The arrest in China of Chang Xiaobing will hardly raise a ripple in the U.S. but it is something we should be paying attention to. The story is in every major financial newspaper because China reported it, given the publicly traded company's investment value. [see http://www.wsj.com/articles/china-telecom-head-detained-by-countrys-antigraft-regulator-1451218892 as an example ] A similar event in the U.S. would be like having the Chairman of the Board of AT&T arrested for public corruption. It would not be something we would miss.
There are two things about this particular arrest. First, unless you were sleeping for the past couple of years, it was hard to miss the number of arrests of public officials in China, most of them associated with the military. Very few of these are what we would call "criminal behavior", but the Chinese have no problem with labeling anything the Party is unhappy about as criminal. Xiaobing must have crossed swords with the wrong people along the way, and they would have to be way up there in the hierarchy of the Party. The three telecoms in China are managed by a special committee run by President Xi Jinping. He controls them very tightly and has quite a bit to say about how they are managed and controlled. He relies on the telecoms to enforce the new counter terror regulations which included both monitoring and "cooperating with investigations", a new term that means give up your encryption and give us back doors when we need one. These are not good for relations with foreign companies that must cooperate with these onerous rules.
Second, Xiaobing was the head of a state-sponsored enterprise, a business with quasi-independence but where the rules and policies of the company are set by the government. The government regulates it and manages it, something that doesn't work out very well anywhere. This is where the arrest of the Chairman of AT&T would be different. He runs a business responsive to the shareholders and the board, not the Democratic Party.
If nothing else, none of the telecoms are going to push back on the policies China has instituted. They make not like the affect it has on their customer relations, but they will be smiling and moving along.
Monday, December 28, 2015
Chinese Pass Backwards Towards Goal
The Chinese legislature, to nobody's great surprise, has passed the most unbelievable counter-terrorism law in recent memory. ABC News, in an AP story yesterday, [http://abcnews.go.com/International/wireStory/chinas-legislature-oks-controversial-anti-terrorism-law-35961983 ] says "They say it is troublesome that telecommunications companies and Internet service providers are required to share encryption keys and back-door access with the police and state security agents seeking to prevent terrorist activities or investigating terror acts." This essentially means no security from the Chinese Central Government and the Communist Party, a strategy that every corporate boardroom will be looking at, if it hasn't already. Nearly everybody has some business with China, and secrets they would like to keep that way. This legislation makes sure there will be none.
But, I feel so much better after reading this article which quotes the government spokesman, ""Relevant regulations in the anti-terrorism law will not affect the normal business operation of companies, and we do not use the law to set up 'back doors' to violate the intellectual property rights of companies," said Li Shouwei of the National People's Congress Standing Committee's legislative affairs commission.
But, I feel so much better after reading this article which quotes the government spokesman, ""Relevant regulations in the anti-terrorism law will not affect the normal business operation of companies, and we do not use the law to set up 'back doors' to violate the intellectual property rights of companies," said Li Shouwei of the National People's Congress Standing Committee's legislative affairs commission.
"The law will not damage people's freedom of speech or religion," Li said."
Today's Wall Street Journal has a similar article, but notes the language of the original draft was watered down, now "technical interfaces and technical support" for "terrorists and criminal" cases. That could prove difficult, since the Chinese have a way of making criminals out of people who were doing business in a way that puts their businesses at a disadvantage. All the assurances in the world are not going to help that situation..
Businesses that operate in China should be paying attention. There is no way to protect business information with this kind of attention being made to the internal IT of a company. If the Chinese government didn't use that information for its own benefit, it wouldn't be such a big deal, but they do. They can make all the right assurances, but they remind me of the assurances they made a few years ago that nobody in China was hacking businesses in the U.S.
Today's Wall Street Journal has a similar article, but notes the language of the original draft was watered down, now "technical interfaces and technical support" for "terrorists and criminal" cases. That could prove difficult, since the Chinese have a way of making criminals out of people who were doing business in a way that puts their businesses at a disadvantage. All the assurances in the world are not going to help that situation..
