Booz Allen Hamilton

CzarWars Episode II: A lack of the Cojones

Monday, August 10th, 2009

Hathaway is out, and a game of musical chairs is being played to see who gets stuck with the undesirable position of Cybersecurity Coordinator. There are a number of personal reasons why no one would want to take the job. Whoever is finally selected will likely be lobbying on behalf of a number of interests. They will come in with the understanding that they will have no effect on the state of the nation’s cybersecurity, and use the position to influence policies that will benefit the groups he or she represents. This comes as no surprise after several tarot readings were done asking who the cyberczar would be. At this point a hokey religion and ancient superstition seem to be just as insightful as any of the industry analysts.

I don’t think it’s necessary to go into any great detail about Hathaway’s resignation. It is important to note that she will remain at her position until August 21. This could possibly indicate a timeframe for the finalization of the selection process for her replacement. She stated that her reasons for leaving were personal. Some have suggested she may move into the private sector and work for her former boss Mike McConnell at Booz Allen Hamilton.

All of the likely czar choices are circling around trying to get seated before the music ends. Whoever is left standing will have to take the czar job. Everyone else will find themselves in various consulting positions where they can effect change and receive a competitive salary.

The czar position is one that nobody wants. In addition to Hathaway, let’s not forget that Rod Beckstrom stepped down from his position citing fears over NSA involvement. Now the DHS cybersecurity official, Mischel Kwon, has stepped down from her position as director of US-CERT. I’m starting to wonder what the hell is going on up there in the District of Columbia. It could be that Alexander is exercising his power from the NSA to align things to his benefit. Maybe we are just wasting time waiting for the announcement of the coordinator.


Among those who told the White House thanks but no thanks, The Washington Post reports: former Republican U.S. Rep. Tom Davis of northern Virginia, Microsoft executive Scott Charney, Symantec Chairman John Thompson and retired Air Force Gen. Harry Raduege Jr., the former Defense Information Systems Agency director and co-chair of the Commission on Cybersecurity for the 44th Presidency, which proposed the White House establish a cybersecurity post that has more influence than the job Obama described.


If agency CIOs, CISOs and others responsible for securing government IT are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they’re wasting time. In reality, what will happen in the White House in the coming weeks will have little or no bearing on what agency security managers must do now to perform their jobs.

It’s not like we don’t need a fall guy, someone who can speak to the public about events like the recent electronic attacks on US and Korean networks. It’s been over two months now since the position of ‘coordinator’ was announced, and it seems like we are headed in the opposite direction of actually filling the position. Other than acting as a scapegoat, there are a number of other reasons why this is something that should have been resolved before the first of June.


•  There is a lot of money being spent on cybersecurity every day – with no comprehensive strategy. Not only are individual agencies spending millions of dollars on cybersecurity, but a highly classified, multiyear, multibillion-dollar project approved by the Bush Administration, called CNCI – or “Cyber Initiative” – had a budget of $30 billion. This initiative was implemented with the goal of securing government, commercial and critical infrastructure computer systems against foreign and domestic intruders. We are talking big bucks here. Would you as a CISO let your business areas spend on security initiatives as they please without any coordination, communication or strategy?

•  Critical infrastructure needs immediate help. Our critical infrastructure needs help. It is antiquated, prone to viruses and worms, and subject to people doing stupid things that ultimately lead to costly disruptions in service. Add to this the potential threats associated with foreign government hackers (Electricity Grid in U.S. Penetrated By Spies) and you’ve got an urgent matter on your hands. Other critical infrastructure breaches (FAA says info on 45,000 workers stolen in data breach) and commercial data losses (Hackers Breach Heartland Payment credit card system) bring no consolation.

•  FISMA has utterly failed at securing government infrastructure. We have all come to realize that FISMA has done little to improve the security of government systems, and created an additional layer of processes and a healthy revenue stream for beltline consulting companies. The Cybersecurity Czar needs to take over the responsibility of ensuring FISMA 2.0 is in line with the current realities on the ground and is able to change the focus from “compliance” to security.  

