Saturday, February 7, 2009

Military brass joins wired troops

Admirals and generals hope to connect with soldiers via their own Facebook pages and blogs. But will they tweet?

By Gordon Lubold | Staff Writer for The Christian Science Monitor / January 20, 2009 edition

http://features.csmonitor.com/innovation/2009/01/20/military-brass-joins-wired-troops/

Washington

Some of the US military's top flag officers are becoming dedicated bloggers and attempting to change the military and extend their reach, one Facebook "friend" at a time.

They are using the Internet and social media to reach down within their own traditionally top-down organizations – and outside them, too – to do something the military isn't known for: creating more transparency to empower young military leaders and the public.

Some senior officers say transforming the military means more than buying next-generation vehicles or developing new training. It's giving more people more access to what they're doing and thinking. That's already happening as top officers create their own blog sites and Facebook pages in order to keep pace with the plugged-in, hyperconnected charges they lead.

Gen. William Ward, head of US Africa Command, and his staff use the Internet to explain the new command's purpose to a wary audience. Adm. James Stavridis uses Facebook and other online portals to promote his ideas about how to use "soft power" to win over other countries. And Adm. Thad Allen, commandant of the Coast Guard, has a running dialogue online about how he is trying to transform his organization. Gen. Gene Renuart, commander of US Northern Command, in Colorado Springs, Colo., also has a Facebook page. But with 48 friends, he's just getting started.

"We need to understand that we are not living in the same social environment that we grew up in," says Admiral Allen, who announced a new information "revolution" – not in a press release or an "all hands memo" but on YouTube, the popular online video site.

Allen is embracing the medium-is-the-message in hopes of connecting with the very people he hopes to influence as he sets a course to engage the rank and file and the public at large on his wide-ranging ideas.

"This is a permanent feature of our environment, and we need to understand how to operate in it, communicate with our people, and put out policies and let them understand what the organizational intent of the Coast Guard is and what we expect of them," he says.

What's he talking about? Allen wants to make junior leaders smarter about where he is taking his organization, thus empowering them to interpret his message to act on their own. That means, in part, daily blogging on his site about his travels, his thoughts, and people he meets.

On Monday, for example, Allen blogged about Martin Luther King Day and Inauguration Day, saying the two days were having an "electrifying effect" on Washington.

But it's more than just a barrage of his thoughts in daily bytes and pieces. Some senior officers like Allen want to see the military harness social media like blogs and Facebook to help shape the public debate about national security policy by providing more information to those with a vested interest in a given topic.

In this way, the military could take a page from Wikipedia, the user-based, online encyclopedia that has redefined the way the public thinks about reference sources. Wikipedia allows anyone to contribute or modify entries on any of its millions of subjects, and those lacking factual grounding are flagged by other users.

Members of the military operating within a closed network or the public operating in a more open online setting could help shape national security policy in much the same way, creating a product that results from a far more transparent process than exists now.

"I think we need 'wiki' security," says Admiral Stavridis, head of US Southern Command, who's an avid blogger with 249 friends on his Facebook page. Last week, he noted on Facebook that he would be traveling to Washington for a conference on deterrence. That posting alone could lead any one of his Facebook friends to post a thought on national security or provide other feedback that could help influence his thinking as a senior leader. "In so many areas, I think you can be transparent," he says.

General Ward's staff hopes to create a Facebook page soon, and they've experimented with their own page on YouTube. The US military typically blocks access of its own computer networks to networks such as Facebook, forcing defense officials to use work-arounds on their personal computers.

As social media expands and its value becomes more apparent, those kinds of policies may be reassessed, defense officials say. Meanwhile, sites like Small Wars Journal (SWJ), a respected online forum, offer warrior academics a chance to vet ideas and build consensus.

"It connects the top thinkers on the direction the military should go as it adapts to the wars in the 21st century," says John Nagl, a former Army officer and author who is a regular part of the debate on SWJ. "It allows instantaneous feedback and ideas to be debated in real time, and it accelerates the debate."

Mr. Nagl says such discourse throws military conventions on their head and challenges the traditions of chain of command that assume the smartest people able to make the best decisions are at the top. Yet all agree that social networks like Facebook and media such as Small Wars Journal will play a large role in the future.

"Innovative, forward-looking officers are clearly all over it," says Nagl.

