When Korea, Japan and the U.S. responded to warnings about how China was going to enforce its airspace identification and challenge, the public press saw the Chinese backing down from any threat to their proclaimed lands. This may be prematurely optimistic, given the Chinese way of fighting.
Chinese doctrine says they will pick the time of fighting, when it is to their advantage. When they fought a war with Viet Nam in 1979, there were 30,000 casualties. Two years before it started, the Vietnamese occupied one of the islands still in dispute, in the Spratly Islands, but they also invaded Cambodia and ran out the Khmer Rouge, the China-backed government. Both of these things are quite a bit more disconcerting than trying to plant flags on an island.
In 1985 and early 1986, China was lobbing shells over the border into Viet Nam and threatening it with other types of action. In 1988, they fought a battle not far from the Spratlys and 70 Vietnamese sailors were killed. They still have run-ins with each other, and the Vietnamese have had survey equipment and fishing vessels damaged by the Chinese. We usually think of China and Viet Nam as allies.
For those thinking Korea, Japan and the U.S. are off the hook, given the recent response, remember none of these countries are exactly friends of China. The Chinese will wait for a better time, when they have an advantage, and they will indicate the response was intended as a warning over incursions into their territory. We will have limited response options, and the State Department will crank out warnings until the Chinese get tired of reading them, but nothing much will happen after that. This will be a long and winding road, full of surprises and the occasional casualty. It is the way the Chinese fight - even with their friends.
Friday, November 29, 2013
Sunday, November 24, 2013
China's Warning about Islands
There were quite a few stories about the "new" declaration by China of what territories it expects to defend, but most of them concentrated on perceptions rather than the actual way it was presented. (See Reuters, CBS News and BBC for their articles)
The Chinese are not claiming any new territory, but they are saying they are going to make those territories part of their air defense zone. Their web site says:
November 23, 2013, the Chinese government issued a solemn statement announcing the designation of the East China Sea air defense identification zone. It is adapted to the development of the security situation in the country, focusing on safeguarding national sovereignty and territorial airspace security and maintaining order in the air flying legitimate move is necessary to move the country to better exercise the right of self-defense, but also in line with common practice in the world's major coastal countries.
Non-commercial aircraft are going to be challenged in this zone, which should prove interesting to anyone flying military aircraft in this area. It won't just be the Japanese, since a good part of the warning covers Taiwan and the area adjacent to S. Korea. These types of challenges are not new, but they are coming at a time when there are many claims being made to the potential oil in the South China Sea. It gets interesting when somebody is challenged for identification and ignores it. Are the Chinese going to shoot? They really want us to think about it.
Wednesday, November 20, 2013
Obamacare Website Security-3
The state of the Obamacare website tells us more about the potential for losing vast quantities of information that users put into that system. As I said in a previous post, MITRE already did a report saying security could not be evaluated because the system wasn't completed. Chao's testimony last week showed how far short of operational that website actually is. That would have been enough for an experienced CIO to say the risks were too great to go on-line, on the Internet, where hostile hackers will make mincemeat out of anyone who thinks their security is "good enough for government work." We can debate whether this website was even that, but it is too soon to tell.
There is a process that HHS is supposed to follow to identify risks early on and deal with them. At http://www.hhs.gov/ocio/policy/index.html#Security you can find these policies. They are vague, and typical of policies that would be a CYA for any agency CIO. Security falls to the HHS CISO, Dr. Kevin Charest, who has not appeared at any of the Committee Hearings on the website roll-out. Charest got a letter from the Committee asking him to explain some relevant issues (especially who signed the Authority To Operate for this system). The full text of the letter follows, but remember these are seldom written without some knowledge of the expected answer. They try to follow the attorney F. Lee Bailey's advice to never ask a question you don't already know the answer to:
October 15, 2013
Mr. Daniel R. Levinson
Inspector General, U.S. Department of Health and Human Services
330 Independence Ave, SW
Washington, D.C. 20201
Dear Inspector General Levinson:
It is widely understood that every information system can be hacked. Cybersecurity is now one of the greatest threats our nation faces. Bad actors are constantly attacking our information infrastructure and looking for opportunities to expose vulnerabilities. Rapidly evolving technology presents a never-ending challenge to safe-guard against catastrophic attacks. Given these realities, we are concerned for the integrity and security of the Data Services Hub (Data Hub)—the new launching pad for the names, addresses, social security numbers, and residency status of Americans seeking health insurance on the federal exchanges.