•  Capture the momentum and excitement. I have never seen such optimism and excitement in the security industry for a government initiative. Security experts and the industry at large are offering to help in whatever capacity they can to improve the nation’s cybersecurity posture. We need to seize the opportunity and come up with a defined strategy (not high level goals and objectives) and strong leadership that can channel this energy into positive action.

•  Perception is almost as important as reality. Many people hailed Mr. Obama’s speech on May 27th as a strong warning to our adversaries that we are serious about security. The recommendations from the cybersecurity review were also heralded as the right first step. But nothing has happened since. We don’t have a plan, any specifics on how those recommendations will be implemented, nor a Cybersecurity Coordinator. By not following it up with action, what message are we sending? We need to at least be perceived as taking security seriously.

I expected the response to the recent attacks on Korean and American systems to be a big wake up call. Instead of the expected Gulf of Tonkin type of response, as time has passed the coverage slowed to a trickle and finally dried up. It seems the government and military’s incident response tactic is to sweep the event under the rug (so far as the media is concerned). Things are going to continue to get worse, and while the real techies are hard at work trying to come up with solutions, there is no public face for America’s security solution.


Most notably, as my colleague Robert McMillan has reported, a botnet of about 50,000 infected computers has been waging a war against U.S. government websites and causing headaches for businesses in the U.S. and South Korea.
“The attack started Saturday, and security experts have credited it with knocking the U.S. Federal Trade Commission’s (FTC’s) Web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT),” McMillan wrote, offering this quote from an unnamed DOT spokeswoman: “The DOT has been experiencing network incidents since this past weekend. We are working with the U.S. Computer Emergency Readiness Team [US-CERT] at this time.”

Meanwhile, a South Korean researcher investigating the attacks has uncovered a sizable hit list of sites in and out of government, including some high-profile targets in the banking sector.

Maybe Obama is doing the right thing. The last thing we really need is some new jerk coming in and forcing more standards on the security professionals. The czar would just be one more person in the cycle not actively pursuing a solution, and causing more work for everyone else. This factor may already be understood by the corporations and government. There have been numerous employment offers in the public and private sectors for cyber related work. We should see a workforce in the tens of thousands in just a couple of years. At which point we may actually need a ‘coordinator’ to manage the new work force.


The response at most agencies has been to turn to outside contractors to perform sensitive work. That’s led to situations such as the one at the Department of Homeland Security, where contractors accounted for 83 percent of the chief information officer’s staff last year.
The report urged the White House cyber czar to enhance training and giving departments expanded authority to hire specialized talent. And it urged Congress to ramp up funding for training programs and scholarships to build a pipeline of qualified workers.

We are still left with the question of who will be the next cyber czar, the position which is officially vacant now.  At this point it seems that no one can fathom who would be willing to take the job, so a tarot reading is just as accurate in this situation as anyone’s opinion.

So what did the cards say?

•  Person will be duped into it for the money and power. They will have neither.
•  Czar will be duped into thinking they have the power to change the world. Talented and naive. A final scapegoat.
•  Czar has power over nothing. Strong beliefs. World behind them, will seem powerful.
•  Czar will be a well intentioned non-noob restricted by bureaucracy and destined for failure.

The czar will take the job for the money, and the power, and actually believe they can make a difference. Unfortunately there is no one so seemingly idealistic and naive in Washington, except for the President himself. Interestingly enough, though I was focusing on the identity of the new czar, the results give an excellent description of Obama.
While all of that is painfully obvious in relation to the czar position, I have never seen the cards fall like that before. While an entertaining anecdote on this story, the fact remains that we are apparently no closer to finding the czar. This, however, might not be such a big deal. We already know that no one really wants the job anyway.
Names of possible candidates seem to pop up to the surface every so often. It is difficult to determine if they are legitimate candidates, or have just thrown their names into the media for the extra attention. My current favorite is Franklin D. Kramer.