Cyber-Attack Operations Near
By David A. Fulghum
http://www.aviationweek.com/aw/generic/story_generic.jsp?channel=awst&id=news/aw0112909p1.xml&headline=Cyber-Attack%20Operations%20Near

Continuing development of cyber-weapons and experimentation with digital warfare are triggering optimism and the occasional operational U-turn.

In a few years, the U.S. Army, Navy and Marine Corps expect to be delivering airborne electronic fires and cyber-attacks for ground troops with a fusion of radio battalions, EA-6B Prowlers, EA-18G Growlers and a range of UAVs.

Who actually commands and controls the technology operationally and strategically remains an open question. The uncertainty was illustrated by the formation of Air Force Cyber Command, followed by its months-long pause in bureaucratic limbo and, finally, its re-designation as a numbered air force under U.S. Strategic Command. The institutional tangle was compounded because the services have still not produced a unified plan for electronic warfare and attack. It also contributed to two failures to get the Air Force back into electronic attack with an EB-52 long-range (80-100-naut.-mi.) standoff electronic attack aircraft. The design included the capability to electronically map and attack enemy networks.

"It's not about putting iron on targets anymore; it's about fighting the networks," says a U.S. EW specialist and senior technology officer. "But there is the difficulty that no one has owned cyberwarfare in the past. Now with the massive [cyber] attacks on Estonia and Georgia, it's a real threat and nobody has the charter [to combat it]."

"The organizations and lines of responsibility are still being worked," agrees Lt. Gen. Dave Deptula, the Air Force's deputy chief of staff for intelligence, surveillance and reconnaissance (ISR). "Let me be honest, we're still at the stage of understanding what cyber is. Cyber-operations broach everything from the tactical to the operational to the strategic. How it is used determines what it is.

"My opinion is that we need to normalize operations in cyber just as we've normalized operations in other domains," he says. In an air ops center, "cyberwarfare ought not to be something in a special box that is conducted somewhere else. It needs to be part of the equation in determining a regional contingency plan in equal fashion just like air, space, maritime and ground components."

As cyber- and electronic attack technologies emerge, it is becoming harder to distinguish between cyberwarfare, directed energy and electronic attack, intelligence gathering and information operations. Rationalization of all these elements also is complicated by shrinking manpower and funding.

Meanwhile, there is the new concept of "hybrid warfare," a term coined by U.S. Joint Forces Command. Characteristics of hybrid war are a "very dynamic, uncertain environment [that creates] a lot of change and persistent conflict," says Vice Adm. Robert Harward, the deputy commander of USJFC. The command's operational predictions include increasing dependence on unmanned sensors and aircraft and small fighting units that will employ directed-energy and cyber-weapons.

What the military will look like in 10-15 years "is a little bit of a mystery and may be a little bit of a secret," Defense Secretary Robert Gates told troops in Southwest Asia. But the conflicts in that region are producing templates for future combat - in particular, "the marriage of combat operations and ISR, the ability to dwell over a target, and the ability for relatively small units to have situational awareness of what's going on [around them]," he says. "I think this use of ISR and the integration of intelligence and operations is something we will see continue. This is revolutionizing the way we fight."

Gates bemoans the fact that in some areas first-world nations are already falling behind the insurgents. "How did we end up in a place where the country that invented public relations is being out-communicated by a guy in a cave? Partly, we are still operating too much in a 20th century mind-set."

Air Force officials managing the intersection of ISR, cyberwar, directed energy and information operations echo that concern.

"We need new capabilities to deal with [the enemy's use of advanced technology]," says Deptula. But making the job more difficult is "more demand and fewer resources," he adds. "So we've got to come up with some new approaches. What makes the most sense, given that we're [also] reducing in size?" Part of the answer is high-speed technologies - such as cyberwarfare and high-power microwave (HPM) weapons, he says. But learning to employ them and assign responsibility for their use is still a work in progress.

"As we move from speed-of-sound to speed-of-light weapons, we're beginning to see the changes required to deal with cyber-operations," says Deptula. "HPM is going to be another game-changing capability. We're not there yet, but . . . those capabilities are coming out of ISR, so we have to move rapidly to adapt our organizations to integrate those kinds of weapons. What's critical is to create the command relationships and authority to capitalize on those weapons and not restrict their capabilities.

"Every service ought to have some sort of cyber-component that organizes, trains and equips to how they present force capabilities for combatant commanders," he says. "Then we have a common definition that each of the services can shape to operationally fit their basic core competencies for conduct of military operations in a regional scenario."