Systems of this complexity require sufficient time to ensure the fundamental and necessary controls that protect data systems are met. Specifically, prior to launching a new data system where consumers will provide their most sensitive personal information, a series of front-end controls should be put in place. However, it is unclear if certain critical best practices were conducted prior to releasing the Data Hub—such as pilot programs and employing White Knight hackers to provide feedback on the system’s vulnerabilities. Furthermore, reports that your office did not review the draft and final security designs for the Data Hub is concerning.
Taking all these factors into account, it is imperative that Congress be provided with the information necessary to understand how the Data Hub was certified and what continuing controls have been put in place to protect Americans who are currently accessing the system. Specifically, we request information on the user access controls for the Department of Health and Human Services (HHS) staff and Navigators that have been determined appropriate for using the Data Hub. Additionally, what system has been implemented to monitor the behavioral patterns of the system to identify suspicious activity?
With regard to the Navigator Program, which does not require a background check for the individuals who will interface directly with the public, what measures have been put in place to ensure accountability? What checks and balances have been put in place to protect Navigators from claims of fraud and abuse? Has HHS implemented continuing education programs necessary to ensure Navigators are aware of the most up-to-date fraud and cybersecurity threats?
Cybersecurity threats also exist as users log into the system, input their personal information, and remain on the internet. What controls are in place to protect Americans from these “man-in-the-middle” attacks?
As you are aware, HHS completed its Final Security Control Assessment (SCA) and issued a Security Authorization Decision. Following this action, on October 1, 2013, the Data Hub was fully implemented. We respectfully request your office provide us with a copy of the Final SCA report, including but not limited to the Certification and Accreditation (C&A) plan, in addition to the Interim Authority To Operate (IATO) or the Authority to Operate (ATO).
If an IATO was issued, we request a copy of this decision, as this report would indicate all known vulnerabilities that were identified, in addition with the current plan to ensure corrective action. If an ATO was issued, we seek to understand who defined the controls that the system must adhere to, as directed by the Office of Management and Budget (OMB), in addition to information detailing whether or not the controls were met, or were deemed deficient. Finally, we request a copy of the mitigation plan that the U.S. Chief Information Officer approved that certifies the Data Hub may be fully implemented.
HHS and the Centers for Medicare and Medicaid Services (CMS) have filed their action, “Notice to establish a new system of records” for the Data Hub in the Federal Register. This action reads, “records are maintained with identifiers for all transactions for a period of 10 years after they are entered into the system” (FR Doc No: 2013-02666). At a House Committee on Oversight and Government Reform hearing on July 17, 2013, Congress was informed by CMS that records obtained from the Data Hub would not be maintained. This statement is in direct conflict with the Federal Register. We ask that you provide further clarification on the authority by which HHS may receive records and not maintain the data.
Thank you in advance for your attention to this letter. We look forward to your prompt reply.
Sincerely,
Diane Black, Member of Congress
Patrick Meehan, Member of Congress
cc:
Mr. Steven VanRoekel
U.S. Chief Information Officer, Office of Management & Budget
1650 Pennsylvania Avenue, NW
Eisenhower Executive Office Building, Room 262
Washington, DC 20503
Mr. Kevin Charest
Chief Information Security Officer, Department of Health and Human Services
200 Independence Ave SW
Washington, D.C. 20201
Friday, November 15, 2013
China's Fake Fear of Cisco, et. al.
My grandmother used to tell us that accusing someone of doing something you were already doing yourself was like the pot calling the kettle black. Today that is not so easy to understand, but back in those days cast iron was black, and the stove fires burned every pot black, so it fit.
We have the best example, in a long time, characterized in a Spencer Ante article in today's Wall Street Journal. (see NSA Fallout: Tech Firms Feel a Chill Inside China) The article says IBM, Cisco, HP, and Microsoft have all suffered declining sales in China due to two things: increased emphasis on buying Chinese products and concern over NSA surveillance. We should probably understand that businesses do not find this kind of setback very funny, but it was hard not to laugh at the reasons given for it.
