So, after this past weekend's news shows, we have Mike Rogers, from the House Permanent Select Committee on Intelligence, and Homeland Security Committee Chairman Michael McCaul, confirming that Snowden was a spy after all, and probably had help from the FSB. The KGB, predecessor to the FSB, was Putin's home before he came to office. The news media calls this a "revelation", which only means they hadn't even thought about it before these two stated the obvious.
As I have been saying for months now, Snowden didn't act like a guy who saw something on his computer that he didn't like, and defected because he wanted to help us become a better country. Rogers says he looked for things that were not privacy related, and they seem to be the kinds of things that could only undermine the intelligence collection capabilities of the United States. It looks like the Russians were helping him, or at least, that is being investigated as a possibility.
This wouldn't be the first time the Russians have helped a U.S. person steal classified information. Up until Snowden, Walker was the worst, having given over the crypto keys that were used to encrypt hundreds of thousands of exchanges. Manning made that easier by publishing the ones he had. They didn't even have to be decrypted.
This is a new way to spy, and I have to say, we ought to credit the Russians for their novel and successful way of going about it. It was a pretty smart way of covering their tracks while they stole everything they possibly could. The spy even admits he did it, gets the press to cover him in the publication of the information he steals, and nobody even looks Russia's way for months. If someone from the FSB was helping him, you can bet that person is not around for the investigation.
Snowden's case has taught us some valuable lessons about contractor security clearances, internal security of our computer networks, and how to use the press to cover spying operations. The Russians have apparently managed to use our own system against us - again. Don't we ever learn? We have procedures to keep these kinds of things from happening again. Instead we have OPM running the security clearance process, and bumbling again and again, to the point that clearances are a mess. OPM's incompetence is starting to affect people in jobs that require a security clearance. We have thousands of people in limbo, waiting for OPM action. They can't get jobs until that happens. I met with three over the weekend and all were waiting, without salary, until OPM finished an update. The jobs come and go and they wait.
Our internal computer security, cited over and over again by GAO, is not getting any better. Our laws can't stop the press from releasing anything Snowden gives them. While the President debates what metadata the NSA can keep under what circumstances, the Russians must be laughing at us. We aren't even addressing the kinds of things that Snowden represents.
Monday, January 20, 2014
Friday, January 17, 2014
Obamacare Website Security
For those that do, or have done, government security for IT systems, the hearings yesterday by the House Government Oversight Committee were surreal (see http://www.c-span.org/search.aspx?For=CMS). It is long, but worth watching for its politics, security, and professional conduct in the security field. I have 42 years of doing security for government systems and this was the nightmare we used to warn each other about. Having to explain the tortured process of getting a senior manager to accept risk for a signature on an ATO is not normally as painful as this particular one turned out to be, but maybe it should be. The participants were:
DR. KEVIN CHAREST Health & Human Services Department (HHS) CISO
TERESA FRYER Centers for Medicare & Medicaid Services (CMS) CISO
FRANK BAITMAN Health & Human Services Department (HHS) CIO
What we discover in this hearing is that the process in security is so convoluted in large organizations that no one person is at fault. Everybody in this group took FingerPointing 101.
Baitman says each of the 11 operating divisions has its own CIO and CISO, which is enough to confuse anyone. When he says he can't remember being aware of the specifics of any of the security problems with the Obamacare website, it is not hard to figure out why. This kind of management structure is an abomination.
Fryer says she and her CIO passed along their "reservations about the ATO" and indicated they did not want to sign it. She based this on the fact that end-to-end security testing had not been done, and she did not have confidence that "PII information could be protected". She briefed her CIO that they should not release the ATO. That means it wasn't ready.
Both, eventually, briefed Baitman, who says this was "not a red flag" to him, though he did consider it "noteworthy". He says he had "no direct understanding of operations or security of CMS." The risk decision was not his to make. Mr. Baitman got an "A" in FingerPointing 101 and may have taken advanced courses after that.
He did, however, pass it along to some other people in HHS. He also says that on Sept 1 he recommended doing a Beta deployment, but his recommendation was not accepted. Everyone in IT knows what this means to an experienced CIO. It wasn't ready and he knew it wasn't.
Mr. Meehan, Chairman of the House Cybersecurity Committee, said some Chinese hackers tried to get into the system in November. If they were trying in November, before end-to-end testing was done, nobody knows if they succeeded. The Chinese are pretty good at this kind of thing, so if they failed, you can bet they tried several other times. The fact that they were not detected is not a big surprise to anyone. He was skeptical of their assurances to the contrary, hesitated, and stopped before saying any more. I got the impression there was more to say. Each of the persons testifying said there were no reported intrusions into the system, just as there were no reported intrusions into Target before there were reported intrusions. Mr. Cummings, a committee member and frequent foil to Mr. Issa, the Chairman, said anything to the contrary was the use of "scare tactics" by the Republicans.
The most interesting addition to the knowledge about this IT security disaster was a chart indicating there were 17 states which did not have Authority to Connect agreements with CMS. It mentions that CMS should accept the risk for these, and for the internal connections to IRS, DHS, SSA, et al., for 90 days. They acknowledged that these were not their risks to take, but they could do it anyway. That was a decision that even Baitman could not make. It would have had to be done higher up in HHS.
