Cyber Fear Echo Chamber

Written by SoVaSec on December 2nd, 2009



 

Theologians, Politicians, and Financiers agree! When in doubt use a little fear and not FUD.

Interesting how things pick up right where we left off, with discussion of MAD and CyOffensive Strategies. A policy of ‘deterrence’ only works when you are not bluffing, and can neutralize your opponent. Hence “Can America take over the internet?”, because that’s the only way such a policy would be effective. CyWar is more of a guerrilla operation; there is no specific target to nuke.

 

“A threat pops up here, we whack it down, and another one comes up here – this is the environment that many of your enterprise cybersecurity officers are facing,” – Bruce McConnell, counselor to DHS’ top cybersecurity official


Threats like al Qaeda?

 

“I don’t think they’re the most capable in the world, but they have some capability,” – Former Homeland Security Secretary Michael Chertoff


“I am worried about some terrorist group [with] the capability to destroy the U.S. money supply,” The impact of such an attack would be “an order of magnitude greater” than the Sept. 11 terrorist attacks – the former Director of National Intelligence Mike McConnell


Spottswoode: “From what Intelligence has gathered, it would be 9/11 times 100.”
Gary: “9/11 times 100? Jesus, that’s–”
Spottswoode: “Yes, 91,100.”

Kim Jong Il: “It will be 9/11 times 2,356.”
Chris: “My god, that’s… I don’t even know what that is.”
Kim Jong Il: “Nobody does.” – Team America World Police

 


FBI Suspects Terrorists Are Exploring Cyber Attacks

While there is no evidence that terrorist groups have developed sophisticated cyber-attack capabilities, a lack of security protections in U.S. computer software increases the likelihood that terrorists could execute attacks in the future, the official warned.

If terrorists were to amass such capabilities, they would be wielded with “destructive and deadly intent,”

Cyber agencies mum on how they try to identify cyberattackers

Identifying the sources of cyberattacks might not be technically possible in all cases, federal agencies can draw conclusions based on motive and the consequences of the attack

There is “no evidence” terrorists are ready for CyWar, but Chertoff seems to think they have some capability, and McConnell is worried they will destroy the economy before the bankers finish it off. I almost feel like some of these people are doing the work of the terrorists by striking fear of “destructive and deadly” CyAttacks into the hearts of hard-working men and women.

McAfee stirred things up this month with some secondhand fearmongering.

“Nations all over the world are gearing up for a cyber war and that everyone must adapt to these threats” – David Dewalt, McAfee president and CEO

Now the media, which knows exactly squat about CySec, can only put into the echo chamber what they are fed, which is exactly what happens with the McAfee statements.

McAfee Cautions About The Possibility Of Cyber Wars

Cyber Warfare Warning Sounded

In its annual report on cybercrime, McAfee says that the age of cyber warfare has arrived.

FBI Suspects Terrorists Are Exploring Cyber Attacks

Separately, the computer anti-virus company McAfee Inc. issued a report by Paul Kurtz, who led the cyber-security review for the Obama transition team. He concluded that some cyber-attacks in 2007, including Israeli cyber-attacks on Syria and U.S. cyber-weapons employed in Iraq, constitute cyber-warfare.

Cyber ‘cold’ war may have started



Hold the phone. A cyber cold war? I’ve been talking about this for several months now. To clarify, it is not a ‘cyber cold war’, it is The Cold War. The established and powerful military industrial complex, which Dwight Eisenhower warned us against, is moving its resources into the Intelligence Industrial Complex. The same old players, now working the intelligence angle; The Cold War.

 

CyberWar is a Racket

Under the threat of war, the cost of defense is never too high. A nation is under significant obligation to protect its investments wherever they may be. What we see now is the transition from physical to electronic defense. The United States is returning to Cold War status. In preparation for this the advancement of technology and the power of the intelligence community is of the foremost importance. In order to maintain a position of dominance, the government must sustain its partnership with wartime industry. Through a metamorphosis of the “military industrial complex”, into a new “intelligence industrial complex”, this accomplishment can be witnessed. The ever present fear of terrorism will still be used as justification for sustained engagement. The new terrorist threat comes from what the media refers to as hackers.

 

It’s not even McAfee’s report. It’s Richard A. Clarke’s. See how this works? The Public-Private sycophants spoon feed the media into a frenzy to get them stirred up. The media echo chamber picks up the supplied message, and unsuspecting members of the public become influenced by it and believe the lie, which causes them to be more than willing to vote for any sort of legislation that could remedy the issue. Sounds like we’ve gone back to the Hegelian scheme once again.

Dick Destiny
The report itself is attributed to Paul Kurtz, another of Richard Clarke’s men. Buttressing quote is furnished by Greg Rattray, another in a small circle of individuals all known for pushing the coming age of cyberwar.

Paul Kurtz, if you remember, was one of my first picks for CyCzar.

CzarWars Episode 1
Paul Kurtz, an Obama advisor who served in the National Security Council under Bush and Clinton, has been in the White House for long enough to know its politics. Kurtz is also one of the people quoted in the findings on which the Cybersecurity Act was drafted, saying “the United States is unprepared to respond to a `cyber-Katrina’ and that `a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector’”. Here is a person that fits my criteria: he is technical, political, and possesses an overwhelming desire to over-hype the cybersecurity threat with the understanding that it will create revenue for his and others’ private interests. It’s all about the money. If you check out the consulting team Paul B. Kurtz is on, it’s also about the cyber-FUD.


He is also mentioned in the CySecurity Act of 2009:

 

(6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a `cyber-Katrina’ and that `a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’.


The people who stand to make the most profit from a little cyFear create a report. They give it to a company whose name is well known to the general public. The company feeds the report into the media echo chamber which bounces it back and forth making it seem legitimate. The public believes the lie, and is now willing to continue funding the people who stand to make the most profit from a little cyFear.

Hegelian Dialectic – Step 1: need $$$ Step 2: FUD Step 3: $$$

 

 

Despite the apparent lack of leadership or direction, the money is still getting spent. It seems that many of the recommendations set out in the proposed bill 773 are being implemented. Regional CySecurity Centres, and competitions to recruit skilled workers are two I can think of at the moment. In addition to competition based recruitment, thousands of skilled CyOps (Cyber Operators) have been offered employment for the purpose of national CySecurity. It is not just regional centres, which as the bill suggested would be facilitated by existing local institutions, but there are many new structures being constructed.


It’s almost as if they are taking CySecurity and the CyWar seriously, while appearing incompetent. I know what you’re thinking, it’s the government, “Never ascribe to malice that which is adequately explained by incompetence”, but I’ve never agreed with that statement. I know that by feigning incompetence you can avoid responsibility; it’s even in the Art of War: “Appear weak when you are strong, and strong when you are weak.”

By preventing unwanted meddling with development of CyDefenses, the NSA and DHS and their corporate partnerships are actually throwing a fair amount of money at the problem. The issue with the CyCzar, and apparent lack of focus, could be a clever ruse.

So what is the real plan?
Monitoring, storing and, most importantly, indexing every communication possible. Why else would the NSA be in charge? Now they have their own Air Force unit, where the CyWar will begin to merge with NetCent Ops. Imagine! A mobile militarized and offensive arm of the NSA; for those hard to reach communications during the next Cold War years.

CyWar is job security for an industry that has run out of sophisticated enemies to fight on the ground.


Bonus:

Buzzword: “IT Eco-System”
Freudian Typo:

Senate Panel: 80 Percent of Cyber Attacks Preventable

“We need to, as a nation and as an IT echo system, continue to make it more simple for people to institute protections to determine if they’ve been compromised and to make sure they stay secure,” said Reitinger, a former Microsoft executive.

 

Response to “Thinking about cyber offensive capabilities”

Written by SoVaSec on September 17th, 2009

MAD

http://threatchaos.com/2009/09/thinking-about-cyber-offensive-capabilities/

Should the US engage in offensive cyber attacks?

All warfare is based on deception….

With the NSA’s acquisition of cybercommand, we have a fair indicator of the nation’s digital offensive capability and direction. Cyber attacks such as denial of service are much too public for the intelligence community.  The cyber offensive will come in the form of information collection and subversion of the enemy population, the infowar. Psychological operations will continue to be carried out as they have been for decades, only now with a massive influx of skilled technologists to maintain the competitive electronic edge. Kinetic attacks are also very much a reality. Such was the case when Russia acquired a piece of software corrupted by western intelligence, which caused damage to a pipeline.