The Chinese, who have so far managed to steal every piece of electronic data they could get their hands on, can't be very concerned with NSA. They used the same kinds of excuses to harass Walmart and Rio Tinto, accusing the latter of stealing "state secrets" so named after they came into their possession. It is just intimidation. Walmart had action brought against them for making too much profit.
I'm surprised more wasn't made of the Huawei and ZTE restrictions in the U.S. We still accuse them of being connected to Chinese Intelligence, and both deny any such association. Maybe it is easier to say they "worry" about NSA surveillance than to fight the allegations against both of them. They undermine U.S. sales in China to benefit their own companies. We owe them a little retribution.
Obamacare Website Security-2
We finally got to hear testimony from some of the people who were responsible for creating the mess on the Obamacare website, which poses risk to data in their networks. A couple of interesting things came from it.
1. MITRE was doing the Independent Verification & Validation part of the evaluation of the security features of the system. CMS hired an ethical hacker to augment their security testing. He found 7-10 items which were "not serious".
2. MITRE published a report, portions of which were redacted because they showed vulnerabilities to the system. This is actually a good thing, since publication would make it even easier to get into the site, something a normal user cannot do.
3. Only a short part of MITRE's report was read in the open hearing, but it contained the following gem of information: "MITRE was unable to evaluate the Confidentiality or Integrity of the system" because it wasn't ready. The three elements of the security evaluation, Confidentiality, Integrity and Availability, were not even done, yet the Administrator of CMS felt confident enough in their design to sign off on the risks. If good designs were enough, we could throw away those acquisitions manuals and buy good designs. On what basis HHS could make such a decision is a mystery. We know Availability failed.
Several sources today (http://www.nextgov.com/health/2013/11/cms-manager-who-okayed-healthcaregov-missed-security-memo/73625/) cite portions of a report saying the security risks were "limitless" in this system. When has anyone ever seen an evaluation like this result in an Authority to Operate (ATO)?
4. Mr. Chao, the Deputy CIO at CMS, said security testing was completed at the component level, but was not able to be completed end-to-end. Component level testing would not include the interfaces to the other systems that connect our sensitive data to this portal. Does CMS feel comfortable accepting that level of risk? Do the other agencies connecting to this portal feel comfortable with accepting them? A Hill article today (http://thehill.com/blogs/healthwatch/health-reform-implementation/189916-top-cms-official-didnt-know-about-obamacare) says Chao was not included on parts of the request for sign-off on the ATO. That didn't seem to keep him from rationalizing the lack of security testing.
5. Mr. Powner, from GAO, twice cautioned that we should be concerned about security while the system is being built. Considering that no security testing had been done that would justify granting an ATO, the risks climb dramatically with changes that are being made on the fly, where political pressures abound. Will the system be tested before the 30th of November when all the changes are supposed to be done? Not likely. They cannot even get the portal to work like a portal. Until it is stable, it would be difficult to test.
We should think twice about putting any data into this system until it is operational, the security testing is complete, and the vulnerabilities are corrected. You can bet the Chinese are already hacking this goldmine.
Friday, November 8, 2013
Obamacare Website Security Testing
The Obamacare website fiasco, about which much has been said, is not just the story of a failed website. Lost in the analysis was a small sentence that indicated security testing had not been done, "because there was a lack of time". I have heard this excuse, more than once, from some of the biggest software vendors in the land. What it boils down to is a priority list of things that must be done, and security testing doesn't make the list.
What it means to users is simple: We will take the risk with your data, while we make improvements to the website.
Who can make that kind of decision, and how can they rationalize signing off on risks that are not theirs to take? The person responsible for security of the site was a man named Tony Trenkle, CIO at the Centers for Medicare and Medicaid Services, who according to the CBS news story at http://www.cbsnews.com/8301-250_162-57611202/departing-obamacare-security-official-didnt-sign-off-on-site-launch/ resigned this week and is now gone. He would not sign off on the acceptance of risk, but the CMS Administrator, Marilyn Tavenner, did. CBS's article goes on to say "HHS also says there is an aggressive risk mitigation plan in effect, 'the privacy and security of consumers personal information is a top priority for us' and personal information is 'protected by stringent security standards.'" Of course, without security testing, they are not in any position to say what the risks are to the data.