As these capabilities are introduced, joint operations are expected to undergo fundamental changes.

"We see a [future] environment that is very much focused on distributed, decentralized, leader-centric and network-enabled [units and] structures [placed] throughout the joint forces," says Harward, who is a Navy Seal and former director of special reconnaissance and direct-action missions in Afghanistan and Iraq. Those special ops-like units will be trained to "have the ability to operate with the commander's intent when systems fail and they can't get information," he says.

Joint Forces Command also embraces the quick introduction of advanced weaponry.

"Everybody recognizes that electronic fires [such as jamming, directed energy and cyberwar] is a capability that ought to be bought, maintained and developed," says Harward. "It's part of the technology advantage that we have right now, and our ability to expand it will pay dividends. We're looking at it in the experimentation phase and how we might move forward."

Training for the hybrid war also is likely to look different. Planners want high-fidelity, fighter aircraft-like simulators for ground soldiers so that responses to attacks, ambushes and other encounters are well rehearsed before anyone is thrust into combat. Simulators would also allow operational lessons learned to be immediately fed back into the training.

However, researchers are worried that pieces of the digital puzzle are still missing - in particular, projection of new threats that foes may throw at the U.S.

"As you go into a new theater of operations, you see [advanced communications and new uses for networks] pop-up everywhere," he says. "The threat is there, ad hoc, undefined and asymmetric. So you have to stand up your capability quickly to defend and fight your networks. It's changing the way we think about deploying software-defined radios [for example]. We're using common modules that have software functions that are adaptable in real time as the threat changes."

There also are no digital weapons that can be used by nonspecialists, and there is no ability to duplicate networks so attacks and exploitation can be planned and practiced. As a result, the Defense Advanced Research Projects Agency awarded seven six-month contracts totaling about $25 million as startup funding for a National Cyber Range (NCR). The move is being applauded by military officials, who shared their insights into the effort.

It would be the nation's premier cyber-test facility. Candidates would have to provide a complete, integrated system, and Darpa will not act as the integrator.

Test analyses are to be unbiased and quantitative assessments of information assurance and survivability tools. The laboratory is to replicate complex, large-scale networks for current and future Defense Dept. weapons and operations.

The capabilities to be tested are host security systems, local-area network security tools and suites, wide-area network systems operating on unusual bandwidths, tactical networks (including the problematic mobile ad hoc networks) and new protocol stacks.

To further hedge their bets, Darpa officials may fund multiple teams to simultaneously build competing prototype NCRs. Testing of the ranges will include demonstration of "packet capture" and automated attacks. Flexibility and adaptation will likely be the key concept to winning the technology wars, just as it is in conventional combat.

"We don't know if knocking down more walls in the intelligence [world], conducting cyber-operations and introducing nonkinetic weapons like HPM are going to be sequential problems, or if they will all arrive together," says Deptula.

"I'd like us to accelerate our ability to meet some of the challenges we have with directed-energy weapons because they certainly will be game-changing," he adds. "Once a capability is fielded and begins to be employed, there's a lot to learn between what was anticipated and what actually takes place. Our organizations must evolve accordingly."

UK Cyber Attack Reported

http://www.defensetech.org/archives/004644.html


The UK Ministry of Defense (MoD), the DoD equivalent in Britain, has begun to investigate what has been called its most significant cyber security breach after information and evidence surfaced that all emails sent from multiple Royal Air Force stations were also sent to IP addresses traced back to Russia.

A hybrid computer virus/worm was able to penetrate MoD system security nearly two weeks ago. An MoD spokesman reportedly said that "action was immediately taken to isolate the infected systems and commence virus-cleansing procedures to protect from re-infection."

This security event resulted in the need to bring down systems and halt email communication across most, if not all, of the military. These reports were just confirmed by British media. Reports that the Royal Air Force had some of its systems impacted as well remain unconfirmed at this point.

Allegations have been made that the MoD has failed to take the necessary steps to secure its systems and to respond to the growing threat of cyber attacks. Digital DNA analysis of the sophisticated virus suggests that it originated somewhere in the former eastern bloc. The impact of the computer virus attack was significant. The MoD stated that the performance of its IT systems had been affected by the computer attack but would not elaborate further.

Other reports suggest that systems at over 24 RAF bases and on 75% of Royal Navy ships -- including the aircraft carrier Ark Royal -- were infected or impacted. Unconfirmed reports implied that the stations attacked by the worm were ones that would be used to scramble aircraft to intercept Russian bombers. Sources inside the MoD have stated they are investigating the computer virus/worm. However, they firmly denied any knowledge of any e-mails being sent to a Russian.