“‘The result was the most monumental non-nuclear explosion and fire ever seen from space,’ he recalls, adding that U.S. satellites picked up the explosion. Reed said in an interview that the blast occurred in the summer of 1982.”

http://www.msnbc.msn.com/id/4394002

Without an external botnet to control, undue stress would be placed on the networks. However, it is likely that the command and control of existing botnets could be subverted by the cybercommand and used against remote targets. Reflecting on the historical nature of nuclear, biological, and chemical warfare, it does not seem to be a stretch of the imagination to believe that governments would be willing to develop new attacks. By utilizing offensive tactics such as worms, viruses, and even electromagnetic pulse attacks to achieve some objective, suddenly we have a new threat of cyber collateral damage. There is already a precedent for clandestine cyber warfare, and one can only imagine this will continue to escalate.

Will we see cyber Mutually Assured Destruction, the “Deterrence by in-kind response”?

That seems to be how these things reach their apex.  Only by fully developing offensive capability will a nation no longer be subject to a major attack. Or at least that’s the logic behind it.  MAD is the old school way of thinking, and sometimes it’s hard for the old war dogs to learn new tricks. Perhaps through education and training at the local level, a holistic approach to national cyber defense can be effective, this as opposed to relying on government and corporate entities to assume the whole of the burden. One thought on a sort of cyber homeland security is to offer the civilians an opportunity to participate in the federal botnet, offering up their systems willingly to fight the “enemy”.  Learning the lesson from America’s forefathers and establishing a well armed militia for the defense of the nation.

Attacks should not be used as a deterrent, after all the best offense is a good defense, and the enemy could use an event to draw their opponent into a conflict where they possess the higher ground.  One should make their position unassailable, and wait for their opponents to reveal themselves and with it their weakness.

The 24th airborne are training for cyber operations. They are learning to deploy physical assets to defend communications lines, and methods of attack on various targets such as networks, industrial control systems, radio, and air defense. True cyber war will be the combination of traditional combat blended with advanced technological attacks by ‘hacking’ the enemy in the field as a means to gain an advantage. Realistically speaking this is nothing new. ‘Hackers’, and more specifically ‘Crackers’, have played a significant and decisive role in warfare for decades. Without the employment of these skilled technologists, the result of the Second World War may have been quite different. The connection between cyber war and the NSA is quite clear. By compromising the enemy’s communications, obtaining their documents, and influencing their actions, the outcome of a conflict can be predicted before the first move has ever been made.

On the netcentric battlefield, can there be anything other than western dominance? The irony there is that there does not seem to be someone their own size to pick on, and they fall victim to the same guerilla warfare that acted as their own midwife into existence. The west owns space, the sky, the airwaves, and the technology. The netcentric warfighter is progressing into the future with little to no opposition, yet continues to fall prey to primitive attacks (though perhaps that’s what the British said about the colonists). I suppose one could envision a future battlefield where technologists play a game of virtual chess, attempting to outhack each other before the first shot is fired.

A cyber Geneva Convention, some UN mandated rules of engagement, would be totally ineffective on the virtual battlefield. Control of the media, political spin, and the very nature of cyber combat, will maintain the air of plausible deniability for any sort of electronic offensive. Protected by secrecy they will be able to carry out operations that supersede any national or international laws.  Privacy, property, and speech have long since fallen victim to this system.

We need to keep in mind the division of roles between the military cybercommand and Homeland cyber security.  Any offensive actions would come from the military.  The protection of non-military government and critical infrastructure systems is the function of Homeland Security.  The protection of the civilian end user of the internet has been delegated to the corporate sector.

So with that perspective, the cybercommand has no role other than military defense of its own networks and to carry out attacks against the enemy. The defense of infrastructure is completely separate. It has less to do with protecting the people, and more focused on defending the critical infrastructure which the government relies upon to operate. In other words, if an attack only affects non-critical sites such as mybook or twitterface, then the general public must look to the corporations to resolve this issue.

The US will continue to conduct intelligence operations against foreign and domestic targets using the most advanced technology and best available labor. Ground forces have been appropriated for kinetic operations. We can call this cyberwar if you wish.

 

Can America Take Over the Internet?

Written by SoVaSec on September 11th, 2009

Original Title : Cyber FUD s773

9.11.2009 – I haven’t forgotten.

A final straw has just broken this camel’s back. I’m not exactly sure why it suddenly became such a big issue, but the story about “Obama can shut down the Internet” really topped the charts there for a while. I even had someone ask me about it without the facilitation of an electronic or analog device. Today, I saw one more headline about the topic than was good for me, and as I said it was the last straw. The thing that bothers me more than the sudden influx of news stories suddenly paying attention to this legislation is that nothing regarding the president’s powers has changed since its introduction. A few of us were making noise about this months ago, and it was no big deal. So some mainstream media must have picked up on it, and the type of people who take in that sort of information ate it up. In what seems to be par for the course, those covering the story have no idea what they are talking about, and are just playing on the popularity of the subject to attract attention to their publication.

Internet Takedown Links

Let’s just skip over the fertile male bovine fecal matter, and get to the point.

Can Obama Shut Down the Internet?  – New Legislation Gives President Emergency Control.

That is a whole load of ignorance. Obama wouldn’t know how to turn off the internet even if such a thing was possible.  Yes the new legislation does contain wording related to the executive powers of control over critical infrastructure, but in reality this is nothing new. 

Lawmakers strike new tone with proposed bill giving Obama power to shut down Internet

When the bill was released in April, Leslie Harris, president and CEO at the Center for Democracy and Technology (CDT), which promotes democratic values and constitutional liberties for the digital age, told Network World: “We are confident that the communication networks and the Internet would be so designated [as critical infrastructure], so in the interest of national security the president could order them disconnected.”


I suppose this is the right day for this article.

In time of emergency the government has the power to seize control over anything and everything they desire. This includes the communications infrastructure and access to the internet.  If the people covering this story were aware of this, they might have expressed their concern over the redundancy of this power; why are they reminding us of this now?

Existing laws already give the president broad discretion on how to respond to cyberattacks, despite language in a Senate bill that proposes giving the president specific powers during such events, according to experts.

Experts debate expansion of president’s cybersecurity powers

The president has that power under the National Security Strategy, Addicott said. The most recent National Security Strategy was published in 2006.

Addicott said the bill — S.773 — probably included the language to more clearly define how government officials expect to react to a potential threat, Addicott said. There are precedents for presidents acquiring authority in situations where they do not legally need it, he said.


The people pushing this legislation are using scare tactics to advance their agenda. Using the threat of a cyber-911 or cyber-Pearl Harbor type of event as leverage to wedge the legislation into existence, they are merely trying to grow a new teat on Uncle Sam’s buttocks for them to feed from.

New Threat Scenarios Drive Cybersecurity Planners to Mull Responses

“It could even be a panic if you think about it,” Meyerrose said. “A story catches hold, there’s an attribution that says that country x has infiltrated something and nobody can take anything out of an ATM, or your power is going to go off or your water is going to turn off or whatever. And then a panic ensues. Those are the kinds of things (to consider) when you’re talking about cyber 911s or cyber Pearl Harbors, in my view.”

Meyerrose said laws are in place already for a situation like the one eight years ago, when the United States was attacked and President Bush ordered all aircraft grounded until further notice. But those aren’t easily applicable to cyberspace.

“There are already provisions I believe — and most of the folks in the business and the government believe — that give the powers to the president that allow to effectively do what needs to be done in times of national emergency,” Meyerrose said.

“I would be troubled if the president didn’t have some sort of emergency powers” for the Internet, he added. “The real ambiguity is, what’s the trip wire for making it a national emergency?”

 Obama Administration Seeks “Emergency Control” of the Internet

True enough as far as it goes, these “free market” cheerleaders are extremely solicitous however, when it comes to government defense and security contracts that benefit their clients; so long as the public is spared the burden of exercising effective control as cold cash greases the sweaty palm of the market’s “invisible hand”!