Franklin D. Kramer:
Distinguished Research Fellow at the Center for Technology and National Security Policy.
Assistant Secretary of Defense for International Security Affairs from March 1996 to February 2001
Deputy Assistant Secretary for European and NATO Affairs from January 1996 to March 1996
Principal Deputy Assistant Secretary of Defense for International Security Affairs from 1979 to 1981
Special Assistant to the Assistant Secretary of Defense for International Security Affairs from 1977 to 1979


“Mr. Kramer is the chairman of the board of the World Affairs Council of Washington, D.C.; chairman of the Committee on Asian and Global Security of the Atlantic Council and on the Executive Committee of the board; a Capstone Professor at George Washington University Elliott School of International Affairs; and on the board of directors and board of advisers of other organizations. Mr. Kramer has been a partner with the Washington, D.C. law firm of Shea and Gardner. Mr. Kramer received a B.A. cum laude from Yale University in 1967 and a J.D. magna cum laude from Harvard Law School in 1971.”


This puts Mr. Kramer in Yale at the same time as George Bush and John Kerry. There is no specific mention as to whether he was also a member of the Skull and Bones society. His credentials make him the most likely candidate yet. He is a Washington insider, accustomed to dealing with security, and his research fellowship implies an understanding of technology. Currently he is consulting in the private sector, and is tied to the green movement by having served as director and executive vice president at “Changing World Technologies”.


Mr. Kramer has served as a director of LSI since September 2001. Since February 2004, Mr. Kramer has been an independent consultant. From March 2001 to May 2005, Mr. Kramer was a lawyer with Shea & Gardner, now Goodwin Procter LLP. Mr. Kramer served as a director of Changing World Technologies, Inc., a privately held energy and environmental service company from February 2002 to April 2006. From February 2002 to December 2003, Mr. Kramer served as Executive Vice President of Changing World Technologies. From January 2004 to January 2006, Mr. Kramer served as a consultant to Changing World Technologies. From March 1996 through February 2001, Mr. Kramer served as Assistant U.S. Secretary of Defense for International Security Affairs. Mr. Kramer currently serves on the boards of directors and board of advisors of various organizations and private companies. Since March 2007, Mr. Kramer has been an Operating Advisor for Pegasus Capital.



Pegasus identifies complex situations where financial, legal or governmental issues might deter conventional investors and creates value by exploring options like revising a business model, entering new markets, introducing new products or technologies, and entering into strategic partnerships.

This sounds like the sort of thing that would be right up the czar’s alley. Working around laws and regulations would help the Intelligence industry quite a bit. This brings up the question of who the so-called ‘security experts’ pushing the recommendation for the czar position are. I’ve got a hunch that it’s the same people pushing for the Cybersecurity Act, who stand to profit the most from this racket: the Intelligence Industrial Complex. Kramer could tie the .gov, .mil, and .com sectors together for their own benefit.


Hathaway took herself out of the running for the job, most likely because she realized that despite her qualifications, she wasn’t going to get the post. “I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change,” she told The Washington Post. “I’ve concluded that I can do more now from a different role,” most likely in the private sector.
(As an aside, it’s unlikely that she’ll return to the Office of the Director of National Intelligence – where she was on loan to the White House to conduct the “60-day” review of the federal cybersecurity posture – because her “rabbi,” Adm. Mike McConnell, resigned as national intelligence director at about the time she took on the White House assignment. McConnell returned to the business consultancy Booz Allen Hamilton, where they both had worked before coming to the ODNI. Will she rejoin McConnell?)


We are looking at the return of the cold war, and we are unprepared.

Privacy to PreCrime

Thursday, July 9th, 2009

 

When the NSA assumed control of the Cyber Command, it stirred up many privacy concerns. As most know, they have been intercepting domestic communications for some time. While some people are worried about their phone and email conversations being recorded by the government, the other g-men at Google are doing the exact same thing. Of course deleting your g-mail account only prevents you from accessing the information; deleting your account at the NSA will get you a free vacation to Cuba for waterboarding lessons.