This attack came on the heels of a similar attack on the Pentagon in the United States. Could this be the same bug? Cyber security experts say they appear to be similar but are not willing to say they were identical. The computer virus caused the Pentagon to ban the use of USB memory sticks or flash drives.

Although the US Department of Defense has not provided any official comment on the attack on its UK ally, one thing is clear: cyber attacks have accelerated, and many believe we are on the verge of an all-out cyber war.

-- Kevin Coleman

Blogging General Reaches Out to Troops, Blows Off Security Fears

Danger Room had several stories recently about military leaders blogging and using social networking to accomplish the mission or get their message out. Gen Oates and Gen Seip (in another Danger Room story) are some senior folks who are embracing the new media. However, many in the military are still reluctant. Cyberspace presents us with not only a threat, but also an opportunity. The art is learning where the dividing line is (if one even exists).

By Noah Shachtman   January 16, 2009 | 9:00:00 AM

While most of the Army is still wringing its hands trying to figure out what to do about blogs and other social media, the two-star general overseeing 19,000 U.S. soldiers scattered across 17,000 square miles of southern and central Iraq has decided to start blogging himself and holding online chats with his troops.

"There are some concerns by some people, based on the nature of our hierarchical organization, who feel this is inappropriate -- going around the chain of command,"  Major General Michael Oates, the commander of the Army's Task Force Mountain, tells Danger Room. "It is not in fact going around the chain of command; it allows us to connect to the chain of command in ways we have not been able to experience before."

The general's blog posts are simple -- questions, mostly, designed to be conversation starters. A quick query, on "what needs to be changed," led to an improvement in mental health care at Ft. Drum, New York, where his unit is based. Another on "tour lengths in Iraq" sparked a fevered, 40-comment debate with soldiers and family members taking Oates to task in ways that would be unimaginable face-to-face. "Honestly no one really cares what we think," one commenter wrote. "Asking this question is a futile attempt at appearing to be concerned with the welfare of soldiers and their families," sighed another.

Oates doesn't seem bothered by the push-back. "I enjoy the open engagement with my soldiers. I'm interested in hearing their thoughts. And I have no problem with challenging them in an honest open fashion. I think this medium allows that," he says.

Oates first became interested in social media more than two years ago, when it became "blindingly obvious that these soldiers are using these social network systems," he recalls. "I'm always looking for another way to communicate with the soldiers." 

Ironically, Oates had to wait until he got over to Iraq to start his social media push; a lumbering military bureaucracy kept him from blogging, while his troops were stationed at Ft. Drum. "We did not get anywhere with it while we were in the United States because the rules, procedures, policies, and regulations are extremely inhibiting to doing that sort of thing."

In many ways it's emblematic of the Army's uncomfortable, uneven relationship with these new ways of publishing. Some generals see the sites as a security risk -- who knows what a blogger might say? Other senior officers are extending a wavering toe into the blogosphere, with stilted, irregular posts. Army public affairs holds private roundtables with top bloggers. At the same time, service secrecy regulations, read literally, make it next-to-impossible for average soldiers to blog.

Oates finds the security concerns overblown. "I think it's a normal institutional reaction, conservative reaction to information," he tells Danger Room. "But I tend to think that's a very minor thing; most soldiers don't have critical, national-security-sensitive information. They just don't possess that kind of information, so I don't see that as a problem."

It's not the only way that Oates parts from the stereotype of the general-as-starched-shirt. Online, he's more likely to tease and joke than to issue orders. During a January 4th chat his troops asked -- anonymously -- about the Task Force headquarters' move to Basra, from the luxurious Victory Base Complex.

"What are things looking like for the Basra move, sir? I've heard several different stories," one soldier typed.

"Nothing certain yet," Maj. Gen. Oates responded. "But good chances we will replace UK forces in Basra before we depart. I get harder questions from the school kids."

"What sort of conditions is Basra in now compared to VBC?" another soldier asked.

"No Salsa night," the general deadpanned.

Other questions involved tour lengths, the Army's "stop-loss" policy of forcing soldiers to stay in a war zone, and cost-of-living adjustments to pay. Oates decided to focus his efforts on this internal audience, as opposed to some other military social media experiments, which try to persuade a larger crowd. For now, he wants unfiltered access to his troops.