Of course Meyerrose is the former head of technology for the US Spymaster, and is now the traveling salesman for the Harris Corporation which works with the NSA on U.S. SECRET level encrypted communications. In  2008 it was the number one recipient of funds from the Department of Commerce, and makes billions of dollars a year in revenue. Security and cyber is their business. With the cybercommand being hosted by the NSA, I’m sure Harris <HRS> is a stock symbol to watch.

Internet security bill continues to cause uproar

Larry Clinton, president of the Internet Security Alliance, which represents a cross-section of IT companies including Verizon and Nortel, has criticized what he calls vaguely worded language in the latest version.

“It is [still] unclear what authority … is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill,” he states.

However, there are those who say the recommendations make sense. James Lewis of the Center for Strategic and International Studies compared the provisions to President Bush’s decision to shut down airlines after the 9/11 attacks.

“It seems foolish not to have the same authority for cyberspace,” he said, quoted by TheHill.com. “It’s not that the president will wake up in a bad mood one day and implode Yahoo. This would apply only to severe national emergencies. … This is a great opportunity to blast us into a new level of discussion about cybersecurity.”


Ok, so not everyone writing about this is in need of immediate cranial rectal extraction, just most of them.  Lewis’ statement points something out that is important to note.


James Lewis of the Center for Strategic and International Studies compared the provisions to President Bush’s decision to shut down airlines after the 9/11 attacks.


Next time you read a story that says ‘the government can’t shut down the internet because 90% of the infrastructure is privately owned’, I want you to think for a moment; did the government own the airlines? Remember, once these systems are designated as critical infrastructure, regardless of their ownership, they will be required to comply with federal standards which put them indirectly under government control. Depending on who is attached to these networks, the systems will fall under control of either Homeland Security or the NSA. Both competent agencies with the public’s best interests at heart.

Obama Administration Seeks “Emergency Control” of the Internet

Drafted by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME), “best friends forever” of the National Security Agency (NSA) and the telecommunications industry, they were key enablers of Bush-era warrantless wiretapping and privacy-killing data mining programs that continue apace under Obama.


Once the ‘emergency’ is declared, and the networks are commandeered, privacy’s already dead zombie corpse is beheaded and killed with fire, so not even the illusion of privacy would remain. 

The initial question remains. Can America Take Over The Internet?

My initial reactionary response to this absurd question is “of course not”. Though after some discussion it seems that with enough pressure from the United States, most international corporations, telecommunications providers, and ISPs are likely to cave and accept the forced compliance standards. After all, if America gets the DNSSEC root, then the DHS will be able to shut down pretty much whatever they want on an international scale, not to mention that the IANA was a US Department of Defense contract which ICANN was created to handle after the death of Jon Postel.

New Agreement Means Greater Independence in Managing the Internet’s System of Unique Identifiers

“The United States Department of Commerce has clearly signaled that multi-stakeholder management of the Internet’s system of unique identifiers is the way ahead and ICANN is the obvious organization to take that responsibility,”

- ICANN will no longer have its work prescribed for it. How it works and what it works on is up to ICANN and its community to devise;
- ICANN is not required to report every 6 months as it has been under the MOU. It will now provide an annual report that will be targeted to the whole Internet community;
- There is no requirement to report regularly to the DOC. The DOC will simply meet with senior ICANN staff from time to time.

“The ICANN model of multi-stakeholder consultation is working and this agreement endorses it.”


No requirement to report to the Department of Commerce, they can just come over for drinks every once in a while to see how things are going. “Multi-stakeholder consultation” makes me wonder where ICANN is getting its funding. Strangely enough, the federal funding for ICANN seems to be incompletely listed.

ICANN Funding

It is unclear from the above paragraph whether ICANN inherits IANA’s self-proclaimed mandate of ‘Preserving the central coordinating functions of the global Internet for the public good.’ However, it would appear that it is in a good position to assert end-users should be willing to pay. If they are not, then the internet should be allowed to fall apart. Certainly the regulatory authorities who have largely stepped aside to allow this experiment to happen ‘would like to see an economically rational and practical charging system – a contribution per name registered for example.’ Therefore ICANN devises a funding scheme that not only takes account of intermediary functions, but goes directly to the beneficiaries of the connectivity ICANN preserves and asks them for a contribution appropriate to the value of their benefit. ICANN provides security and stability. What is the price of that stability and security? What further can ICANN do to provide these services? It is in terms of the above argument that, apart from registry contributions, well-wisher contributions (disallowed as political contributions long-term?), we devised a quadripartite funding plan which can draw income from the end-user services ICANN provides. However it is not suggested that ICANN, in its not-for-profit guise, should operate these income streams directly -this would hazard the not-for-profit status of ICANN and threaten its mandate-, but that it be an agreed beneficiary on a cost-recovery basis, whilst any other pooled income accrues to intermediaries pro rata.


So now, I believe, the question should be: “Can the World Take The Internet From the USA?”

 

CzarWars Episode II: A lack of the Cojones

Written by SoVaSec on August 10th, 2009


Hathaway is out, and a game of musical chairs is being played to see who gets stuck with the undesirable position of Cybersecurity Coordinator.  There are a number of personal reasons why no one would want to take the job. Whoever is finally selected will likely be lobbying on behalf of a number of interests. They will come in with the understanding they will have no effect on the state of the nation’s cybersecurity, and use the position to influence policies that will benefit the groups he or she represents.  This comes as no surprise after several tarot readings were done asking who the cyberczar would be. At this point a hokey religion and ancient superstition seems to be just as insightful as any of the industry analysts.

I don’t think it’s necessary to go into any great detail about Hathaway’s resignation. It is important to note that she will remain at her position until August 21. This could possibly indicate a timeframe for the finalization of the selection process for her replacement. She stated that her reasons for leaving were personal. Some have suggested she may move into the private sector and work for her former boss Mike McConnell at Booz Allen Hamilton.

All of the likely czar choices are circling around trying to get seated before the music ends. Whoever is left standing will have to take the czar job. Everyone else will find themselves in various consulting positions where they can effect change, and receive a competitive salary.

The czar position is one that nobody wants. In addition to Hathaway, let’s not forget that Rod Beckstrom stepped down from his position citing fears over NSA involvement. Now the DHS cybersecurity official, Mischel Kwon, has stepped down from her position as director of US-CERT. I’m starting to wonder what the hell is going on up there in the District of Columbia. It could be that Alexander is exercising his power from the NSA to align things to his benefit. Maybe we are just wasting time waiting for the announcement of the coordinator.


Among those who told the White House thanks but no thanks, The Washington Post reports: former Republican U.S. Rep. Tom Davis of northern Virginia, Microsoft executive Scott Charney, Symantec Chairman John Thompson and retired Air Force Gen. Harry Raduege Jr., the former Defense Information Systems Agency director and co-chair of the Commission on Cybersecurity for the 44th Presidency, which proposed the White House establish a cybersecurity post that has more influence than the job Obama described.


If agency CIOs, CISOs and others responsible for securing government IT are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they’re wasting time. In reality, what will happen in the White House in the coming weeks will have little or no bearing on what agency security managers must do now to perform their jobs.

It’s not like we don’t need a fall guy, someone who can speak to the public about events like the recent electronic attacks on US and Korean networks. It’s been over two months now since the position of ‘coordinator’ was announced, and it seems like we are headed in the opposite direction of actually filling the position. Other than acting as a scapegoat, there are a number of other reasons why this is something that should have been resolved before the first of June.


•  There is a lot of money being spent on cybersecurity everyday – with no comprehensive strategy. Not only are individual agencies spending millions of dollars on cybersecurity but a highly classified, multiyear, multibillion-dollar project, approved by the Bush Administration called CNCI — or “Cyber Initiative” – had a budget of $30 billion. This initiative was implemented with the goal to secure government, commercial and critical infrastructure computer systems against foreign and domestic intruders. We are talking big bucks here. Would you as a CISO let your business areas spend on security initiatives as they please without any coordination, communication or strategy?  

•  Critical infrastructure needs immediate help. Our critical infrastructure needs help. It is antiquated, prone to viruses and worms, and people doing stupid things ultimately leading to costly disruptions in service. Add to this the potential threats associated with foreign government hackers (Electricity Grid in U.S. Penetrated By Spies) and you’ve got an urgent matter on your hands. Other critical infrastructure breaches (FAA says info on 45,000 workers stolen in data breach) and commercial data losses (Hackers Breach Heartland Payment credit card system) bring no consolation.