 

Throughout your life, little pieces of information are gathered and accumulated. Your profile is constantly amended as data you volunteer is automatically correlated. Every time someone forfeits some morsel of information, that data is forever public. This material goes into a database, the security of which will be compromised at some point. We could blame the corporations when they experience a security breach, but honestly who’s at fault for supplying them with the information to begin with?

 

If we are to address privacy concerns, then it is hypocritical to start the finger pointing with the NSA. Thanks to popular social networking sites, people are willing to give away the most important details of their lives. It is this very ignorance of the overall value of information that creates risk on a number of levels. Police officers only require a name and date of birth to positively identify most people. The same details can be used by criminals. Think about that the next time someone mentions their birthday. If that person has their real name associated with the statement, then all of the facts required to build an extensive profile have been provided. Such a profile, for example, could be used by a criminal to assume an identity, manipulate a person into revealing more information, or even pose a physical threat. This same method could be used to launch attacks from within an organization through the user. Imagine a sort of phishing attack that affects the user at home. They enter into correspondence via email with a criminal posing as an old friend. The employee continues this correspondence at work on the company computer. Since the employee feels safe, they are willing to click links, or even download files.

 

There is a whole industry based on gathering data about consumers, and using their personal details for marketing. The obvious signs of this are places like Amazon that recommend items based on site history.  What does your Amazon account say about you?  I don’t buy into that line about “if you’re not doing anything wrong, you don’t have anything to hide”. Would you invite someone into your house to create a behavioral profile based on your possessions?    Just about everything you do reveals some detail about your life.  For example, when you go to sleep your inactivity is noted. Just by looking at your social network updates anyone can know what your sleeping habits are, and possibly where you sleep.  Everything you do is recorded, cataloged, correlated, psychologically analyzed, and put up for sale. The biggest customer for this information is the Federal Government, and because these databases are private, the Freedom of Information Act does not apply.

 

In the past it was common for people to keep their private names and public names separate. In Homer’s Odyssey, Ulysses used a clever name to avoid unwanted attention from the other Cyclopes after blinding Polyphemus. In Christian mythology, God gives Adam the power to name the animals, and so he had some power over them. What of the clever goblin Rumpelstiltskin, who allowed the miller’s daughter to renege on a deal by giving her a chance to guess his name? When I first started in networked computing, one of the first things we learned was to contrive a ‘handle’, a pseudonym under which we would carry out our online activities. Today, it seems, people view this as an act of cowardice, or become suspicious of the motivations behind concealing one’s identity. It wasn’t a hacker thing, it was standard operating procedure. There is no such thing as anonymous internet usage. The best people can do is become aware of how much privacy has already been lost, and do what they can to hold on to its shredded remains. It’s not about assuming a new identity, it’s about protecting privacy. Today people on-line are trading their identity for an illusion of friendship.

 

With the amount of information already in the databases, it is possible for them to know what we want before we do. Using predictive modeling, marketing companies can already forecast the likelihood of future purchases. This also means that with government access to these details, they can perform similar analysis. Psychographic profiles reveal your personal interests, activities, and opinions; when combined with demographics and other variables, it is possible to triangulate personality in the same manner as physical location. It is trivial to track the physical direction of an individual, and the same is also true of their mental direction.

 

Today we have the increased use of biometric identification. It comes with the promise of security, but can pose a new privacy risk. Clear, the airport security screening service, may be taking the data trade to a new level. The TSA-approved company, which required biometric finger and eye scans, has suddenly shut down. It is likely their database will be transferred to some other private firm which specializes in collecting biometric data. Since they are working with Lockheed Martin, I’d suggest the database and technology will resurface as part of the new biometric authorization requirement for access to public and private infrastructure. Unlike passwords, there is no easy way to reset your fingerprints once the database has been compromised.