Thursday, January 9, 2014
New Obamacare Website Security Issues
Darrell Issa is probably not a favorite of CMS, but as Chairman of the House Oversight and Government Reform Committee, he can make them squirm. He is still, rightly, focused on security of the Obamacare website. The Committee's website http://oversight.house.gov/release/issa-challenges-sebelius-false-misleading-statements-healthcare-gov-security/ says they are going to challenge some statements made by Health and Human Services Secretary Kathleen Sebelius about security of the site. It is a curious mix of things they are looking into:
1) that MITRE was conducting ongoing security testing;
2) that MITRE’s preliminary report “did not raise flags about going ahead;”
3) that “no one… suggested that the risks outweighed the importance of moving forward;”
4) that MITRE made recommendations to CMS about moving forward.
An odd mix, to be sure. Remember the adage, "never ask a question you don't already know the answer to." If MITRE was not doing security testing, put up warning flags about proceeding, and didn't make recommendations about moving forward with deployment of the site, it would be hard to say on what basis CMS made the risk management decision to deploy.
In a Politico story today, Brett Norman quotes an HHS letter that says:
“There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information,” the statement said. “An independent security control assessor tested each piece of the Healthcare.gov system that went live October 1 prior to that date with no open high findings.”
http://www.politico.com/story/2014/01/darrell-issa-kathleen-sebelius-obamacare-101924.html#ixzz2pubEX9o8
Anyone who has any time at all in cybersecurity would know that statements like this are not made by anyone. Never.
It is a dangerous thing to say, especially in a system where there are obvious security flaws, the system was deployed before it was ready, and changes are being made on the fly. If there were no Cat 1 security deficiencies, it would be the first system ever built by the government that could say so. Everybody has some problems in development, and with this system, there have been more than just some. They had Cat 1s everywhere else, but they want to say that they had none in security. Preposterous, and unbelievable, but this is, after all, the most fun Washington has had in a long time, so not impossible.
Second, nobody ever says "There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information...." There was a GAO report published yesterday that left some doubt about how government agencies are handling disclosures when they know they have them. They don't have consistent ways to identify the loss, collect the data about who is affected, and report the incident to the right agencies. Then, they don't always take appropriate action to deal with the potential damage. If CMS looks like the kind of place you could trust to identify the loss, report the loss, and help the customers, given the political spear dangling from its chest, then you have more faith in them than I would have.
Friday, January 3, 2014
Snowden's New York Times Friend
The New York Times has said the U.S. should consider clemency for Edward Snowden for disclosure of classified documents. The Times says he did a service to all of us. I have trouble with the logic of that kind of claim, but consider the source.
The only countries that benefited from what Snowden did are Russia and China, and maybe Iran. What Snowden gave up was an intelligence bonanza that didn't cost a thing to collect. It is a gift, with substantial value, that does harm to the U.S.A., his home country.
The Times seems to think of this in terms of what was disclosed that the American public did not know. There are plenty of things that the American public doesn't know and shouldn't know about how we collect intelligence. If you ask the average person on the street to name one thing that Snowden gave up, they probably wouldn't have an answer. They may say, if they read the Times, that NSA is spying on the general public, intercepting their phone calls and storing them somewhere for later analysis. That isn't true, but people who don't know what has been disclosed are swayed by the simple explanation of how our government spies on its own people.
Anyone in law enforcement who has ever had a case of potential terrorism against the U.S. understands the limits of intelligence collection and the limits of sharing information between different agencies. We often wished there was some big pot of data that we could go back to and find out what some idiot who wanted to blow up a bridge in Manhattan was looking for on the Internet, or who he was talking to lately. It takes a court order to get that, and usually more than one. I was surprised we didn't have everything we ever wanted after seeing all the stuff Snowden gave over to people who shouldn't have it. If it was accurate, and functioned like the slide shows said it did, we should never have had a question about what a person was going to do. We could have gone back to NSA and gotten everything we ever wanted.
We can be fortunate that slide presentations are merely representations of what someone with PowerPoint capability thinks can be done. These are usually people looking for money who wish this could be done and wish they had more money to do it. But, it is just a wish on both sides of the proposal. What they propose never works the way it is supposed to, is almost always over-inflated in its importance, and usually does far less than the slide maker's hope. Snowden was too young and inexperienced to know the difference between a wish and a real capability.
For that reason alone, the Times would hope we would give him some clemency. For what? For being so careful about stealing information; for collecting the NSA entrance requirements so he could work there, or for giving up what he considered to be the most sensitive programs he could find at his job there? Are these the kinds of things we give clemency for?
Show me a reason to give clemency that fits any of the circumstances of his conduct. He is a traitor who cannot come home because he gave up his country's secrets to our enemies. He knew what he was doing, planned it out, and thinks he can get away with it now, if enough people will write articles about it and get the government to think about giving him a break. That isn't the way espionage works. He spied on us, stole our secrets, and now wants forgiveness. The Times' sense of humor on all of this is matched only by the Israeli press, which links Snowden to Jonathan Pollard, another spy who gave up secrets and went to jail. He wants clemency too, and the parallels are not lost on us. He can never go home and neither can Snowden.