•  FISMA has utterly failed at securing government infrastructure. We have all come to realize that FISMA has done little to improve the security of government systems, and created an additional layer of processes and a healthy revenue stream for beltline consulting companies. The Cybersecurity Czar needs to take over the responsibility of ensuring FISMA 2.0 is in line with the current realities on the ground and is able to change the focus from “compliance” to security.  

•  Capture the momentum and excitement. I have never seen such optimism and excitement in the security industry for a government initiative. Security experts and the industry at large are offering to help in whatever capacity they can to improve the nation’s cybersecurity posture. We need to seize the opportunity and come up with a defined strategy (not high level goals and objectives) and strong leadership that can channel this energy into positive action.

•  Perception is almost as important as reality. Many people hailed Mr. Obama’s speech on May 27th as a strong warning to our adversaries that we are serious about security. The recommendations from the cybersecurity review were also heralded as the right first step. But nothing has happened since. We don’t have a plan, any specifics on how those recommendations will be implemented nor a Cybersecurity Coordinator. By not following it up with action, what message are we sending? We need to at least be perceived as taking security seriously.

I expected the response to the recent attacks on Korean and American systems to be a big wake up call. Instead of the expected Gulf of Tonkin type of response, as time has passed the coverage slowed to a trickle and finally dried up.  It seems the government and military’s incident response tactic is to sweep the event under the rug (so far as the media is concerned).    Things are going to continue to get worse, and while the real techies are hard at work trying to come up with solutions, there is no public face for America’s security solution.  


Most notably, as my colleague Robert McMillan has reported, a botnet of about 50,000 infected computers has been waging a war against U.S. government websites and causing headaches for businesses in the U.S. and South Korea.
“The attack started Saturday, and security experts have credited it with knocking the U.S. Federal Trade Commission’s (FTC’s) Web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT),” McMillan wrote, offering this quote from an unnamed DOT spokeswoman: “The DOT has been experiencing network incidents since this past weekend. We are working with the U.S. Computer Emergency Readiness Team [US-CERT] at this time.”

Meanwhile, a South Korean researcher investigating the attacks has uncovered a sizable hit list of sites in and out of government, including some high-profile targets in the banking sector.

Maybe Obama is doing the right thing. The last thing we really need is some new jerk coming in and forcing more standards on the security professionals. The czar would just be one more person in the cycle not actively pursuing a solution, and causing more work for everyone else. This factor may already be understood by the corporations and government. There have been numerous employment offers in the public and private sectors for cyber related work. We should see a workforce in the tens-of-thousands in just a couple of years. At which point we may actually need a ‘coordinator’ to manage the new work force.


The response at most agencies has been to turn to outside contractors to perform sensitive work. That’s led to situations such as the one at the Department of Homeland Security, where contractors accounted for 83 percent of the chief information officer’s staff last year.
The report urged the White House cyber czar to enhance training and give departments expanded authority to hire specialized talent. And it urged Congress to ramp up funding for training programs and scholarships to build a pipeline of qualified workers.

We are still left with the question of who will be the next cyber czar, the position which is officially vacant now.  At this point it seems that no one can fathom who would be willing to take the job, so a tarot reading is just as accurate in this situation as anyone’s opinion.

So what did the cards say?

•  person will be duped into it for the money and power. they will have neither
•  czar will be duped into thinking they have the power to change the world. talented and naive. a final scapegoat
•  czar has power over nothing. strong beliefs. world behind them, will seem powerful.
•  czar will be well intentioned non-noob restricted by bureaucracy and destined for failure

The czar will take the job for the money, and the power, and actually believe they can make a difference. Unfortunately there is no one so seemingly Idealistic and Naive in Washington, except for the President himself. Interestingly enough, though I was focusing on the identity of the new czar, the results give an excellent description of Obama.  
While all of that is painfully obvious in relation to the czar position, I have never seen the cards fall like that before. While an entertaining anecdote on this story, the fact remains that we are apparently no closer to finding the czar. This, however, might not be such a big deal. We already know that no one really wants the job anyway.
Names of possible candidates seem to pop up to the surface every so often.  It is difficult to determine if they are legitimate candidates, or have just thrown their names into the media for the extra attention.  My current favorite is Franklin D. Kramer.


Franklin D. Kramer:
Distinguished Research Fellow at the Center for Technology and National Security Policy.
Assistant Secretary of Defense for International Security Affairs from March 1996 to February 2001
Deputy Assistant Secretary for European and NATO Affairs from January 1996 to March 1996
Principal Deputy Assistant Secretary of Defense for International Security Affairs from 1979 to 1981
Special Assistant to the Assistant Secretary of Defense for International Security Affairs from 1977 to 1979


“Mr. Kramer is the chairman of the board of the World Affairs Council of Washington, D.C.; chairman of the Committee on Asian and Global Security of the Atlantic Council and on the Executive Committee of the board; a Capstone Professor at George Washington University Elliott School of International Affairs; and on the board of directors and board of advisers of other organizations. Mr. Kramer has been a partner with the Washington, D.C. law firm of Shea and Gardner. Mr. Kramer received a B.A. cum laude from Yale University in 1967 and a J.D. magna cum laude from Harvard Law School in 1971.”


This puts Mr. Kramer in Yale at the same time as George Bush and John Kerry. There is no specific mention as to whether he was also a member of the Skull and Bones society. His credentials make him the most likely candidate yet. He is a Washington insider, accustomed to dealing with security, and his research fellowship implies an understanding of technology. Currently he is consulting in the private sector, and is tied to the green movement by serving as director and executive vice president at “Changing World Technologies”.


Mr. Kramer has served as a director of LSI since September 2001. Since February 2004, Mr. Kramer has been an independent consultant. From March 2001 to May 2005, Mr. Kramer was a lawyer with Shea & Gardner, now Goodwin Procter LLP. Mr. Kramer served as a director of Changing World Technologies, Inc., a privately held energy and environmental service company from February 2002 to April 2006. From February 2002 to December 2003, Mr. Kramer served as Executive Vice President of Changing World Technologies. From January 2004 to January 2006, Mr. Kramer served as a consultant to Changing World Technologies. From March 1996 through February 2001, Mr. Kramer served as Assistant U.S. Secretary of Defense for International Security Affairs. Mr. Kramer currently serves on the boards of directors and board of advisors of various organizations and private companies. Since March 2007, Mr. Kramer has been an Operating Advisor for Pegasus Capital.



Pegasus identifies complex situations where financial, legal or governmental issues might deter conventional investors and creates value by exploring options like revising a business model, entering new markets, introducing new products or technologies, and entering into strategic partnerships.

This sounds like the sort of thing that would be right up the czar’s alley. Working around laws and regulations would help the Intelligence industry quite a bit.  This brings up the question as to who are the so-called ‘security experts’ that are pushing the recommendation for the czar position?  I’ve got a hunch that it’s the same people pushing for the Cybersecurity act, who stand to profit the most from this racket; the Intelligence Industrial Complex. Kramer could tie the .gov, .mil, and .com sectors together for their own benefit.


Hathaway took herself out of the running for the job, most likely because she realized that despite her qualifications, she wasn’t going to get the post. “I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change,” she told The Washington Post. “I’ve concluded that I can do more now from a different role,” most likely in the private sector.
(As an aside, it’s unlikely that she’ll return to the Office of the Director of National Intelligence – where she was on loan to the White House to conduct the “60-day” review of the federal cybersecurity posture – because her “rabbi,” Adm. Mike McConnell, resigned as national intelligence director at about the time she took on the White House assignment. McConnell returned to the business consultancy Booz Allen Hamilton, where they both had worked before coming to the ODNI. Will she rejoin McConnell?)


We are looking at the return of the cold war, and we are unprepared.

 

The war on ghosts is fought with magic golden bullets

Written by SoVaSec on August 7th, 2009

There seems to be some confusion, even among security professionals about the United States command structure for cyber. Keith Alexander is not the Cyber Czar; he is in charge of the Cyber Command. For now the czar position remains vacant, as they have not found someone to take the blame for failure like Michael Brown did after Katrina. Officially there is a triumvirate assigned the duties of defending the nation and its .mil, .com, and .gov networks. However, looking at the arrangement more closely, it’s the same old circle jerk. For once I’m even going to proffer a solution.


