Monday, June 29, 2015

Budget Cuts for CIOs

I found an interesting chart the other day on the White House web site,
https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/omb_presidents_it_budget_for_fy_2016_summary_chart.pdf that shows who won and who lost in the IT budget battles.  The biggest winner between the 2015 and 2016 budgets is the Office of Personnel Management - yes, the same one that lost all of our security clearance data and failed to correct even basic things like how administrative log-ins are done across its networks.  It got a 48% increase in its budget.  This is a lot like paying millions for bridge repair after the bridge has fallen into the lake at rush hour.  A little money for fix-up might have saved the bridge.

It looks like the Department of Housing and Urban Development lost the most, 16%.  These are good figures for the people who do marketing and write proposals, but not much use to anybody else.  Look at the bottom-line numbers on this chart, and you realize we spend far more on Information Technology than any government should.

I happened to read 3 Reasons We Don't Need Federal CIOs [http://www.informationweek.com/government/leadership/3-reasons-we-dont-need-federal-cios/a/d-id/1297423] by Linda Cureton, who used to be CIO of NASA.  I have to agree with the way she looks at this.  There is no "enterprise" in the Fed, and every agency runs its IT as if it were the only agency in our government.  IT is not a respected profession in the C-suite of the agencies.  It is all about mission, whatever it might be.  But...

Security is still part of the CIO's responsibility, and that is not going away.  We have yet to hear from the CIO at OPM, who appeared at her hearing because she had to but said very little beyond "my comments were added to those of the preceding speaker."  Yes, so she couldn't talk about who was really responsible for the decision to take a chance on operating a system that was full of holes.  Next thing we know, her emails will go missing.

The Chinese must be laughing out loud at the incompetence of this agency.  Nobody who got one of those letters from OPM is laughing.


Thursday, June 25, 2015

Clapper on OPM

In today's Wall Street Journal, Damian Paletta reports that James Clapper, Director of National Intelligence, said China was behind the OPM hack and that the lack of deterrence for these kinds of actions is partially at fault.

Deterrence strategy falls to the National Security Council, which seems to have done next to nothing to stop the Chinese from accelerating their collection of information from both US industry and government offices.  That reluctance has cost us more than we know.  We can't allow the Chinese to do what they want while we try to keep their support for a dubious deal with Iran on nuclear weapons.  That deal is falling apart as we speak, so if they were relying on China's help, they are wasting what breath they have left.

Deterrence is nonexistent.  While China sucks our industries dry of trade secrets, plans, strategies and teaming arrangements, it continues to plow ahead with its economic growth.  That strategy is working very well for them, and not so well for us.  Do we really need Chinese support so much that we want to sell out our own companies to get it?

Do We Want to Fight China?

The Chinese have a rule of engagement that says they fight when they are ready, and not before.  Note that not every country follows that rule, usually to its detriment.  What OPM and a stream of other hacks show is their readiness to engage: acknowledging their hacking with in-your-face attacks that can be traced to China, and committing overt acts in the South China Sea.  Think of these as warnings.

Sony and South Korea's banking targets (North Korea was held responsible) are equal warnings.  Both were destructive and intended to show us that the next big fight will not be the theft of data from private and government sources.  It will be a damaging attack against the core services of our country, businesses especially.  Lots of information will be released to the public, and systems will be destroyed.

That is part of the game of war played by governments.  Usually, the basic rules require covert engagement, which the Chinese have honored only by denying responsibility for attacks so easily traced to them.  The usual approach is to use deterrence as a way of persuading them that this is not a good idea.  Do we have good deterrence here?  No.

So, if they are ready to fight and we don't have good deterrence, we have to fight too.  Are we ready?  The military is ready and thinks it can fight, but this war is not about the military capability of a country.  Could our businesses withstand an attack if it came?  We can't afford to wait to find out.  The attack on South Korea cost $500M to repair, and it is a small country.  I hope our government has let our industries know how that attack was done and what they should be doing to deflect a similar effort here.

Wednesday, June 24, 2015

Mr. Chaffetz lights them up

For those who saw the opening remarks today of Mr. Chaffetz, Chairman of the House Oversight and Government Reform Committee, you saw a Congressman fired up.  They rarely get that way without cause.  He wasn't faking his concern for a public audience.  You could see more than the usual "concern" that comes to everyone on the Hill when they are forced into it.  He was right on target.

He hit every major point that should have been made about the incompetence of OPM and described it as "gross negligence," which is the key to any prosecutions that might follow.  He said the attacks on OPM reveal an unsatisfactory condition, yet the testimony of those appearing described nothing but the progress they have made.

The witnesses went on to confirm exactly what he had said.  The testimony was packed with qualifiers and "maybes" that are beyond belief.  They want to do better security now.  They said they were doing good security, but they want to improve and have "deep concerns."  Lordy, of course they do, but the data is gone now and it is too late.  Now they want money and improvements in the safety and security of your data, but the only ones it will help are the new people coming in.  They compromised everything else.

As Mr. Chaffetz said, 5 of the 11 systems that were operating without a valid security authorization were in the CIO's office.  That is starting at the top.  In 2014, the IG said there were material weaknesses that had not been addressed for 4 years.  That is the definition of gross negligence.

We will never get ahead of the game using the same people and the same programs that have been used in the past.  They need to go, replaced by new blood that can revitalize and lead the security of those systems.  Let them start at OPM.

Opening Statement of Chairman Jason Chaffetz, OPM: Data Breach, June 16, 2015

Last week, we learned that the United States of America may have had what may be the most devastating cyber attack in our nation’s history. And that this may be happening over a long period of time. As we sit here this morning, there is a lot of confusion about exactly what personal information for millions of current and former federal employees and workers was exposed through the latest data breach at the Office of Personnel Management (OPM).

OPM initially reported that the personal information of over four million federal employees was exposed during this hack. More recent public reports suggest the breach was perhaps far worse than that. It is also unclear exactly what information was exposed. We would like to know what information was exposed, over what period of time and who has this vulnerability. The breach potentially included highly sensitive personal background information collected through security clearance applications. The loss of this information puts our federal workforce at risk, particularly our intelligence officers and others working on sensitive projects around the globe.

While we understand some of this information will be classified and can’t be discussed here this morning, we do need to clear up exactly what happened and what information was compromised.  And we need to understand why the federal government – and OPM in particular – is struggling to guard some of our nation’s most important information.

The fact OPM was breached should come as no surprise given its troubling track record on data security. Each year, the Office of Inspector General reviews and rates its respective agency’s compliance with Federal Information Security standards. According to the last eight years of IG reports, OPM’s data security posture was akin to leaving all the doors and windows open at your house. Since 2007, the OPM IG has rated OPM’s data security as a “material weakness” because the agency had no I.T. policies or procedures.

It is unbelievable to think the agency charged with maintaining and protecting ALL personal information of almost ALL former and current federal employees would have so few information technology policies or procedures. And this didn’t change for eight years.

The IG has also noted the agency “does not maintain a comprehensive inventory of servers, databases, and network devices.” You have to know what you have in order to protect it. Not knowing is unacceptable. The IG also found 11 out of 47 major information systems (or 23 percent) at OPM lacked proper security authorization, meaning the security of 11 major systems was completely outdated and unknown. Five of these 11 systems were in the office of the Chief Information Officer, Ms. Seymour, which is a horrible example to be setting as the person in charge of the agency’s data security.

The IG only recently upgraded OPM to a “significant deficiency” when the agency finally made reorganization of its office of the Chief Information Officer a priority. For any agency to consciously disregard its data security for so long is grossly negligent. And the fact that the agency that did this is responsible for maintaining highly sensitive information on almost all federal employees is, in my opinion, even more egregious.

OPM isn’t alone; a number of other agencies also suffered breaches in the past year. This latest cyber hack comes on the heels of several data breaches across the government, including at the U.S. Postal Service; the State Department; Internal Revenue Service; Nuclear Regulatory Commission; and even the White House.

At the same time, the government is spending more and more on information technology. Last year, across the government we spent almost $80 billion on information technology, with $84 million at OPM alone. But when a nefarious actor is able to infiltrate so many of our government systems, and remain there for months undetected, we clearly aren’t getting our money’s worth. OPM isn’t alone to blame for this failure. The Office of Management and Budget has the responsibility for setting standards for federal cybersecurity practices. And it’s OMB’s job to hold agencies accountable for complying with and enforcing those standards.

The Department of Homeland Security has been given the lead responsibility for serving as the federal government’s “geek squad” to monitor day-to-day cyber security practices. But the technical tools that DHS has deployed to try to protect federal networks apparently aren’t doing the job. While DHS has developed EINSTEIN to monitor government networks, it only detects known intruders, proving completely useless in the latest OPM hack.

The status quo can’t continue; we have to do better. I appreciate our witnesses being here today, especially on short notice. I look forward to learning what we can about the latest breach at OPM in a public setting. More importantly, we need to hear what we are going to do to prevent this from happening in the future.

An Ounce of Prevention

There have been so many hacks of the Federal government these days that it is obvious they have not learned the first lesson of computer security: "You must prevent what you can't detect."

This was a basic rule when I was growing up, which, for most of my readers, was a long time ago.  Age has some advantages, and in this case, remembering the rules from long ago can be a benefit.

The hacking method used to get in is almost exclusively phishing attacks that deliver RATs.  Long ago (in 2000), RATs were called Remote Access Trojans, and I have difficulty getting that term out of my head.  Now they are called Remote Administration Tools, a term meaning what it says.  Hackers get remote access, at Administrator level, to any machine they can reach with this tool.  The method of reaching them is the phishing attack.  Send the target something he wants, with the RAT embedded in it, and let the user open the document or graphic.  We all open attachments every day.  Hackers do their end every day too.

Why haven't we been able to stop this phishing-plus-RAT method of attack?  Because we forgot the first rule of computer security.  We must prevent what we can't detect.

We can get better detection.  The joke about EINSTEIN was that it only detected known threats.  Anti-virus tools can do that, and they cost far less.  That wasn't what it was supposed to do when DHS spent millions to develop it.  If it can't detect the threat, find something that will, and stop spending so much on solutions that can't.  There are filtering solutions that detect embedded code in attachments, or open the attachments in isolation, before they ever enter the network.  It costs money, and agencies have to give up some pet projects to make it work.  Doing the same things over and over will not improve the outcome.

We can block attachments to e-mail, however painful that might be.  Still, it is an option that comes too late for most people who hold security clearances or who pay their taxes.
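The filtering the post calls for, as an added example that is not part of the original post: a minimal mail-gateway check in Python that applies the "prevent what you can't detect" rule to inbound e-mail. It does not try to recognize any particular RAT; it refuses the carriers RATs ride in on: executable content, legacy OLE documents that may carry macros, Office documents with an embedded VBA project, script files, and attachments whose declared type does not match their real bytes. The sample message, its addresses, and the attachment contents are constructed for the demonstration and are not from any real incident.

```python
"""Attachment policy filter for a mail gateway (added example, stdlib only).

The sample message built below is constructed for the demo. The check refuses
the containers phishing RATs normally arrive in rather than trying to detect a
specific piece of malware.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# File extensions that should never arrive by e-mail in an office environment.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "jar", "ps1", "bat", "cmd", "lnk"}
PE_MAGIC = b"MZ"                                    # Windows executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm) and plain zips


def _zip_has_vba(payload: bytes) -> bool:
    """True if a zip/OOXML payload carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, payload: bytes) -> Optional[str]:
    """Return the reason an attachment must be blocked, or None if it may pass."""
    parts = (filename or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    # Content checks run regardless of the name: the name is attacker-controlled.
    if payload.startswith(PE_MAGIC):
        return "PE executable content (MZ header)"
    if payload.startswith(OLE_MAGIC):
        return "legacy OLE document; may carry VBA macros"
    if payload.startswith(ZIP_MAGIC):
        if _zip_has_vba(payload):
            return "OOXML document with embedded VBA project"
        if ext in {"doc", "xls", "ppt", "pdf"}:
            return f"zip container disguised as .{ext}"
    if ext == "pdf" and not payload.startswith(b"%PDF"):
        return "declared PDF but content is not a PDF"
    return None


def filter_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse an RFC 5322 message and list (filename, reason) for every blocked part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        reason = classify_attachment(name, payload)
        if reason:
            blocked.append((name, reason))
    return blocked


def build_sample_message() -> bytes:
    """Constructed phishing-style message: one clean PDF plus two disguised payloads."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Updated benefits statement"
    msg.set_content("Please review the attached statement.")
    # Legitimate-looking PDF: passes.
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf", filename="statement.pdf")
    # Executable wearing a PDF name and a PDF MIME type: caught by the MZ check.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="statement_2015.pdf")
    # Macro-enabled Word document: caught by the VBA project check.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="benefits.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in filter_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

In a real gateway the blocked parts would be quarantined and the message delivered with a notice, rather than silently dropped. The check deliberately ignores the sender's declared MIME type and file name, because both are chosen by the attacker; only the bytes are trusted.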

We can get sensitive applications off the Internet.  We spend millions on networks that are separate from the Internet yet still aren't secure, then hold those up as examples of why we shouldn't spend money on separate systems.  But we don't stop spending money on those systems either.  There is no logic to this.  Sensitive government systems shouldn't be on the Internet.  Only the Chinese and Russians think it is a good idea for us to have every sensitive application we own doing business on the Internet.  The Internet isn't safe enough for that, and our Federal government has proven over and over that it can't protect the data it uses there.

WSJ and "Cyber meltdown"

I have to agree that the OPM fiasco was a mess, and the term "meltdown" applies.  The Wall Street Journal op-ed today says a little about how significant the data taken from the OPM site was.  What is interesting to me is the speculation about Congressional staff and people investigated for clearances who may never have received one, or never needed one after they were investigated.  That was the first time I had heard of that kind of data being involved.  As you remember, the first estimate by OPM was 4M records; now we hear 18 million.  As I said before, those numbers seemed low, given the number of cleared people in government, retired persons, and contractors.  If it hasn't occurred to you yet, they may not know how many records they lost.  That could be worse than the numbers.

The decision to accept the risk of securing that data the way it was ultimately fell to the Director of the agency.  Stonewalling, a typical political activity in Washington, is not helpful.  Hiding behind the "national security implications" statement by the OPM IG is stupid.  That data is gone.  All the speculation about what is being done with this data is just that - speculation.  We have elections coming up, and that information can be used in a lot of ways that politicians will be fretting over for the next few years.  Good.  Maybe they will take some action to get some security for the systems that hold government information.  As one of those with records in that system, I want better security at IRS, Social Security, OPM, the Postal Service, and all the rest of the Federal activities that were hacked.

Given the type and frequency of these kinds of hacks on our government, it appears they don't get the message about the security of our data.  They take risks with it every day, lose it, and do nothing to correct the situation.  They paper it over, stonewall, hide the e-mails, obscure the story, and put fingers to their lips to warn employees to keep quiet.  This is the way the Chinese do business.  We should expect better from our own government.


Monday, June 22, 2015

Michael Hayden blasts OPM

If you missed the Wall Street Journal today, go buy one for this article alone.  Hayden, who is one of the smartest people anywhere on cyber, let loose on OPM.  For most security professionals he is not saying anything we have not said before, but he says it more straightforwardly than most: "raw incompetence" led to the disclosure of these records to China.  He said that if he had had the chance to get the same kind of information from China, and it was available, he would have gone after it and not asked for permission.

The acts of omission and commission by OPM are as bad as anything we have heard.  They are firing offenses, and yet the White House is staunchly behind its appointee.  We have been in Washington long enough to know that lasts until the time is right, or a suitable replacement is found, but it doesn't last forever.

In the meantime, where is Michael Daniel?  Yes, he is the White House cyber czar (reduced to Coordinator in this Administration) on the NSC staff.  Nobody knows what a coordinator does, but the Postal Service, OPM, the CMS folks who botched the website for the Affordable Care Act, and the folks at Homeland who notified their employees about a theft of security data that took place over a year before, need to get their collective rear ends kicked.  As a friend of mine said when Homeland sent him a letter about a 2013 attack on their records, "I could be broke right now if it had been a criminal gang!"

Never have we had this kind of response to so many incidents.  Calling for a "sprint" will not resolve a long-term neglect of government security, documented over and over by IG reports and public disclosures of incompetence.  Hayden wouldn't use that word lightly, if it didn't apply.


Friday, June 19, 2015

China Demands Source Code and Encryption

I usually keep up with what the Chinese are doing, but somehow missed the new laws China has enacted that will allow it to demand the source code and the encryption a company uses to protect its data.  George Chen (see Foreign Policy, Feb 2015) says they have already stopped the use of VPNs in China.  Of course, this is done in the name of counterterrorism.

You have to wonder why source code becomes a counterterrorism weapon all of a sudden, and why the Chinese have to ask a vendor for it when they have stolen so much of it already.  Why any company would give up source code as a condition of operating in China is beyond me.  Can the market be so tight that the proprietary protection of source code has to be given up to operate in a country that steals almost everything it can?  We need more countries to say they aren't going to give up source code as a condition of operating there, and to prohibit China from asking for it.  They want reciprocity.  Let them start there.


Wednesday, June 17, 2015

When one Baseball Team hacks another

Certainly in the realm of unbelievable hacks this one stands out.  It is a little hard to call it a hack, since apparently someone left an account open and one of the St. Louis Cardinals' staff took advantage of the opportunity and got into the accounts of the Houston Astros.  There is, as I found out today, some interesting information that baseball teams keep: algorithms, for example, that help them decide which players to sign and which ones to let go.  That must be an interesting thing for another team to have.  Salaries, of course, and some of the internal correspondence that gets sent to "all" must be riveting.  Nonetheless, they could use some simple security measures that almost anyone could have mentioned to them, not the least of which is removing users' access when they leave.  That is security 101.  Changing passwords at regular intervals is also a good one to remember.  This reminds me of the way one of our church groups handled their security, not the way a business does it.

What's scary is the way systems are administered at some of our businesses and government agencies with information far more valuable than those algorithms.  We have rolled our staffs down to small numbers to keep costs down, doing away with separate security positions.  They were replaced by admins, who are nice people and might marry one of my relatives one day.  But they are not well trained on security, especially network security.  Getting that training is not an easy thing to do.  They are busy, and their management does not want to take them away from their work.  So they learn by doing, not a very good way to pick up the things that might save them from some types of hacks.  It can't come close to saving them from the kind of hacks that are going on out there in the real networks of the world.  Good thing the Chinese don't have a baseball team that needs to operate like a commercial company.  This wasn't a real hack as we usually think of one.  I wonder why the FBI took the case.  They didn't take Deflategate.

U.S.-China Economic and Security Review Commission

I got a chance to testify before this Commission, and it was a good experience.  This is one group that is not trying to make political points for itself, nor trying to make soundbites for reelection.  They really do want to do something about China hacking our businesses.  All they can do is make recommendations to Congress, which seems hell-bent on doing up a treaty with China, as if that will do some good.

My brother bet me that I couldn't get across the point of China hacking security companies, network security services, and the public key infrastructure in 3 minutes, and I didn't even have that long.  It is impossible to get any complex problem across in the short time segments they allow.  However, Google may have done it for me by no longer recognizing certs issued by China's NIC (CNNIC).  They announced in April, after a joint investigation with CNNIC, that they would no longer accept them.  Maybe now some of the other companies will start looking for certs that chain to a Chinese root.  They are using our e-commerce system against us.  Google is not the only one standing up to China, but I wish there were more public stories about what others are doing.


http://www.uscc.gov/Hearings/hearing-commercial-cyber-espionage-and-barriers-digital-trade-china-webcast

Monday, June 1, 2015

Level (3) Communications and Hackers

In an article in today's Wall Street Journal, Drew Fitzgerald [Level 3 Tries to Waylay Hackers] shows the Internet's biggest problem shining through: as it becomes a more hostile place, few companies or governments find it in their interest to try to control any part of it.  China, Russia, Iran, North Korea, and a host of others do not have this problem.

Level (3) Communications, Inc., the giant network company that operates in 60 countries, has decided to do something about hackers crossing its infrastructure.  You would think that was a good thing.  They shut down some suspicious traffic that was not part of their client base.  They closed off some big service providers.  Why would anyone not be grateful to them for what they are trying to do?

For the most part, it is because their competitors in the network space are reluctant to become "policemen of the Internet."  Who should that be?  Should we get the FBI to do it in the name of fighting international crime?  Should we get Google, Microsoft, and Amazon?  How about letting China do it on contract?  They seem to be good at it.

If the other carriers did what Level 3 is doing, the rest of the world wouldn't find it so easy to get into our networks and siphon off our credit and debit card information.  They might find it more difficult to steal from our companies.  They might have a harder time with phishing attacks.  I would rather have service from someone trying to stop this kind of thing than from a company that does nothing.

The Internet Off the Rails

I was struck by L. Gordon Crovitz's opinion piece in the Wall Street Journal today [Internet Governance Follies], because we have forgotten how the Internet is managed and the politics that surround it.  He is critical of how we came to be in a position of not supporting the management function known as ICANN:  "Normally, that would have prompted some rethinking by the Internet Corporation for Assigned Names and Numbers, which exercises its authority under a contract from the Commerce Department. Instead, two days later came the surprise announcement from the Obama administration that Icann was so “mature” that it no longer needed U.S. oversight, which the administration planned to end in September 2015."

The position we are in now has completely reversed, apparently partly because of the ".sucks" domain, which Jay Rockefeller said would be trouble and "will be used to unfairly defame individuals, non-profits and businesses," which has turned out to be true.  Gone is Fadi Chehade, until recently president and CEO of ICANN.  The contract issued by the Commerce Department has not lapsed and is back on.

This is a mess largely created by our own idea that the Internet should be free, when it is anything but.  The Russians, Chinese, North Koreans, and Iranians rigidly control their Internet.  Putin says it is "a CIA project."  Many others, like Turkey, Syria and Egypt, try to control some of the content.  We can't be free when a plurality of Internet users control the content of the medium.  They don't just want to control the content in their own countries; they want to control ours too.