.

Why is no one therefore consulting other than self-avowed cyber security experts who are now issuing dire warnings about offshore SCADA hackers who may or may not be Russians? (The may-not possibility arises when these experts point out that clever hackers have the ability to misrepresent the origin of their attacks.) The same hand-wringing experts – or their fellow travelers – belong to the camp that opens the door to this vulnerability in the first place. They are not evil, just wrong.

Remote Access as Double-Edged Sword

Consider: Even the technologically challenged security professional sees the vulnerability to enabling remote access to critical systems, like water infrastructure. How do purveyors of such systems see remote access when marketing to fellow cyber aficionados? It is a selling feature, of course. Why, with remote access, the technician fielding a panic troubleshooting call at midnight can diagnose and solve the problem in pajamas instead of in the field. And the field, when it comes to water infrastructure, often turns out to be at distant sites over bad roads, poor lighting, and unattractive traveling conditions. Solving the problem from home is a win-win for all concerned, since it saves downtime, isn’t it? Not if this debate includes security professionals charged with looking at the bigger picture of enterprise-wide vulnerabilities.

What makes it possible for these infrastructure attacks to abuse SCADA? Remote web access adopted in the name of expediency. What is the Achilles’ Heel? Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates.

Discovering What Some Won’t Admit

How to zero in on the problem? The way not to do it is to rely exclusively on pronouncements of SCADA vendors and their like-minded counterparts in the organization who bought into web-based remote access in the first place. There is a good chance at least some of these people overlooked sharing details of remote access vulnerabilities in discussing the system before upper management and traditional security practitioners.

No, the short path to excellence in uncovering self-introduced remote access exposures is to check logs of trouble calls against field records of physical access to work sites. The more serious cyber professionals know to avoid web-based SCADA access from any home and, instead, limit access to SCADA terminals that reside behind the secured perimeter of the institution’s work facilities. Maybe a SCADA technician fielding a trouble call won’t have to drive three hours to diagnose the problem at a remote field site, but he may still have to drive 20 minutes to get to a locked and alarmed office that houses a protected SCADA terminal. At least this is the ideal and advertised state of affairs. But even 20 minutes may, in time, seem too much of an imposition, so the SCADA tech quietly arranges to beta test remote access from — you guessed it — the convenience of his or her own residence. Unofficially, without a lot of fanfare. So much so, that even the boss may not realize this is happening, hence the futility of relying on the cyber function to verify its own status regarding this vulnerability. There is another way to check.

Uncovering the Rest of the Story

If expediency has come to trump security, an examination of audit trails will soon show that technician troubleshooting calls at midnight aren’t matching up to midnight access to facilities housing SCADA terminals. Maybe operators in the field are too immersed in the problem to ask or even care how a SCADA tech is responding to a trouble call. They just want help. Maybe the tech is shrewd enough to avoid volunteering details, reasoning that speed of problem resolution is more important than revealing that this is being done from home via means subject to compromise and exposure to hackers.

However, audit trails won’t lie. Whether it is via manual logs, automated access records, video surveillance archives, or a guard’s register used for having all employees sign in after normal business hours, the discrepancy will surface under scrutiny. The on-call tech who was supposed to go to an employer site to troubleshoot the problem on a protected SCADA terminal will have shown no record of having entered any employer business site at midnight. So how did he or she handle the problem? Remotely. From home. In pajamas. Expediently. And, in the process, exposing the system to exploitable vulnerability.

Caution on Experts Offering Homilies about Cyber Attack

The so-called expert who was quick to criticize government officials on this latest cyber attack claimed he was doing so out of concern that the Department of Homeland Security was deficient in sharing information with other water agencies that could be targeted. If he were truly as conversant with water security as he claimed, he would know that it is not DHS but EPA that exercises the role of lead federal agency for protection of the water infrastructure. He would also know that EPA supports Water ISAC, the Information Sharing and Analysis Center for the water sector, and that the Association of Metropolitan Water Agencies manages that function, which takes the lead in sharing this kind of threat information within the water community, while DHS and local fusion centers do their share of distributing such information as well.

Showing no sign of recognizing these particulars, how could this self-styled expert really know what information on this SCADA threat is or is not circulating within the affected community of interest? A skeptic might conclude that such considerations take a back seat, however, when dire warnings can generate free publicity.

IT vs. Ops

Some overzealous IT departments in utilities that use SCADA see SCADA as a means of supplying bandwidth on which to commingle business applications as well, thereby increasing likely needs for remote access by more employees and raising susceptibility to compromise at the same time.

If employees in Operations at water utilities don’t overly concern themselves with security deficiencies in SCADA, it tends to be because they have their hands full avoiding one or two catastrophes a year when SCADA techs unthinkingly shut down the system for maintenance or cause some other disruption without telling Ops in advance. The techs forget that flow changes can result in catastrophic treatment or distribution problems that affect water quality. This often occurs after business hours or on weekends, when the techs operate on the assumption that it is the best time to tinker without users noticing or balking — true enough for the average business network, but not for 24/7 attention to water treatment and distribution.

One sign that too many debacles have been surfacing serially is when Ops wrests the SCADA function away from IT. This does wonders for reducing those kinds of snafu.
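The audit-trail cross-check Catrantzos describes (a midnight trouble call closed by a technician who never appears in the records of anyone entering the facility that houses the protected SCADA terminal) is simple to automate once the trouble-ticket log and the physical access records can be read side by side. The script below is an added example, not code from Homeland Security Watch or from Catrantzos; the CSV layouts, the technician and site names, the sample records, the 07:00 to 18:00 business day and the 30-minute matching window are all constructed assumptions for the illustration.

```python
"""Cross-check SCADA trouble calls against physical access records.

Added example, not code from the page or from Nick Catrantzos. It implements
the check the essay describes: a technician who closed a trouble call on a
protected in-facility SCADA terminal should appear in that facility's access
records around the same time. A closed call with no such record is a lead
that the fix was done remotely through an unofficial path.

Log formats, names, sites and the matching window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed trouble-call log (CSV):
# ticket, opened, closed, on-call technician, site whose SCADA terminal applies
TROUBLE_CALLS = """\
TC-1041,2011-11-08T23:52,2011-11-09T00:31,jdoe,PLANT-A
TC-1042,2011-11-10T02:15,2011-11-10T03:05,msmith,PLANT-A
TC-1043,2011-11-12T14:10,2011-11-12T14:40,jdoe,PLANT-B
TC-1044,2011-11-14T00:05,2011-11-14T00:20,jdoe,PLANT-A
"""

# Constructed physical access records (CSV), merged from badge readers and
# the guard's after-hours register: when, who, site, source
ACCESS_RECORDS = """\
2011-11-09T00:12,jdoe,PLANT-A,badge-in
2011-11-09T00:45,jdoe,PLANT-A,badge-out
2011-11-12T13:58,jdoe,PLANT-B,guard-register
2011-11-14T09:01,jdoe,PLANT-A,badge-in
"""


def parse_calls(text):
    """Parse trouble-call CSV lines into dicts with datetime fields."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ticket, opened, closed, tech, site = line.split(",")
        calls.append({
            "id": ticket,
            "opened": datetime.fromisoformat(opened),
            "closed": datetime.fromisoformat(closed),
            "tech": tech,
            "site": site,
        })
    return calls


def parse_access(text):
    """Parse physical access CSV lines into dicts with datetime fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, who, site, source = line.split(",")
        records.append({"when": datetime.fromisoformat(when), "who": who,
                        "site": site, "source": source})
    return records


def is_after_hours(ts, open_hour=7, close_hour=18):
    """Weekend, or outside the assumed 07:00-18:00 business day."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def find_unwitnessed_resolutions(calls, access,
                                 lead=timedelta(minutes=30),
                                 lag=timedelta(minutes=30)):
    """Return the calls whose technician has no physical access record at the
    call's site between (opened - lead) and (closed + lag).

    Those calls were resolved without anyone entering the building that houses
    the protected terminal, which points to remote access.
    """
    flagged = []
    for call in calls:
        start, end = call["opened"] - lead, call["closed"] + lag
        witnessed = any(
            rec["who"] == call["tech"]
            and rec["site"] == call["site"]
            and start <= rec["when"] <= end
            for rec in access
        )
        if not witnessed:
            flagged.append({
                "id": call["id"],
                "tech": call["tech"],
                "site": call["site"],
                "closed": call["closed"],
                "after_hours": is_after_hours(call["opened"]),
            })
    return flagged


def report():
    """Run the cross-check over the constructed sample data."""
    return find_unwitnessed_resolutions(parse_calls(TROUBLE_CALLS),
                                        parse_access(ACCESS_RECORDS))


if __name__ == "__main__":
    for hit in report():
        when = "after hours" if hit["after_hours"] else "business hours"
        print(f"{hit['id']}: closed by {hit['tech']} for {hit['site']} "
              f"({when}) with no matching access record")
```

Run directly, the script flags two of the four constructed tickets: one closed at 03:05 by a technician with no access record at all, and one closed just after midnight whose only badge entry came nine hours later. Treat a hit as a lead for a conversation with the technician rather than proof, since a skipped sign-in produces the same discrepancy; that is why the essay lists several independent record sources (manual logs, badge records, video, the guard's register) to compare.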


August 19, 2011

Urbanization and professionalization suppress resilience (!?)

A firefighter, a cop, and an emergency manager walk into a bar.  This is not a joke.  I was with the three of them.

One had red wine, another had a beer, the third ordered scotch.  I was drinking Dry Sack on the rocks with a twist.

Can you guess which one had which drink?  Can you guess which offered what to the conversation:

“The problem is everyone is in denial about the worst risks.”

“New Orleans after Katrina was simple compared to Sendai after the tsunami.  How about Memphis after New Madrid or LA after the big one?” You can know the real pros by whether or not they pronounce it Maaadrid, as in really crazy.

“How about DC, Pittsburgh, and Birmingham after New Madrid?  How about pipelines, rail bridges, interstates, and the Eastern Interconnect after New Madrid?”  Hows about every little town downstream from a dam?

“How about the whole economy for the next ten years after Long Beach is taken out? I don’t care if it’s tsunami, pandemic, or an IND.”

“How about the whole economy if some cyber-anarchists decide to really screw with credit cards and ATMs?”

“As long as they vaporize my mortgage too.”

The bar talk was not as grim as this suggests.  Extended conversations with this crew are like a public reading of Dante’s Inferno (no Paradiso) with a running commentary by the comedian Lewis Black.  You roar with laughter over a comment that ought not be documented here.   A slightly sick sense of humor is essential to survival in these professions.

“We’re the real problem,” one guy said wrapping his arms around the shoulders of those on either side.  “We’re too good.  Why worry when the A team’s got your back?”

“Just call 911 and the cavalry always comes.”

“Even under fire… hell, with radioactive brimstone falling from the sky.”

“Thing is, we’re really good at the everyday stuff and lots of the tough stuff.”

“Did you hear about the 911 call because the citizen thought her remote had been stolen.  Cops found it in a drawer.  They responded!”

“That’s the problem, we are so #$!@ responsive we’ve trained the citizens to depend on us.  When the big #$!@ happens they just wait around.”

“Not everyone.”

“Practically EVERYONE!”

“There’s two big pile-ups:  real increasing dependence. Who grows their own food anymore?  Who even eats at home? And where does our food come from? Not anywhere close.  Second pile-up: The #$!@ complicated system works really, really well until it doesn’t work at all.  So there’s no obvious reason to pay much attention, until it’s too late.”

“So… what we’re really good at is hiding the problems?”

“Sure.  There’s a fire.  You put it out.  You get ‘em temporary housing or they go to the in-laws.  I keep gawkers away.  Everything’s fine. No worries. But in Joplin or Tuscaloosa? Even those huge twisters were tiny compared to what we’ll get when the wrong fault shifts under 5 million or a wildfire overwhelms San Diego.  Hows about a CAT 5 and flood surge pounding Miami-Dade?”

“When they call 911 no one will answer, they won’t even get a #$!@ dial-tone!”

“It doesn’t take such a big hit.  Maybe catastrophe comes on little cat feet?  You read Ted Lewis’ new book?  The complex systems we depend on are so intricate  just one little complication and the consequences cascade.”

“Sort of like the 2003 blackout caused by tree branches in Ohio?”

“But the cause wasn’t tree branches, it’s the way WE build and manage systems. Tree branches are a preexisting condition.  Our choices create the vulnerabilities.”

“You know when I was a little kid,” (the guy to his right mimicked the Staten Island accent) “we had a farm right down the road.  It’s a landfill now.  The big farms in Jersey, they’re all McMansions.  Mom and pop get their broccoli and peas from California just like all of us.”

“You know what though? The beer’s a lot better than back then.  Hey waitress, another round here.”

June 24, 2011

Three arrests and shadows of myself, et tu?

Filed under: Cybersecurity,Radicalization,Terrorist Threats & Attacks — by Philip J. Palin on June 24, 2011

SUNDAY UPDATE: According to the BBC – and to the group’s Twitter feed — LulzSec has disbanded.  The BBC indicates no reason for disbanding has been offered.  To the contrary, I found the LulzSec explanation reasonably clear… and not inconsistent with considerations set out below.

Original post from early Friday morning:

This week three very different men were arrested in three very different places suspected of three very different crimes.

Is it just me or do the three share something important?

Tuesday the Pakistani military confirmed the detention of Brigadier Ali Khan (top left).  The soon-to-retire head of regulations at Army General Headquarters is suspected of using his military connections to support Hizb ut-Tahrir, a pan-Islamist political and religious movement.

Also on Tuesday — half a world away — the head of La Familia cartel was captured.  According to Excelsior, Jose de Jesus Mendez Vargas (middle), age 37, “was arrested in Aguascalientes by elements of the Federal Police, without fighting or deaths reported from the action and was later transferred to the facilities of the SIEDO in Mexico City.” (SIEDO or Subprocuraduría de Investigación Especializada en Delincuencia Organizada or Assistant Attorney General’s Office for Special Investigations.)  Additional coverage is available in English from the Houston Chronicle.

According to The Guardian, “A British teenager has been charged with five offences of computer hacking. Ryan Cleary, 19 (right at age 13), was charged with offences, including a cyber attack on Monday on Britain’s Serious Organised Crime Agency (Soca). Cleary was arrested on Monday evening at his family’s home in Wickford, Essex. His arrest was linked to a series of cyber attacks by a group called LulzSec, which investigators believe had targeted websites including ones belonging to the US government and the electronics giant Sony.”

–+–

We can be more confident of the criminal complicity of Jose de Jesus Mendez Vargas, aka El Chango or The Monkey, than of the other two. La Familia has been one of the principal Mexican drug cartels since at least 2006.  But it was founded in the 1980s as a quasi-religious organization seeking to protect and purify Michoacán, an impoverished region — and Mexican state — west of Mexico City.  El Chango was one of a handful of founders.  In the broadest terms the La Familia narrative has a striking resemblance to the origins of the Afghan Taliban: religiously inspired reform resulted in power and was followed by the abuse of power. By the 1990s the group was allied with the Gulf Cartel; in recent years it has established an independent power base.  Even in the murderous context of the Mexican cartels La Familia is known as especially violent.  Jesus Mendez Vargas has defended the use of violence as a form of “divine justice.”

Brigadier Khan has not yet been charged, much less convicted.  According to the Daily Times (Pakistan), “There are contradictory reports that the detained brigadier had been targeted due to his concerted campaign to promote self-reliance and do away with the need for US assistance. The last straw is said to be his outspoken criticism of the US raid in Abbottabad after which he was arrested.”

There is plenty of smoke suggesting burning embers of religious radicalism in the Pakistani military. The group Brigadier Khan is accused of assisting is banned in Pakistan and other majority Muslim nations, but is not on the US State Department’s list of terrorist organizations.  According to the group’s English language website, “Hizb ut-Tahrir is a political party whose ideology is Islam. Its objective is to resume the Islamic way of life by establishing an Islamic State that executes the systems of Islam and carries its call to the world.”

Hizb ut-Tahrir opposes US-Pakistan cooperation. While the Brigadier’s attitudes and actions are currently beyond knowing, the leadership of Hizb ut-Tahrir is clear in its criticism of the United States and the current Pakistani political and military elite:

Even though Pakistan is a strong Muslim country, with an army bigger than America’s, and braver due to the Muslims’ love of Shahadah, you have cheated the people of their right to security by siding with the enemy. Due to your alliance with the open enemies of the Muslims, America’s presence in the region has led to unprecedented insecurity, with America’s private military organizations and intelligence orchestrating a campaign of assassinations and bombings, as they did in Iraq. You added to the harm upon the Muslims, by sending the Muslim soldiers to the tribal areas to fight on behalf of America, just like Musharraf before you. Until now 30,452 people have been killed and injured since 9/11 in America’s war of fitna. Some 2,273 Pakistani soldiers including 78 officers, two Major Generals and five brigadiers besides others, have lost their lives while 6,512 sustained injuries, even though the Western crusaders have only sacrificed 1,582 of their own troops! You are cheating the Muslims of their strength when America is at its weakest, with its allies abandoning it and its economy crippled and collapsing, when there is ample opportunity to allow America’s crusade to collapse rather than supporting it with the blood of Muslims.

To in any way compare LulzSec to La Familia and Hizb ut-Tahrir is, perhaps, to invite an apocalyptic hacker attack on HLSWatch. So… if we disappear, thanks for the memories.

The teenager arrested on Tuesday has been charged on five counts, mostly involving denial-of-service attacks.  His involvement with the LulzSec collaborative of hackers has not been specified.  But some link was confirmed by LulzSec via its Twitter feed, “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us.”

LulzSec has claimed responsibility for a series of successful attacks on the CIA, Sony, PBS, and others around the world. Wednesday they brought down the President of Brazil’s website. Earlier today LulzSec hacked the Arizona Department of Public Safety data repository and released a broad array of information. They describe themselves as, “a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials.”  The attack on Sony’s PlayStation network left that system offline for a month.  Not much laughing by the company or its roughly 77 million customers or its depressed shareholders.

The Arizona attack has been explained as a protest against state laws perceived as unjust toward immigrants. The hackers’ motivations are not always clear. On June 17 LulzSec outlined its purposes in a post at Pastebin.  Self-entertainment is big; so is exposing the vulnerability we all share online.  They want to protect us… and “spread fun, fun, fun.”

–+–

I want to be a hero. I want to protect the vulnerable and punish the unjust.

Is this what motivated Ali Khan to follow his father into the military? The Non-Com’s son committed his life to the Army and advanced to brigadier.  Ali’s wife, Anjum, claims, “He loves the Pakistani army more than his life, and he can’t even think of betraying the institution.” His sons are junior officers, proud parts of — until recently? — the only reasonably functioning element of Pakistani society. Who is to blame for the dysfunction of Pakistan, including attacks on the military itself? What and who is the source of this shame? What enemy can the brave Brigadier bring to justice?

Jose de Jesus Mendez Vargas, seeing family and friends disappear into the prison of poverty and madness of drug addiction, was motivated by love of neighbor. According to a Drug Enforcement Administration backgrounder La Familia, “has a strong religious background. It purportedly originated to protect locals from the violence of drug cartels. Now, La Familia Michoacana uses drug proceeds to fuel their agenda that encompasses a Robin Hood-type mentality – steal from the rich and give to the poor. They believe they are doing God’s work, and pass out bibles and money to the poor. La Familia Michoacana also gives money to schools and local officials.” He only decapitated predators (and threw their heads onto dance floors).

According to the Daily Mail the young Mr. Cleary is a deeply troubled man seldom leaving his bedroom, fearful, and suicidal. Yet when asked what he did all day online, he reportedly replied, “God’s work.”

In November 2009 the Times of London published an in-depth profile of Goldman Sachs. It included an interview with the unlikely-to-be-arrested CEO of the firm, Lloyd Blankfein. Even while skid-marks from the crash of capitalism were still smoking, Mr. Blankfein was confident of his purpose.

Is it possible to make too much money? “Is it possible to have too much ambition? Is it possible to be too successful?” Blankfein shoots back. “I don’t want people in this firm to think that they have accomplished as much for themselves as they can and go on vacation. As the guardian of the interests of the shareholders and, by the way, for the purposes of society, I’d like them to continue to do what they are doing. I don’t want to put a cap on their ambition. It’s hard for me to argue for a cap on their compensation.” So, it’s business as usual, then, regardless of whether it makes most people howl at the moon with rage? Goldman Sachs, this pillar of the free market, breeder of super-citizens, object of envy and awe will go on raking it in, getting richer than God? An impish grin spreads across Blankfein’s face. Call him a fat cat who mocks the public. Call him wicked. Call him what you will. He is, he says, just a banker “doing God’s work.”

–+–

I should probably leave it there. The case is sufficiently made for anyone who has read this far and cares to consider the case.  But I will be tediously explicit: My ability to mistake my own desires as God’s intention is significant.  I am not alone.

So, some will say, we have further proof for the dangers of divine delusion.  Especially as a believer I agree that danger and delusion are involved.

The issue is how to engage the threat.  I don’t perceive secular empiricism as a promising near-term therapeutic regime. Too many of those most in need of the therapy are evidently immune to its ministrations.  Might we extract a vaccine from the virus itself?

In his 1927 book, “Does Civilization Need Religion”, Reinhold Niebuhr wrote:

Religion intensifies selfishness when it adds sanctity to a respectable selfish life and creates a self-respect which is impervious to emotions of contrition. If the religious ideal is to gain any potency in modern life it must be able to convict men of sin and inspire them to a conversion. But the sins of which they need most to be convicted are those which are covert in the social and economic relations which custom has hallowed; and the conversion of life which is most needed is that which will express itself in terms of the economic and political relationships in which men live…

Religion is therefore under the necessity of developing the critical faculty even while it maintains its naivete and reverence. The necessity of cooperation between the naturally incompatible factors of reason and imagination, of intelligence and moral dynamic, is really the crux of the religious and moral problem in modern civilization. The complexity of modern life demands that moral purpose be astutely guided; but moral purpose itself is rooted in ultra-rational sanctions and may be destroyed by the same intelligence which is needed to direct it. Both humility and love, the highest religious virtues, are ultra-rational; yet they cannot be achieved in an intricate social life without a discriminating intelligence which knows how to uncover covert sins and to discover potential virtues. The incidental limitations which every historic type of religion reveals can be dealt with only if the religious devotee can be persuaded to regard the values of his religion critically…”

Religiously-inspired terrorism — or mayhem or pride — is usually the signal of an immature and ill-considered religiosity.  The most effective solution may be in cultivating a more discriminating and self-critical engagement with the religious domain.

In other words, love others and approach God with deep humility.

June 7, 2011

“America’s Cyber Future: Security And Prosperity In The Information Age”

Filed under: Cybersecurity — by Christopher Bellavita on June 7, 2011

A colleague told me about a May 31, 2011 two volume policy report from the Center for a New American Security called “America’s Cyber Future: Security And Prosperity In The Information Age.”  The report is available at this link.

From the web page:

America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.

Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Here is the table of contents:

Volume I

America’s Cyber Future: Security and Prosperity in the Information Age

By Kristin Lord and Travis Sharp

Volume II


  • Chapter I: Power and National Security in Cyberspace
    By Joseph S. Nye, Jr.
  • Chapter II: Cyber Insecurities: The 21st Century Threatscape
    By Mike McConnell
  • Chapter III: Separating Threat from the Hype: What Washington Needs to Know about Cyber Security
    By Gary McGraw and Nathaniel Fick
  • Chapter IV: Cyberwar and Cyber Warfare
    By Thomas G. Mahnken
  • Chapter V: Non-State Actors and Cyber Conflict
    By Gregory J. Rattray and Jason Healey
  • Chapter VI: Cultivating International Cyber Norms
    By Martha Finnemore
  • Chapter VII: Cyber Security Governance: Existing Structures, International Approaches and the Private Sector
    By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad
  • Chapter VIII: Why Privacy and Cyber Security Clash
    By James A. Lewis
  • Chapter IX: Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security
    By Richard Fontaine and Will Rogers
  • Chapter X: The Unprecedented Economic Risks of Network Insecurity
    By Christopher M. Schroeder
  • Chapter XI: How Government Can Access Innovative Technology
    By Daniel E. Geer, Jr.
  • Chapter XII: The Role of Architecture in Internet Defense
    By Robert E. Kahn
  • Chapter XIII: Scenarios for the Future of Cyber Security
    By Peter Schwartz


April 5, 2011

Is there such a thing as cyber terrorism?

Filed under: Cybersecurity — by Christopher Bellavita on April 5, 2011

This post will end with a ten minute and forty second video that is both the best detective story and the scariest homeland security movie I have seen in years.

But first, the set up….

———————————————–

Is there such a thing as cyber terrorism?

I understand there’s something called cyber warfare. And cyber crime. And cyber security. But what about cyber terrorism?

And if there is something called cyber terrorism, has the US been attacked by cyber terrorists? Or maybe that question should be have terrorists attacked the US with cyber weapons? And if not, could they? Will they?

Experts cannot agree whether cyber terrorism is real or even if it is a useful concept.

I have one colleague who claims that no one in the United States has been killed by cyber terrorism. He says maybe it’s not a valid homeland security threat.

I have another friend who teaches a course on homeland security threats. He says nations attack nations with cyber weapons. Non-state actors don’t use cyber weapons. So in the homeland security threat spectrum, he says, cyber is more about sound than significance.

———————————————–

Former DHS Secretary Chertoff sort of disagrees.

He devotes Chapter 8 to cybersecurity in his book “Homeland Security: Assessing the First Five Years.” He underscored that concern in his March 2 appearance with the other two DHS secretaries:

“We’ve seen some very dramatic, publicized attacks, not terrorism so much as espionage and things of that sort. But that is going to become an increasing area of concern for the Department.”

Secretary Napolitano agreed with Chertoff:

… I think cyber will be an ever-evolving area. And the problem with cyber is, almost by the time you’re talking about something, they’re onto the next thing. I mean, it is really a fast-moving field. And, quite frankly, probably none of us on this stage are as good at understanding it as somebody who’s 20 years old and who’s grown up with the computer just as part of life.

———————————————–

The US has a cyber incident annex to the National Response Plan. I think that was updated in September of 2010 with an Interim Version of the National Cyber Incident Response Plan.  I believe that is meant to serve as part of the National Response Framework. But I’m not sure. Cyber security (i.e., cyber crime, cyber warfare, cyber terrorism) is yet another homeland security issue area I know very little about.

———————————————–

The gap in my knowledge was brought to my attention again this weekend when I saw news stories about something called “LizaMoon.” [see here or here for probably more than you want to know about LizaMoon].

As I understand it, LizaMoon is a small piece of computer code that places itself into certain websites; when someone goes to that website, they see a message (and the resulting screen drama) that tries to convince the user the computer they are using is infected. Liza then offers to clean the computer and the trouble expands.

I don’t know if this is a big deal or not. Some reports say over a million websites were infected. Is that a lot? Other reports (like this one) say it’s not that big of a deal.

———————————————–

Also this weekend, I learned that a firm called Epsilon had (according to its press release):

“…an incident … where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.”

Translated into numbers, “a subset of Epsilon clients” could be several million people.

Perhaps you got an email message today from Hilton, or Target, or Best Buy, or Capital One, or LL Bean, or Walgreens or another Epsilon client that basically said, “Don’t worry; nothing bad happened.”

———————————————–

These were two fairly well publicized cyber incidents over a weekend that included at least the cusp of April Fool’s day. Maybe I’m overly sensitive to these kinds of incidents since some of my web presence was hacked in December. It wasn’t terrorism. But it was disturbing.

Are cyber “attacks” something an inquiring homeland security mind should be concerned about?  I use that word in quotes because I know there are thousands of cyber incursions every day.  How should one even start to think about this cyber stuff?

———————————————–

I went to three government sites that, I thought, would help me frame and understand these incidents: IT-ISAC: The Information Technology Information Sharing and Analysis Center, MS-ISAC: The Multi-State Sharing and Analysis Center, and US-CERT: the United States Computer Emergency Readiness Team.

I thought they might have some information about what I figured might be fairly significant incidents. But if they did, I missed it.

I went back to the sites several times over the weekend, and saw no information about LizaMoon or Epsilon.

But I do have to say the MS-ISAC has a really impressive looking Cyber Operations Center Dashboard.  Looking at it made me feel like Mr. Jones in Bob Dylan’s “Ballad of a Thin Man”:

… something is happening here

But you don’t know what it is

Do you, Mister Jones?

———————————————–

Maybe providing situational awareness for the public is not part of the IT-ISAC, MS-ISAC or US-CERT missions.

The IT-ISAC says:

the mission of the IT-ISAC is to:

• Report, exchange, collect, and analyze across the IT Sector information concerning security incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures,

• Establish a mechanism for systematic and protected exchange and coordination of such information [my emphasis] and trusted collaboration; and

• Provide technical thought leadership to U.S. and International policymakers on cyber security and information sharing issues.

The MS-ISAC says:

The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments. Collaboration and information sharing among members, private sector partners and the DHS are the keys to success.

Major Objectives of the MS-ISAC

• provide two-way sharing of information and early warnings on cyber security threats

• provide a process for gathering and disseminating information on cyber security incidents [my emphasis]

• promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors

• coordinate training and awareness

• ensure that all necessary parties are vested partners in this effort

The US-CERT says:

US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.

US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. [my emphasis]

———————————————–

If it isn’t at least part of their job to provide situational awareness to the public about cyber security matters (i.e., cyber war, cyber crime, cyber terrorism), whose job is it? Have we essentially privatized situational awareness? I learned more about both attacks this weekend by monitoring Twitter.

I guess I’m ok with that as an interim fix.

But is that the plan?

———————————————–

Ok, that’s the set up. Now the movie.

Perhaps you’ve heard of Stuxnet. If not, you can read about it here. The New York Times claims it may be “the most sophisticated cyberweapon ever deployed.”

So, to answer the question I posed at the start of this post, maybe currently there isn’t such a thing as cyber terrorism.

However, after watching this video (also available here) — particularly at the 8:45 mark, when the speaker talks about the possibility of a cyber weapon of mass destruction — I think the homeland security enterprise would be foolish to discount the use of cyber weapons by terrorists.


January 27, 2011

Cyber Musings from an Author and a Wonk

Filed under: Cybersecurity — by Arnold Bogis on January 27, 2011

The New York Times had a cyber two-fer on their op-ed page today.

First up is celebrated cyberpunk author William Gibson (credited with coining the phrase “cyberspace” in the early 1980s), who provides historical context for the Stuxnet virus:

In January 1986, Basit and Amjad Alvi, sibling programmers living near the main train station in Lahore, Pakistan, wrote a piece of code to safeguard the latest version of their heart-monitoring software from piracy. They called it Brain, and it was basically a wheel-clamp for PCs. Computers that ran their program, plus this new bit of code, would stop working after a year, though they cheerfully provided three telephone numbers, against the day. If you were a legitimate user, and could prove it, they’d unlock you.

But in the way of all emergent technologies, something entirely unintended happened. The Alvis’ wheel-clamp was soon copied by a certain stripe of computer hobbyist, who began to distribute it, concealed within various digital documents that people might be expected to want to open. Because almost all these booby-trapped files went out on floppy disks, the virus spread at a pre-Internet snail’s pace.

Should the lights go out in our online bus shelters one day, or some critical control system go spectacularly awry, it may in a sense, however distantly, be because Israel found a way to shut down Iran’s centrifuges. But in another way it will be the result of a bright idea two brothers once had, in the vicinity of Lahore Railway Station, to innocently clamp a digital pirate’s wheel.

Considered something of a cyber-visionary, Gibson points out he foresaw computer viruses becoming strategic weapons deployed by nation states but admits to missing the possibility that they would, for the most part, be the tool of amateur vandals.

The second piece is from Richard Falkenrath, former Bush White House homeland security official and NYPD Counterterrorism Commissioner. He covers a lot of familiar ground, questions of sovereignty and collateral damage, but brings up an interesting new (at least to me) issue:

Under American law the transmission of malicious code is in many cases a criminal offense. This makes sense, given the economy’s reliance on information networks, the sensitivity of stored electronic data and the ever-present risk of attack from viruses, worms and other varieties of malware.

But the president, as commander in chief, does have some authority to conduct offensive information warfare against foreign adversaries. However, as with many presidential powers to wage war and conduct espionage, the extent of his authority has never been enumerated.

This legal ambiguity is problematic because such warfare is far less controllable than traditional military and intelligence operations, and it raises much more complex issues of private property, personal privacy and commercial integrity.

Therefore, before our courts are forced to consider the issue and potentially limit executive powers, as they did after President Harry Truman tried to seize steel plants in the early 1950s, Congress should grant the White House broad authority to wage offensive information warfare.

Both pieces are worth reading in full.