Sec. Napolitano reinforced the fact that DOD will have the lead over the entire .mil Internet domain. For its part, DHS would lead on the .gov (non-military side of government) as well as the private sector and the .org domains as well.


Starting with Cyber Command, this is the military cyber defense group. Keith Alexander, Director of the NSA, has been made a four-star general by Robert Gates. I suppose that makes him the first ever Cyber General. This is a good example of how the future of cyber defense is going to be a hybrid of the intelligence and defense communities.

The vast majority of new government spending on cybersecurity is going to the Pentagon. The military has thousands of cyber warriors, many of whom are expected to be housed under the new command. Conveniently for Mr. Alexander, his command is likely to be next door to the NSA’s Ft. Meade, Md., campus. Somewhere an accountant’s job suddenly got easier, as most of our tax money is being funneled into the same accounts. Intelligence, kinetic, and cyber wars fight asymmetric ghosts with golden bullets.

Not all Cyber Warriors will be vaulted away in Maryland. Cyber Command also takes control over existing military groups with similar missions, including field units. Before the first bullets fly, soldiers on all sides will be attempting to compromise their opponent’s netcentric equipment. Tracking and targeting equipment will be turned against its masters. UAVs will be hijacked and controlled by the enemy. Electronic subterfuge will give away your position and force size, while offering the option to create the false digital footprint of nearby reinforcements.


Though the group does not have computer programmers in their ranks, they figure to be involved with physically deploying assets to defend communications lines against hackers. Simply put, the 5th Combat Communications Group will be the deployed arm of America’s cyber defenses.
Training will include how to design, secure, assess, exploit, attack and defend various communication networks, including telephones, Internet protocol, satellite, land mobile radio, industrial control systems, integrated air defense and tactical data link.


The position of cyber czar remains vacant. It is no wonder Melissa Hathaway has stepped down, removing herself from the position of Cyber Czar. It seems that most people approached do not want the position, and most analysts agree that the czar will have no real power.


As to the role of the newly created White House Cyber Security Advisor, this individual (when named/selected by the President) will play a “purely coordination” role and not be “operational” in any way.
“If there are policy issues to be resolved, [the White House Cyber Security Advisor] will be there to do that.”

Regardless of who becomes the figurehead for White House cyber security, the DHS will be responsible for securing government systems, specifically those related to the executive office. Essentially, or officially, there will be the electronic equivalent of FEMA (Fails to Effectively Manage Anything). Instead of just responding to an emergency in a timely manner, a mountain of red tape will have to be moved before the first action is taken.

Homeland Security will also be directing the activity of the commercial sector. Not only will they tie their own hands, but through the usual methods of standards and compliance they will force industry into a sort of stagnation. Even now it has gotten to the point where many people spend more time filling out paperwork than they do performing the tasks for which they were hired.
The commercial sector, which owns and operates much of the information infrastructure, will be directed by Homeland Security. Private sector areas like utilities will be required to maintain compliance with Homeland Security instructions. So while these services (for the moment) are not directly under government control, they still must obey their master, the almighty contract.

Essentially the same corporations involved in the military industrial complex are now developing hardware for the military and government Cybersecurity programs. In return they will continue to receive lucrative government contracts. In the fine print of these contracts will be the agreement to comply with standards set by the government. This could cause a situation where the corporations are effectively ‘tanked sharks’. In this scenario the normal predatory nature of the corporation is replaced with the complacency of daily feedings. Growth will be stunted by the lack of natural environmental competition. Over time fresh blood (in the form of new ‘hacker’ recruits) will increasingly be required to stimulate the operation. Eventually, this will oversaturate the system, causing it to fail. The bottom line here is the government’s Cybersecurity plan is doomed. It is destined for failure, and ripe for abuse.

This is the point in the story where you are expecting me to tell you what we can do about it. The answer is nothing. Cybersecurity is a big moneymaking circle jerk. If anyone went around fixing problems, and putting people out of jobs, they’d probably be shot by magic bullets. The natural alternative, a constructive answer to ‘what are you going to do about it’, is the suggestion of development of a sort of grass roots security movement. A sort of cyber militia, organized at the local and state level. People within the community holding weekly meetings to discuss the common defense of their neighbors, and maybe gathering regionally on a monthly basis, state wide on a yearly basis, and nationally every other year. Obviously to keep people entertained there would be competitions and contests, prizes, and fun for the whole family.

Why is this the best solution?

Doing things for ourselves is always the best way. The adoption of a Swiss Army model adapted for Cybersecurity will give every household the training necessary to protect themselves at the personal level from cyber threats. This training would carry over into their professions, integrating it into our culture from the ground up, as opposed to being forced upon us from the top down.

The government has put the corporations in charge of our civil cyber defense, which is tantamount to putting a shark in charge of the fish tank. They only see us as something to feed on. In theory we the people are responsible for the actions of the government, but the stockholders can usually buy enough people to maintain the status quo.


Sources:

http://securitydebrief.adfero.com/pen-and-pad-session-with-the-secretary/ (missing?)

Keesler to train for Cyber Command

Military Command Is Created for Cyber Security

Robins unit set to defend America’s cyber systems

 

CyberInsurgency – A True Story

Written by SoVaSec on July 24th, 2009

One nation under martial law, the military stands guard against the population. This follows days of protest by many who feel the results of the recent election were fabricated. The voice of dissent is publicly silenced with lethal force. Terrestrial and satellite signals are jammed, including cell phones and foreign broadcasts. The modern police state, a heavy net of surveillance monitors all domestic communications. In a series of arrests hundreds of people become political prisoners. Authorities raid media outlets, journalists are beaten as their equipment is confiscated. In an effort to dilute the information that leaks out of the country, the military has its own legion of users creating thousands of propaganda blogs. Despite this opposition, protest continues.

The riots continue today, a month after the election.  Protesters clash with troops who respond with tear gas.  In undisclosed locations, skilled technologists formed loose alliances to assist the people.  Their goals are as simple as educating people in the use of encrypted communications and services providing anonymous network routing.  This offers civilians a chance to send information securely, and speak their minds without fear of repercussions. 

Government restrictions have been well established. The public is allowed only a limited connection; access has been restricted to 128 kilobytes per second. Their traffic thoroughly inspected, routed into proxy servers, the content filtered, websites are blocked, and services rendered unreachable. Dissenting opinions are intercepted, and confirmed with torture and silenced by death.

In public channels outside of the country, people of various ideologies work together. Unable to free the citizens of that country from physical oppression, they hope to at least provide a means of communication. From around the world they have gathered to brainstorm new ways for the oppressed to maintain access to public web services. Political opinions put aside, a diverse group of people discuss various methods of circumventing control systems.   

Having stumbled into one such meeting of the minds, I recognized it as a rare opportunity to observe and participate in an electronic insurgency. Though the subject was serious and the consequences of failure well understood, the discussion mostly remained technical in nature. This separation from the human aspect of the crisis was enough to allow for the sort of wild creativity that seems to come naturally to successful people. For example, the suggestion of utilizing enigma machines transmitting over Morse code is not the simplest solution. However, it is the idea that is an engine for a train of thought that could eventually arrive at some new solution. In the end, it was not necessary to reinvent the wheel, and the focus turned towards how to spread existing encryption and privacy technology. The solution must be easy to understand and implement by people with limited technical skills.

Instructions were provided to use FirePGP in combination with GnuPG to send and receive encrypted emails in Gmail. Once their messages are secure, the correspondents require a method to protect their identities. Squid and Tor proxy server software were suggested to anonymize the traffic. Additional details are available for the operation of a Tor relay, with the goal being to prevent the government from locating sources of information. Other systems are under development to offer civilians access to open communications channels outside their country, and away from the control of their regime.

It was several days after the election before the mainstream media started its coverage. CNN was using information from Twitter, from ultimately unverifiable sources.  A psychological operation was under way to influence the rest of the world, and confuse or expose insurgents using the service. Acting as a live forum for dissent, Twitter was asked by the US State Department to delay scheduled maintenance in order to prevent a possible outage.