Within a few years there will be a global DNA database which will be used for a number of purposes. Utilization of the genome is so important that Francis Collins, who was responsible for the Human Genome Project, has been made director of the National Institutes of Health. If you take a look back at that psychographic profile link, you’ll notice the article was in strategy+business, which is published by Booz and Company, the global parent of Booz Allen Hamilton. A representative of Booz Allen was the one who brought the global DNA database to my attention while giving a talk titled “Hacking the Genome” at a computer security conference. Booz Allen is interested in developing psychological and genetic databases, and they are also one of the main contractors for organizations such as the NSA. This sort of database, combined with genetic screening, could lead to the ability to determine much of the future of an unborn child. While this has its merits, like any other system it can be abused. If not kept in check, it could lead to the reincarnation of the eugenics movement of the last century, which was forced to re-brand after WWII because of its popularity within the leadership of the German National Socialist party as part of their platform for world domination.

 

Welcome to the Brave New World!

 

S.773 – The Cyber Security Act of 2009 – part 2

Monday, June 1st, 2009

This is the second part in a series concerning the Cybersecurity Act of 2009, S.773. As per request I have broken a large single page into sections. If you liked it the other way, let me know. Please forgive my use of the term -cyber-, and any other marketing buzzwords. I’m just reflecting the terminology used.

s.773 Cybersecurity Act of 2009 part 2.


The relationship between the national intelligence agencies and the private information technology sector has long since been consummated. There exists a tight federal and private partnership, with the majority of intelligence work being outsourced from the federal level to the corporate. This legislation is nothing more than a formality. It makes the partnership public knowledge, and gives the intelligence industrial complex an official voice in the White House.

SEC. 3. CYBERSECURITY ADVISORY PANEL.

    (a) IN GENERAL- The President shall establish or designate a Cybersecurity Response Advisory Panel.
    (b) QUALIFICATIONS- The President–
    (1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
    (2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

The President will select people who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.

This is quite a broad section of potential appointees. There is no mention of how the selection process would be carried out, or what makes one person more qualified than another to serve on the panel. The President is neither qualified to carry out the selection process, nor able to comprehend the details of recommendations given to him. Instead it would be necessary to create a “National Cyber Security Czar,” a sort of interpreter to advise the President in terms he can understand, and to give the President’s speech writer terms most people can comprehend. I suspect what we will ultimately see is the creation of a new cabinet position, a ‘Secretary of Cyberdefense’. Though it seems this has already been done in the form of the National Cybersecurity Center.

US Cyber Head Quits Over Threats To Democracy

Rod Beckstrom, the head of the Department of Homeland Security’s National Cyber Security Center, said last week he would be stepping down effective March 13.

In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom said the NSA “dominates most national cyber efforts” and “effectively controls DHS cyber efforts through detailees, technology insertions and the proposed move” of the NCSC to an NSA facility at the agency’s Fort Meade, Md., headquarters.

In addition to the NCSC there is also the position of White House Cybersecurity Chief. With regard to part one of this article, I feel it important to note that the acting White House Cybersecurity Chief, Melissa Hathaway, was Senior Advisor to the Director of National Intelligence, Mike McConnell, and Cyber Coordination Executive; before that she specialized in cybersecurity strategies with the consulting firm Booz Allen Hamilton.


President Obama made an announcement regarding the nation’s cybersecurity direction. Included in this plan is the appointment of a Chief Cybersecurity Coordinator. It seems they will not be going with the title ‘czar’ this go round. It makes sense that the first people to be approached for positions on the panel will be people already employed in the service of the government. Those quoted in the findings would be an excellent example of potential panel members. Despite the new campaign from the Department of Defense to recruit hackers out of high school, I strongly doubt there will be any application process for independent civilian admission onto the panel. With Ms. Hathaway on the inside, and her former boss on the outside, it seems that not only has the chess board been set, the game has been played, and what we are seeing is the result of the match finalized and put down on paper.

Spies for Hire, US pays Carlyle Group to spy-2/3