And he wants them to talk right back. The chat gave junior officers and enlisted men a chance to talk directly with their commanding general -- which is unusual, offline. The chat's anonymity let them be frank, even about Oates' beloved (and ill-fated) Texas football teams.  

The general shrugs the interactions off as no big deal. "Fundamentally what I'm doing is not new. What I'm doing is communicating with my soldiers. What's new is the medium in which we're communicating."

Obama Administration Outlines Cyber Security Strategy

http://voices.washingtonpost.com/securityfix/2009/01/obama_administration_outlines.html?wprss=securityfix

Brian Krebs on Computer Security

President Barack Obama's administration has sketched out a broad new strategy to protect the nation's most vital information networks from cyber attack and to boost investment and research on cyber security.

The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime, and shore up the security of the nation's most sensitive computer networks.

The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals:

* Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

* Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

* Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

* Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

* Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

* Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

While it remains to be seen what resources the Obama administration may devote to these goals, it is an encouraging sign to see the new White House give the vital challenges of cyber security such prominence so soon.

Sunday, August 10, 2008

Georgian Web Sites Under Attack

http://voices.washingtonpost.com/securityfix/2008/08/georgian_web_sites_under_attac.html?nav=rss_blog
by: Brian Krebs

As Russian bombs rained down on towns in separatist regions of the former Soviet republic of Georgia, hackers mounted a digital assault on the nation's top Web properties this week, knocking government Web sites offline and defacing others.

According to reports from security experts who have been monitoring the ongoing cyber attacks, the Web site for the office of Georgia Foreign Affairs (mfa.gov.ge) was hacked, and its homepage was replaced with images depicting Georgia's president as a Nazi. That site is currently offline.

Other Georgian Web properties, such as the Caucasus Network Tbilisi -- key Georgian commercial Internet servers -- remain under sustained attack from thousands of compromised PCs aimed at flooding the sites with so much junk Web traffic that they can no longer accommodate legitimate visitors.

Security Blogger Jart Armin has been tracking the attacks by conducting Internet traces and lookups at key Georgian Web properties.

The apparently coordinated cyber attacks are reminiscent of recent cyber wars waged against other former Soviet republics that have attracted the ire of the Russian government for various political reasons. Last month, a similar assault targeted important Lithuanian government Web sites. In April 2007, ultra-wired Estonia suffered major disruptions in much of its information infrastructure, thanks largely to Russian hackers who were upset over the removal of a Soviet World War II memorial from the center of Tallinn, the Estonian capital.

Chertoff: I'm Listening to the Internet (Not in a Bad Way)

By Ryan Singel August 06, 2008 8:28:51 PM
http://blog.wired.com/27bstroke6/2008/08/chertoff.html

Homeland Security chief Michael Chertoff sat down with Threat Level on Monday in Silicon Valley to talk about laptop searches at the border, the government's new-found interest in computer security, and the continuing saga of overeager terrorist watch lists.

Among the revelations: It seems blog comments inspired him to propose a laptop-tracking application for those who had their computers seized at the border. He also explained why watch-list mismatches are the airlines' fault, and why the government is too secret.

Wired.com: There have been quite a few security czars over the years, but sometime last year, cybersecurity became important. What changed?

Homeland Security Secretary Michael Chertoff: I'm going to give credit to Mike McConnell, the director of national intelligence. When I came on board and we looked at the entire department three-and-a-half years ago, one of the issues we saw was that we didn't have a very mature cybersecurity program. We have US-CERT, which does good work, but we didn't have a program much beyond that.

Frankly, it was hard to get people to explain what they thought our value-add to the program would be. It's not like we are inventing software or firewalls or are competing with McAfee or companies like that.

We could talk about creating a forum where the cyber community could come together and share information, but that seemed like pretty weak tea.

But last year, Mike McConnell and I sat down … and really began talking through what do we do to deal with this issue -- the problem is getting greater.

We have had intrusions. We have had the theft of information over the internet. We are concerned about denial-of-service attacks. We saw the attacks in Estonia.
The sense was we couldn't not deal with the problem because it was hard.

And as I became better acquainted with some of the tools other parts of the government use in terms of capabilities for cybersecurity, that we have used for [the Department of Defense and] for the intelligence community, for example, I was persuaded -- it didn't take a lot of persuasion -- that there ought to be a way to translate this into civilian domains.

And there are two parts to this. One, we have to protect our own civilian assets -- meaning the dot-gov assets.