This is the story of an international community working together to promote freedom of speech, and private communications in Iran. Public dissent is an event that most governments including the United States have plans to suppress. They too monitor civilian communications for threats against their authority. Protest has already been caged into ‘free speech zones’. Similar to Iran’s jamming of communications, Executive Orders exist in the United States giving the government the ultimate authority over everything including transportation routes, communications, and even the civilian population who could be used for labor. The planning behind readiness exercise 84 (REX84) shows the government is willing to use its power to detain people who question their authority. Studies such as Operation Cyberstorm show that the United States and its allies are already preparing to defend against activist computer operators, foreign and domestic. Coming legislation, if passed, would require a license to practice computer security. This could classify some unlicensed technologists as terrorists, where they would be no better off than their colleagues in Iran just trying to get an unapproved message out to the world.

Sources:

Martial Law in Tehran-Monday June 29th 2009

U.S. satellite feeds to Iran jammed :: InfoWar Monitor :: Tracking Cyberpower

Iran blocks TV, radio and phones – but web proves more difficult | Technology | guardian.co.uk

Mousavi’s wife blasts arrests | Philadelphia Inquirer | 07/24/2009

More than 500 remain in prison, including many top politicians from pro-reform political parties, human-rights lawyers, journalists, and activists

Google Translate

This week a letter sent to the 10 thousand to 10 thousand blog mobilization base in commissioning and production of the “Mhtvahay value” is the Internet space.
http://www.bbc.co.uk/persian/iran/2008/11/081119_mg_basij_filtering.shtml (original link)

Greenwave Info

dedicated to spreading useful information about the current protests in Iran.

Iran | OpenNet Initiative <–very comprehensive and informative.

Iran continues to strengthen the legal, administrative and technical aspects of its Internet filtering systems. The Internet censorship system in Iran is one of the most comprehensive and sophisticated in the world. Advances in domestic technical capacity have contributed to the implementation of a centralized filtering strategy and a reduced reliance on Western technologies. Despite the deeply held commitment to regulating Internet content, authorities continue to be challenged in their attempts to control online speech. Political filtering related to the 2009 presidential campaign, including the blocking of Facebook and several opposition party Web sites, brought renewed attention to the role of filtering in Iran.

pastebin – FirePGP tutorial – post number 1465774

Instructions on how to use the Firefox extension, FirePGP, in combination with GnuPG, to send and receive encrypted emails in Gmail.

rbox

rbox: Squid proxy server

rbox-tor: easy to use Tor server

Tor: Relay Configuration Instructions

Configuring a Tor relay

Twitter Retains Spotlight in Iran Coverage – Digits – WSJ

Another delay is being requested, this time by the State Department

NedaNet Resource Page

resource page for NedaNet, a network of hackers formed to support the democratic revolution in Iran.

NSA Spying | Electronic Frontier Foundation

The U.S. government, with assistance from major telecommunications carriers including AT&T, has engaged in a massive program of illegal dragnet surveillance of domestic communications and communications records of millions of ordinary Americans since at least 2001.

Executive Orders | Bill Clinton’s Executive Order 12919

EXECUTIVE ORDER 12919

Rex 84 – Wikipedia, the free encyclopedia

Rex 84, short for Readiness Exercise 1984, is a plan by the United States federal government to test their ability to detain large numbers of American citizens in case of civil unrest or national emergency.


http://cryptome.org/cyberstorm.pdf

National Cyber Exercise: Cyber Storm
National Cyber Security Division

GovTrack: S. 773: Text of Legislation, Introduced in Senate

(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

 

Privacy to PreCrime

Written by SoVaSec on July 9th, 2009

 

When the NSA assumed control of the Cyber Command, it stirred up many privacy concerns. As most know, they have been intercepting domestic communications for some time. While some people are worried about their phone and email conversations being recorded by the government, the other g-men at Google are doing the exact same thing. Of course deleting your Gmail account only prevents you from accessing the information; deleting your account at the NSA will get you a free vacation to Cuba for waterboarding lessons.

 

Throughout your life, little pieces of information are gathered and accumulated. Your profile is constantly amended as data volunteered by yourself is automatically correlated.  Every time someone forfeits some morsel of information, that data is forever public.  This material goes into a database, the security of which will be compromised at some point. We could blame the corporations when they experience a security breach, but honestly who’s at fault for supplying them with the information to begin with?

 

If we are to address privacy concerns, then it is hypocritical to start the finger pointing with the NSA. Thanks to popular social networking sites,  people are willing to give away the most important details of their lives.  It is this very ignorance of the overall value of information that creates risk on a number of levels. Police officers only require a name and date of birth to positively identify most people. The same details can be used by criminals.  Think about that the next time someone mentions their birthday. If that person has their real name associated with the statement, then all of the facts required to build an extensive profile have been provided.  Such a profile, for example, could be used by a criminal to assume an identity, manipulate a person into revealing more information, or even pose a physical threat.  This same method could be used to launch attacks from within an organization through the user. Imagine a sort of phishing attack that affects the user at home. They enter into correspondence via email with a criminal posing as an old friend.  The employee continues this correspondence at work on the company computer. Since the employee feels safe, they are willing to click links, or even download files.

 

There is a whole industry based on gathering data about consumers, and using their personal details for marketing. The obvious signs of this are places like Amazon that recommend items based on site history.  What does your Amazon account say about you?  I don’t buy into that line about “if you’re not doing anything wrong, you don’t have anything to hide”. Would you invite someone into your house to create a behavioral profile based on your possessions?    Just about everything you do reveals some detail about your life.  For example, when you go to sleep your inactivity is noted. Just by looking at your social network updates anyone can know what your sleeping habits are, and possibly where you sleep.  Everything you do is recorded, cataloged, correlated, psychologically analyzed, and put up for sale. The biggest customer for this information is the Federal Government, and because these databases are private, the Freedom of Information Act does not apply.

 

In the past it was common for people to keep their private names and public names separate. In Homer’s Odyssey, Ulysses used a clever name to avoid unwanted attention from the other Cyclopes after blinding Polyphemus. In Christian mythology, God gives Adam the power to name the animals, and so he had some power over them. What of the clever goblin Rumpelstiltskin who allowed the miller’s daughter to renege on a deal by giving her a chance to guess his name? When I first started in networked computing, one of the first things we learned was to contrive a ‘handle’, a pseudonym under which we would carry out our online activities. Today, it seems, people view this as an act of cowardice, or become suspicious of the motivations behind concealing one’s identity. It wasn’t a hacker thing, it was standard operating procedure. There is no such thing as anonymous internet usage. The best people can do is become aware of how much privacy has already been lost, and do what they can to hold on to its shredded remains. It’s not about assuming a new identity, it’s about protecting privacy. Today people online are trading their identity for an illusion of friendship.

 

With the amount of information already in the databases, it is possible for them to know what we want before we do. Using predictive modeling, marketing companies can already forecast the likelihood of future purchases. This also means that with government access to these details, they can perform similar analysis. Psychographic profiles reveal your personal interests, activities, and opinions; when combined with demographics and other variables, it is possible to triangulate personality in the same manner as physical location. It is trivial to track the physical direction of an individual; the same is also true of their mental direction.

 

Today we have the increased use of biometric identification. It comes with the promise of security, but can pose a new privacy risk.  Clear, the airport security screening service, may be taking the data trade to a new level. The TSA approved company, which required biometric finger and eye scans, has suddenly shut down.  It is likely their database will be transferred to some other private firm which specializes in collecting biometric data.  Since they are working with Lockheed Martin, I’d suggest the database and technology will resurface as part of the new biometric authorization requirement for access to public and private infrastructure.  Unlike passwords, there is no easy way to reset your fingerprints once the database has been compromised. 


Within a few years there will be a global DNA database which will be used for a number of purposes. Utilization of the genome is so important that Francis Collins, who was responsible for the Human Genome Project, has been made director of the National Institutes of Health. If you take a look back at that psychographic profile link, you’ll notice the article was in strategy+business, which is published by Booz and Company, the global parent of Booz Allen Hamilton. A representative of Booz Allen was the one who brought to my attention the Global DNA database while giving a talk titled “Hacking the Genome” at a computer security conference. Booz Allen is interested in developing psychological and genetic databases; they are also one of the main contractors for organizations such as the NSA. This sort of database, combined with genetic screening, could lead to the ability to determine much of the future of an unborn child. While this has its merits, like any other system it can be abused. If not kept in check, it could lead to the reincarnation of the eugenics movement of the last century, which was forced to re-brand after WWII because of its popularity within the leadership of the German National Socialist party as part of their platform for world domination.