Tavenner's testimony http://oversight.house.gov/wp-content/uploads/2013/07/Tavenner-CMS-Statement-PPACA-Data-Hub-7-17.pdf gives broad assurances that security was met through FISMA, indicating she neither understands, nor appreciates, what FISMA actually does. Years from now, we might see a FISMA report telling us what shortcomings have to be corrected to meet existing requirements, but it won't be soon.
More than once, I have been in the position to brief the person responsible for acceptance of risk. I asked them to acknowledge the risks, accept the mitigation strategy (which limits the amount of time the risk will exist), and fund the mitigation effort. Only on rare occasions will the person in charge decline, and almost always, they decline for a good reason. Usually, there is enough significant risk that going operational is not a good option, but delaying will have serious political consequences. Trenkle would have known there was no security testing, so there was no way to measure the amount and type of risk that had to be mitigated. He also knew the consequences of delay were higher up the food chain. So, he declined to sign. Smart man.
Today's Politico http://www.politico.com/politico44/2013/11/white-house-blocks-tech-chief-from-testifying-on-obamacare-177047.html says the White House is declining to allow Todd Park to testify on the Hill because he is "too busy" repairing damage to the site. The House Committee on Oversight and Government Reform will call a witness list that includes HHS Deputy Assistant Secretary for Information Technology Frank Baitman, CMS Deputy Chief Information Officer Henry Chao, U.S. Chief Information Officer Steve VanRoekel and David Powner, Director of IT Management at the Government Accountability Office. Maybe someone could ask how they make a risk assessment on a system that had no security testing done on it.
Monday, November 4, 2013
New Leaks, Are They Snowden's?
In the Sunday New York Times, Scott Shane put together some new information about what and where NSA was collecting intelligence about these things:
1. Information about positions of the U.N. secretary general, prior to a meeting with our President.
2. Interception of 478 e-mails which helped to foil a plan by jihadists to kill a Swedish artist.
3. Surveillance information about FARC rebels later turned over to the Colombian government.
4. Surveillance of Iran's Ayatollah Ali Khamenei, aircraft entering and leaving the airspace around him, his vehicles, weapons, and conversations of aides, down to the details of what was discussed.
5. Surveillance of Somali officials, a U.N. political officer communicating by e-mail, and a local rep from a charity World Vision.
(See: No Morsel Too Minuscule For All-Consuming N.S.A., New York Times, Nov 3, 2013)
The sources of most of these examples are said to be documents that came from Edward Snowden. I watch for these documents, because they are sensitive intelligence matters that should not appear in public and they damage our national security. I haven't seen that many, and I am starting to get the idea that the New York Times, the Guardian, and the Washington Post can write a ton of articles based on their own sources, and say they came from Snowden's stash of documents. We wouldn't have any way of knowing the truth of it, any more than we would know the truth of the source of the examples they are using. Nobody in the government will acknowledge the truth of any of them, even when they appear in the public media. Nobody can challenge the veracity of the newspapers' statements, nor question whether they really came from Snowden.
The inference in this article is that NSA collects, analyzes and distributes intelligence about almost every aspect of any person's life, anywhere in the world. There would never have been an attack on 9/11, Somali pirates would never capture a ship on the open seas, the FARC would not exist as an organization, and Iran would not have a nuclear program to speak of, if it were really true that NSA could sweep up everything and use it to make predictions about what was going to happen anywhere, anytime.
That doesn't stop the press from bringing phony "charges" of NSA's abuses of their sanctioned mission. What this does is undermine our intelligence collection capability, to the benefit of the Russians and Chinese who are the only other countries that can come close to us in that regard. Does anyone think that Snowden picked Hong Kong at random, as the jumping off point for his escapades? Do we think he sought asylum in Russia because he "just happened to be at the airport in Moscow"? Both countries benefit from these disclosures. What we need to find out, and the White House certainly could if they wanted, is where is this information the press is publishing really coming from? I doubt that is just Snowden's documents. It is an easy way to protect other sources by saying so, and we should try to find out who those sources really are.