And there what is involved is getting a hold on the number of access points between .gov domains and the internet, and finding a way to progress from our current Einstein model [DHS's Intrusion Detection Software], which is the passive detection-after-the-fact model, into a real-time detection tool and possibly even a defensive capability with respect to our networks connecting to the internet.

And just getting a handle on that would be a huge benefit in terms of protecting our assets against espionage and also against the possibility of an attack.

The larger challenge -- and frankly one that is further out -- is to find a way to partner with the private sector to enable and encourage them with some of the capabilities that we have to increase their defensive capacities, but on a voluntary basis, meaning not making them do it or regulating them into doing it. But instead offering them the opportunity -- much the same as in the non-cyber world, where we go to people who run power plants and dams and we share information and best practices that they can use to defend their own assets.

Wired.com: When you hear talk of cyberwar, people start talking about power plants going down and you get cascading problems. Do we need legislation to give DHS the power to regulate those who run critical infrastructure?

Chertoff: I'd be hesitant to go there with the private sector. With the Federal Aviation Administration or other government agencies, I think it is different. I think with the private sector the model is the cooperative model. They have a very strong interest in protecting their assets. But they also have to make a choice about how much they want to partner with the government.

The one thing we don't want to do, because the culture of the internet is opposed to anything that smacks of government clumsy heavy-handedness, is that we don't want to be sitting on the internet, like certain other countries do, where people suspect we are limiting what people can see. We don't want to force people to do what they don't want to do. We don't want them to think we are intruding into their private space.

There is an interdependence on the internet that puts a premium on being a responsible citizen. If you fail to protect your own assets, it doesn't just affect your assets, it affects the assets of everyone linked up to you. So pretty soon, someone who doesn't do a responsible job is going to find themselves ostracized.

The business community is pretty good at understanding that, when they have a threat, and there is capability to defend against the threats, if you don't exhaust every reasonable means, pretty soon you will end up being sued and you will be in bankruptcy court. They have a natural incentive to protect their assets.

Wired.com: What is your threat model? Is the threat level that high?

Chertoff: There are nation states and non-nation states that have the ability to penetrate and filch information and there are certainly other countries in that area as sophisticated as we are -- or close to it -- so naturally you worry about that.

I think you worry about intrusions that steal valuable intellectual property, and you worry to an even greater degree about corruption or disruption of processes.

By corruption, I mean someone enters the financial sector and you begin to corrupt how the system works and it becomes unreliable, people begin to find out they have lost money from their bank account.

The reliability of the system becomes compromised.

There is no question in terms of espionage: It has already materialized. There is a huge amount of penetration of certain government systems that we have had to contend with. Now we are able to defend against a lot of this, but some of it has not been defended against and some of this is out in public.

We had the Estonian experience in terms of an attack actually on a system.

If we wait till someone tries this the first time, it's going to be a really unhappy circumstance.

Just ask [Treasury Secretary] Hank Paulson. If someone takes out a bank, and all of a sudden you don't know any more if your money is safe, that imperils the entire banking system.

There are some people who believe the current generation of terrorists wants a big visible bang. But you know, the next generation may not want a big visible bang. They might take a quiet satisfaction in watching the entire financial system shudder.

Wired.com: Could we talk about laptops and the borders? (ed. note: The government reserves the right to look through any laptop or electronic device crossing the border, saying it is no different from any other luggage. DHS published the official policy on its website just weeks ago.)

Chertoff: This is something that has been done since there were laptops ... It is not a new program. It is a program that affects only a small number of people. And contrary to what the ACLU says, it is constitutional, because the courts say it is constitutional, including the 9th Circuit most recently.
The only thing that happened recently is that I ordered the policy to be put online in the interests of openness and transparency. We get about 80 million people a year coming to our airports, and a very small number are put into secondary inspection and that's based on some suspicion that the inspector has about the person.

It is that pool of people in secondary who have their things gone through; they can have their luggage and documents gone through. And nowadays, because you can bring contraband through on a laptop, they can have their laptop looked at.

You are looking for material that is contraband itself, such as child pornography or information about how to set up remote control IEDs. Or if they are non-Americans, you are looking for information on the laptop about why they should not be admitted.

In many cases, we open the laptop and look at it right there. There are some cases where it is encrypted or it is difficult to assess, and we may hold on to the laptop for the purpose of having someone more expert look at it.