 

Welcome to the Brave New World!

 

 

Harris Cybersecurity Power Lunch – National Press Club

Written by SoVaSec on June 29th, 2009

SoVaSec goes to Washington

The Harris corporation held a “Cybersecurity Power Lunch” at the National Press Club in Washington DC. The power lunch featured a panel consisting of Tom Davis, Dale Meyerrose, and James Bamford.

First I’d like to thank Harris corporation for hosting the panel, and providing the excellent box lunch and sparkling water.

The stated purpose of the event was to discuss the challenges facing the cyberczar in his first one hundred days. The panel members that were present were to offer the executive, legislative, and media viewpoints on the topic. However, General Meyerrose and Congressman Davis are both working for private industries which stand to profit from hyping cyber threats. So in essence only the intelligence industry and the media were represented.



Tom Davis  “undefeated and unindicted”

Davis joked about there being no Senate confirmation for the cyberczar, saying “once they get named they won’t have to worry about if they paid their taxes or not”, referencing the number of politicians with unpaid taxes. He also stated “one thing I would note in this town is that if there is a crisis then things can move pretty quickly”. This seems to be a common mindset: using a perceived crisis to accomplish some goal, following the same Hegelian dialectic of problem, reaction, solution. Davis mentions a ‘cyber Pearl Harbor’; this perceived crisis is the problem for which a predictable reaction will facilitate an already prepared solution. In this case the threat of cyberterrorism, hyped to the public, will justify the continued defense spending. This spending will go to corporations who pay Mr. Meyerrose and Mr. Davis to go on national press tours such as this one.


James Bamford “once information comes into the United States, or goes through the United States, the NSA plays a role”
“the problem is having deep packet inspection into not only foreign communications, but domestic communications as well”


Mr. Bamford made an accurate prediction stating the director of the NSA would be put in charge of CyberCommand, which happened recently with the appointment of Lt. Keith Alexander. Bamford expressed his concern a number of times in regards to the NSA’s abuse of power. His solution was the creation of a powerful role for the cyberczar. This position would be above the NSA and other organizations, including privacy advocates. Mr. Bamford also noted the media hype which surrounds the terms “cyber” and “terrorism”.


Dale Meyerrose
“we’re going to look at offensive and defensive differently, it’s going to be desirable and undesirable outcomes….stealth will replace the ideas of offense and defense”

General Meyerrose was able to speak at length and say absolutely nothing, a testament to his career in Washington. As the former Chief Information Officer to the Director of National Intelligence, he is quite skilled at revealing nothing of value when questioned, though near the end of the event he allowed himself to pontificate for just a moment. 

Has cyber so fundamentally changed our culture, and the nature of how we can rule / legislate ourselves that we need another Hoover commission, or Hoover like commission to reorganize the entire executive branch.

The idea is that, in the middle of the 20th century it became obvious that the agrarian setup of particularly the executive arm of the government, was no longer able to deal with the industrial jet age governing of the country.

Has cyber fundamentally changed that that we need another Hoover like commission, and if not when will that happen?

When we go past the elbow in the curve, when will we realize that we should have done that last year or the year before?

I suppose it is no surprise that the attending press were asking non-technical questions. When Davis was asked directly if he had been interviewed for the position of cyberczar he began to literally squirm in his seat, fondling items on the table in front of him like a poker player with a bad tell. Finally he mumbled something about the question being evasive and not understanding it. I think this illuminates my overall impression of the event. Harris got its self-promotion, and the media got their big cyber stories for the week.

There were several questions I had prepared, but given the format of the event did not have a chance to ask. After I asked my initial question to Meyerrose regarding the supply chain vulnerabilities, his communication director seemed to be in a hurry to relieve me of the microphone. I did manage to get off one more question to Mr. Bamford regarding the possibility of John Poindexter reappearing to have a show on FOX called ‘cyber-war stories’ with his old pal Ollie North. Had Davis not weaseled out of the rest of the event, I intended to ask about his opinion of foreign financiers owning intelligence consultants, such as the Carlyle Group’s recent purchase of Booz Allen Hamilton. Meyerrose mentioned the blurring of the line between the domestic and foreign paradigm. Who could benefit more from this than the NSA having legal international wiretapping abilities, and his corporation which provides international communications technology?

In closing, a question I was asked to relay to Mr. Davis:

“What civilian assets should be federalized, how do they really think we should prioritize protection?”

 

CzarWars Episode 1 – The Phantom Finance

Written by SoVaSec on June 24th, 2009

CzarWars Episode 1 – The Phantom Finance

First of all we need to define the various compartments of network security. There is the Military/Government sector; the DOD is responsible for defending these systems. There is the public government infrastructure, which the DHS will be in charge of defending. There is the private sector, which is responsible for defending itself. Mixed in with this is the general protection of the people, which will come in the usual form of software developed by the private sector.

The announcement has not yet been made for the new cybersecurity coordinator, though there are many choices, and much speculation. I’ll add to it with my own observations. All of the choices will be from one of the 3 sectors who have a stake in the cybersecurity plan. Whoever is selected will show what lobby has been successful. The DOD has stated repeatedly they have no interest in backing the position. That leaves the DHS and big business. It gets a bit complicated because the DHS also has a close private-public collaboration. So the distinction again needs to be made that there are two levels of defense here. The DHS, while responsible for civilian infrastructure, only takes responsibility for the systems that are government critical. The rest of the work, dealing with what their CISO calls the standard internet pollution, will go to some of the big names in public security, meaning the responsibility to protect the people will be left to Anti-Virus vendors, and Microsoft. The person who is selected should have an existing understanding of current national security policy. This would rule out the representatives from a strictly business background. The new cyber coordinator will most likely be someone from inside government, or someone who has recently gone into the private government consulting sector. Before I continue I should mention Keith Alexander is rumored to be head of the new [cyber]command, but this is not the czar position. Melissa Hathaway already holds a similar White House position, and it is possible that she could receive the promotion – though I get a sense of reluctance either from her, or on the part of the White House. What we have left is Fred Kramer, the former assistant defense secretary for international affairs under President Clinton; Paul Kurtz, an Obama advisor who served in the National Security Council under Bush and Clinton; Maureen Baginski, a former FBI intelligence leader; and Tom Davis.

To update this a little bit, Alexander was selected as head of the CyberCommand, and Tom Davis has expressed that he is quite comfortable in his new position in the private sector; he mentioned he was lucky to get out without an indictment, and has no plans to return. Davis did act quite nervous when confronted about the position, so it is possible he already has been confirmed and is playing the denial game until the president makes it official.

The cybersecurity coordinator will need to have a technical enough background to understand the details of security recommendations. This person will then need to be able to translate the recommendations into terms that the president can understand, as well as pass them along to the Secretary of Commerce, who can choose to request funding from the OMB. The cyberczar might not have direct power to make changes, but the position is an important one. There is definitely a need for a coordinator to facilitate between the public-private partnership and the Executive Office of the President: someone who already has a good understanding of national security, technical knowledge, and political ability. I’ve made my pick based on the current choices, so if they pull someone out of left field, don’t hate.

Paul Kurtz is an Obama advisor who served in the National Security Council under Bush and Clinton; he has been in the White House for long enough to know its politics. Kurtz is also one of the people quoted in the findings on which the Cybersecurity Act was drafted, saying “the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector’”. Here is a person that fits my criteria: he is technical, political, and possesses an overwhelming desire to over-hype the cybersecurity threat with the understanding that it will create revenue for his and others’ private interests. It’s all about the money. If you check out the consulting team Paul B. Kurtz is on, it’s also about the cyber-FUD.

-I don’t want to leave out Maureen Baginski as a possible choice, since the current administration seems to be about equal opportunity employment, breaking barriers, etc. Baginski is a career NSA gal who was tapped by FBI Director Robert Mueller to reform the FBI’s handling of domestic intelligence. It was suggested that major restructuring within the government might be required to integrate ‘cyber’ as a separate but equal department.-

 

CyberWar is a Racket

Written by SoVaSec on June 15th, 2009

Inspired by ‘War is a Racket’ by Maj. Gen. Smedley Darlington Butler, U.S.M.C.