If it turns out there's nothing there of criminal nature or significant in terms of national security or admission to the country, we return the laptop and expunge the information and it evaporates.

If it turns out there is significant information, we may return the laptop and keep the info, or if the laptop is itself evidence of a crime, then once we have PC [probable cause] determination we keep it.

One thing I am thinking of doing is creating a better tracking system so if we do take a laptop off the premises, we find a way to let them track it and after a certain number of days they can inquire about when it is going to be returned or what the situation is.

Wired.com: Wouldn't it allay the suspicions of the business community if you had a policy that says we only search through laptops if we have a good reason to do so?

Chertoff: That's exactly why I put it up on the internet. It is on the web to say, 'We only do it when we put you into secondary and we only put you into secondary when there is a suspicion, when there is a reason to suspect something.'

We were trying to say we don't take everyone's laptop and suck it up into a giant vacuum cleaner.

There is some basis for suspicion the inspectors use, and they are the same they have used for decades.
We posted [about the policy] on the Leadership blog and we got a lot of comments. So I said, 'Let's look at all the comments and if there is something we can clarify in the policy because there is a persistent issue, we will do it.'

I am willing to treat this as a bit of an experiment in interactive policy-making. For example, it seemed to bother people, from what I was told, when a laptop is taken elsewhere. So that's where I came up with the idea of finding a way to assure people they won't lose their laptop. We are going to track it and make sure we can account for where it is and when they will get it back. So I am willing to do this back and forth in an interactive way.

Wired.com: Since people could simply store things on servers or use Gmail, doesn't the program just get at low-hanging fruit?

Chertoff: I'm going to tell you a story from real life. When I was a prosecutor we had had wiretaps for criminal cases for years -- it was a well-known thing. But time and again I would hear the following on a wiretap: "I hope no one is listening in because if they are we are going to jail."

The truth is it is very hard to perfectly avoid being captured if you are doing something wrong simply by saying, 'I'm not going to put it on my laptop. I will put it somewhere else.' They are going to have to be worrying that the other place they are keeping it, the cloud, is being penetrated.

Now is it impossible? No, a perfect terrorist could find a way to circumvent this. But if I can reduce the risk by getting rid of 99 percent, I am way ahead of the game.

Wired.com: If you have an encrypted laptop and you are an American citizen and you come back to the border and you get pulled aside for secondary, they want to look through the laptop and you don't want to give the password, what happens?

Chertoff: That's being litigated. I think our view is that you can be required to open it up, in much the same way that if you have a briefcase and it is locked and you don't want to open the lock. And the hunch is that's a circumstance where the laptop might be seized and taken elsewhere to be decrypted. [In response to a follow-up e-mail, spokesman Russ Knocke clarified.

"Constitutionally, U.S. citizens are permitted entry into the country. However, if they are carrying contraband such as illegal narcotics, they may be taken into custody. In the hypothetical circumstance that a U.S. citizen is entering the country with an encrypted laptop, and that individual is even referred to secondary in the first place, and then that individual refuses to cooperate by providing a password (again, even if we were to get this point), then the laptop could be seized and de-encrypted."]

Wired.com: Almost seven years after 9/11, there are still reports of problems with the government's watch lists. Most recently, Jim Robinson, a former assistant attorney general, says he is stuck on the list.

Chertoff: In the airport environments, supposing there is a terrorist Jim Smith and that person should be on the watch list, the question is how do you distinguish them from the other Jim Smiths and the answer is you need an additional bit of data, such as a birthday.

That would override or eliminate most false positives. In order to allow people to do this, [beginning] about two or three months ago, people who are selectees can give their frequent flier number or birthday, the airline can enter it in the system and they can enter that at the kiosk or at home and they can get their boarding pass and it won't be an issue.

One airline has done that very well. There are some airlines that have not done that. They don't want to reconfigure their software, it's not an issue of customer service they care about, and if there are false positives they can blame the government.

We would like to reconfigure in the next year ... so we do the checking. Some of the airlines don't want to do that because they would have to reconfigure their software.

So that's why there was a discussion recently about whether we should fine airlines that don't correct this problem. There is a system for correcting this and which is adding another data point, but the people running the system have to be willing to reconfigure the system. If they don't care, then the problem is going to continue.

Wired.com: But there is no mechanism for me to say I'm not doing what you think I am doing?

Chertoff: There is a redress program. The easiest thing to resolve is that you are not the person we are worried about. The hardest thing to resolve is that you are worried about me, but you shouldn't be -- because, to be honest, there are people who are dangerous who lie about being dangerous.
And if you tell them why you have them on the list, they will reconfigure or readjust their behavior to not leave the traces that are a problem.

There may be people for whom it is inconvenient to be patted down or asked a few questions. The downside is that if we don't do that except if we have proof someone is an actual terrorist, you are going to have a Mohammed Atta getting on an airplane or crossing the border and that's going to raise the risk.

Wired.com: At what point do stops by law enforcement and four-hour holdups at the airport become a punishment that you can actually protest?

Chertoff: Particularly with respect to Americans, the number of people that are on the list that are not false positives are not that large a number. And if they do raise an issue, we will take a look at what the basis is. And sometimes we will make adjustments.

But if you are asking if we would do a court process where we litigate it, I mean, that effectively would shut it down.

And then I guarantee what would happen is this: If you stopped using the watch list and basically anybody could get on a plane without knowing their identity, sooner or later something would happen -- and people would lose their lives, and then there would be another 9/11 Commission and we'd hear about how you had this system and you would have kept them off and these people lost their loved ones on a plane.

I don't know if they do it anymore, but when I was a kid we all had polio shots, and after a while, you just don't know anyone with polio. And the question that was raised was, why are we taking these shots? There's not that much polio around. And one of the reasons there's not that much polio around is that everyone is getting inoculated.

Wired.com: You are talking about sharing information and this being an open process, but so much of the Comprehensive National Cybersecurity Initiative is secret. Homeland Security Presidential Directive 23 -- which authorized the program -- there's still not an unclassified version of it. You can talk about Einstein, but there are other things you can't talk about. There's reportedly $20 billion in the classified intelligence budget for cyber-security. From the outside, it's hard to know what's going on. With that much secrecy, it sounds like security through obscurity.

Chertoff: I think secrecy is one of the hard issues. That's because the culture of the internet is an open culture and I would like to see us be as open as possible. It's obvious that some things can't be open because they compromise things that, if known to others, would diminish our ability to do certain things, whether that be acquire information or take certain steps. We will have to figure out how to be open to the extent we can while recognizing you live in a world where openness can be a problem too.

It is my fervent hope that more and more of the strategy will be public and only things that really have to be kept secret will be kept secret. But once something is out it is out -- so there is hesitancy and deliberativeness about making things public. But in this case we tried to make public early we were thinking about this.

Wired.com: How do people know this isn't a program about sitting on the internet and monitoring everything?

Chertoff: That's why I think the easy part is the government piece, because clearly with government domains, you have a right to protect your own domain.

And that's why I emphasize the voluntariness. I think the key to the approach is one where the government offers to work with the private sector. But it has to be consent-based. If you don't want any part of it, then you can walk away.

Beckstrom on cybersecurity

By William Jackson
http://www.gcn.com/online/vol1_no1/46849-1.html

LAS VEGAS — Cybersecurity is hampered by a lack of understanding about the physics and economics of the networks we are trying to defend, Rod Beckstrom, director of the Homeland Security Department's National Cyber Security Center, said Thursday at the Black Hat Briefings.

Risk management is a process of balancing security efforts against an acceptable level of risk because absolute security is not possible. But Beckstrom, speaking at the Black Hat Briefings yesterday, said we have no method for valuing our networks or measuring the effectiveness of our security.

"Without the economics, we don't have a risk-management function in terms of our investment," Beckstrom added.

Beckstrom, who has been on the job about four months, did not go into detail about his office's plans, although he said the goal is to build bridges between the military, intelligence and civilian communities in government.

"We're a brand-new government initiative, and we are working on our initial plan," he said. "My job is to help foster cooperation and information-sharing between those three communities."

Information sharing is a common refrain in his comments. His mantra is "all of us are smarter than any of us."

To balance cost and returns in risk management, the amount of money spent on security should not exceed the cost of the losses being prevented. Initial investments in IT security typically bring a high rate of return by sharply reducing losses. But finding the point of diminishing returns is difficult without a good economic model.

"We need to do a lot more work in that area," he said. "We may want to invest in protocols because it might be the best investment we can make."

Fixing flaws in the protocols that underlie our networks would give us the biggest bang for the buck in the federal government's security spending, Beckstrom said. Such fixes are relatively cheap and have a wide impact, although they are not necessarily simple to implement, as the current effort to patch the Domain Name System shows. But in times of emergency, keeping network operations functioning is critical to any response.