CyberWar is a Racket

Under the threat of war, the cost of defense is never too high. A nation is under significant obligation to protect its investments wherever they may be. What we see now is the transition from physical to electronic defense. The United States is returning to Cold War status. In preparation for this the advancement of technology and the power of the intelligence community is of the foremost importance. In order to maintain a position of dominance, the government must sustain its partnership with wartime industry. Through a metamorphosis of the “military industrial complex” into a new “intelligence industrial complex”, this accomplishment can be witnessed. The ever present fear of terrorism will still be used as justification for sustained engagement. The new terrorist threat comes from what the media refers to as hackers.

The United States’ trade deficit is in the trillions of dollars. The nation must possess assets which it uses to back the value of money sent overseas. China, for example, has accumulated a surplus of US currency. The deficit exists due to the lack of goods being sold in return. These dollars are then stockpiled or used to buy fuel. The oil cartel uses this petro-dollar as the international rate of exchange. There is already discussion to take the world off of this standard. The dollar has already been abandoned in places where once it was used as a common currency. The United States needs to be ready to compete in the global market, or in default will continue to forfeit property as payment. If the international oil standard were to shift from the dollar, the American economy could be crushed. Places like China would have no reason to continue accepting currency from the United States as a form of trade. In order to continue doing global business, and maintain the standard of living for most Americans, the United States would need to find an acceptable financial solution. It would be necessary to provide a product or service which can be sold on the international market.

With a shift of strategy by the public-private sector, there is the beginning of what could be a record breaking transition. The same corporations, agencies, and institutions which traditionally have been government contractors understand this move, and are shifting production accordingly. International finance, which in the past has funded one or more sides of various conflicts, is already buying into this new deal. With the new President and his many supporters, the official war should be concluded soon. Although there will always be justification for troops stationed around the globe, much funding for war expenses would no longer be necessary. The companies which produced the equipment, supplied the fuel for the machinery, and paid the workers, would be looking at a massive drop in revenue. To compensate they will begin to offer services in line with the new focus on infrastructure protection. War profits can be an increase of 7856% over peace time. That is a real historical figure of seven-thousand eight-hundred and fifty-six percent. Profit is the only motivation for the existence of a corporation. Existing funding could be redirected towards new projects and a new war. A nation needs a real or fabricated threat to justify taxation to its people, for the necessity of its defenses. In Orwell’s 1984 we saw Emmanuel Goldstein as the fictional ‘enemy of the people’. The character was a phantom used to justify the actions of the state. Some would say there is a modern analogue to the Goldstein character.

It is claimed that Tim Osman, in only 30 years, was partly responsible for the near collapse of not one, but two world empires. He has never been permanently detained despite a concerted global effort. In fact, he taunts the world by sending recordings of himself to media outlets, which use his image as a rallying symbol of fear comparable to Orwell’s construct. It is hard to imagine how a person in need of regular medical attention can evade the world’s most advanced intelligence gathering network, and continue to avoid capture. A sufficiently disruptive electronic attack would be an excellent pretense to create a new phantom enemy. Sophisticated attacks on domestic infrastructure by unknown foreign entities could easily be sold to the people as ‘the cost of war hitting home’, against enemies which must be defeated ‘at any cost’. Create a little fear, combined with nationalism, and a popular charismatic leader, and one can accomplish almost anything through the mob mentality.

Operation Cyberstorm has introduced us to the next generation of hypothetical threats. These new terrorists are individuals and groups of technically skilled people. United by a popular voice of dissent, these groups have formed a loosely knit alliance with a common goal of disrupting the global economy. There are individual actors, the known unknowns, who may assist and possibly increase the severity of an electronic attack. To defend the global financial system and domestic infrastructure, the federal government partnered with private industry, and is spearheading the effort to crack down on criminal activity within these groups. It is not an eAl-Qaeda, or the iTaliban; the new terrorists are hackers. They are the poltergeist in the machine: whenever there is a disruption in internet service, or a random power outage, or any other system the public has come to depend on is interrupted, there will be suspicion and speculation as to the root cause. If a server catches fire in Phoenix, or suzie1865 can not get to her mytwitterface account, someone is going to cry wolf. When this occurs the justification for more funding is shown to be necessary, and the cycle of funding continues. Operation Cyberstorm was not focused on international state sponsored crime, or independent groups of foreign nationals conducting espionage, though these are the fears represented in the recent legislation and government reviews. The very intangible nature of cyber-bogeymen provides the vagueness needed to justify any measure of prevention, or manner of retaliation.

It is possible that we could see the war funding re-purposed for the improvement of infrastructure, the advancement of technology, and the defense of communications networks. These billions of dollars will continue to flow into the same hands. The nature of security allows the defender to only divulge knowledge when it is to their advantage. The knowledge of potential threats, or even past incidents, is just another form of information which could be released for profit. When the industry shifts from traditional combat to electronic engagement, the resources allocated would create a world class institution. The heavy corporate involvement will open up the opportunity for those holding a large number of dollars to trade them in. The sale of data, proprietary and patented new technologies, and accompanying services, would create an outlet for stockpiled petro-dollars.

However, this is not the end of physical combat. With industry there is the necessity for natural resources; the foreign and domestic sources of these materials would continue to require physical protection. To protect against supply line attacks involving sabotaged materials, increased international oversight would be required at these facilities, which produce today’s high-tech components. Government contractors will supply both electronic and physical security to protect their assets. Tax money is used to fund corporations which are not interested in or obligated to protect people’s rights. By partnering with the private sector, the government has relieved itself of much responsibility to the people. This responsibility is transferred to the private sector, which only has the single minded goal of increasing its own profit. This could explain why corporate representatives testify before Congress to the need for the very services they provide. The agencies which use their services sit alongside them in agreement. This gives the illusion of a clear and present threat which must be eliminated as soon as possible.

The corporations are lined up with their hands out for increasingly larger slices of the federal pie. Sadly, with the lack of resistance and competition, there will be no organic incentive for innovation. Like a pack of wolves they will only destroy each other fighting over the scraps. Those who rely on the contracts to continue operation are forced into compliance for their ration, forever submitting to the alpha of the pack. The market would not be free, and likely would eventually create a situation where it will be too hollow to support itself and collapse, leading to a very real threat to national security. On the other hand there is a great risk of the continued creation of a technocratic fascist state, in which we would see constant and holistic surveillance to protect against foreign or domestic threats, among which, the government itself admits, is public dissent. America was founded on the principle of dissent against tyranny. It is a patriotic duty to question the motivations of government. Technology can be the key that sets us free, or the yoke under which the many exist to serve the few.

With the end of the war, the media will further turn its attention to programming which numbs the mind. Without the constant reminder of the hellish nature of war the protesters will slowly go away. When the international terrorist computer criminals allegedly cripple some piece of critical infrastructure, and the justification for increased spending becomes a reality, the new victims of war will not draw the public sympathy as do dead and dying soldiers in the field. When the power grid is compromised, or restrictions are placed on internet usage, even the anti-war crowd will stand behind the government looking for justice against the terrorists which have caused their inconvenience. The intelligence assurance community, a government and corporate body, would expand as protectorate of the national electronic infrastructure.

Anyone who operates critical equipment, including networks of computers, will be biometrically catalogued. Some existing uses of similar government systems also employ operators in real time remote connection monitoring, as a security measure to ensure the validity of the information transfer, and that standard protocols are being observed. Most domestic communications are intercepted and recorded by the intelligence agencies at various points in the network. Private companies index this information, protecting it from Freedom of Information Act requests. Like so many baseball cards, profiles are bought, sold, and traded.

Information is the new currency. The data centers are the new vaults, the processing facilities the new banks. Where there are banks there will always be robbers. Where there are robbers there will always be lawmen to make pursuit. In their way are things like privacy, the Constitution, and international boundaries. The intelligence agencies are more than willing to put themselves above the law when it suits them. Their collaboration with the private sector gives them special access to infrastructure, which they have already shown the willingness to abuse. Unlike land, gold, and oil, persons and their information are renewable resources, so this new market has infinite growth potential.

 