Businesses that operate in China should be paying attention. There is no way to protect business information with this kind of attention being made to the internal IT of a company. If the Chinese government didn't use that information for its own benefit, it wouldn't be such a big deal, but they do. They can make all the right assurances, but they remind me of the assurances they made a few years ago that nobody in China was hacking businesses in the U.S.
Wednesday, December 23, 2015
Maintenance Sanctions
The term the White House used to describe a continuing round of sanctions against Russia's Friends of Putin (FoP) is something new the realm of sanction making- "maintenance sanctions". It sounds like an apology for doing what Europe has already done, and what we have every justification in doing. The term used is just odd. It sounds like a State Department term, born out of political correctness, and not one that came from Treasury where the enforcement comes.
The sanctions are centered on three people, Gennady Timchenko and Boris and Arkady Rotenberg, who are supposed to be facilitating the moves to allow Russia to avoid the affects of sanctions. Give credit where credit is due; they have been doing a good job of it.
Timchenko was an FoP long before Russia invaded Crimea, belonging to the same judo club, playing hockey together, and establishing political ties in St Petersburg before Putin moved up the chain. Good business people do these kinds of things all the time, and that is how they get rich, which he did. The Wall Street Journal [ http://www.wsj.com/articles/u-s-money-laundering-probe-touches-putins-inner-circle-1415234261 ] reported his connection to a money laundering operation using transfers of oil from one country to another. Forbes puts his worth at around $13Billion so he probably is not traveling much where these sanctions would matter.
The Rotenbergs were also Judo club members and Putin sparing partners in St Petersburg, and also got into oil and gas. The both seemed to benefit less than Timchenko, but more than the average Russian on the street. [ http://www.forbes.com/profile/arkady-rotenberg/ ].
So, we cooperated with Russia on Syria, and they bombed allies of the coalition. We make sanctions on them, but add that they are just "maintenance" on the existing set. Even Europe is doing better. In the meantime, we do next to nothing to help the Ukraine where the real fighting is taking place. Maybe we should remember the reason for those sanctions was Russia's capture of Crimea, 10,425 square miles of land, south of the region where the fighting is taking place. This is about the same size as Massachusetts. When the Syrian shiny news object came along, most of the Washington crowd forgot about Crimea. That is why they do maintenance now.
The sanctions are centered on three people, Gennady Timchenko and Boris and Arkady Rotenberg, who are supposed to be facilitating the moves to allow Russia to avoid the affects of sanctions. Give credit where credit is due; they have been doing a good job of it.
Timchenko was an FoP long before Russia invaded Crimea, belonging to the same judo club, playing hockey together, and establishing political ties in St Petersburg before Putin moved up the chain. Good business people do these kinds of things all the time, and that is how they get rich, which he did. The Wall Street Journal [ http://www.wsj.com/articles/u-s-money-laundering-probe-touches-putins-inner-circle-1415234261 ] reported his connection to a money laundering operation using transfers of oil from one country to another. Forbes puts his worth at around $13Billion so he probably is not traveling much where these sanctions would matter.
The Rotenbergs were also Judo club members and Putin sparing partners in St Petersburg, and also got into oil and gas. The both seemed to benefit less than Timchenko, but more than the average Russian on the street. [ http://www.forbes.com/profile/arkady-rotenberg/ ].
So, we cooperated with Russia on Syria, and they bombed allies of the coalition. We make sanctions on them, but add that they are just "maintenance" on the existing set. Even Europe is doing better. In the meantime, we do next to nothing to help the Ukraine where the real fighting is taking place. Maybe we should remember the reason for those sanctions was Russia's capture of Crimea, 10,425 square miles of land, south of the region where the fighting is taking place. This is about the same size as Massachusetts. When the Syrian shiny news object came along, most of the Washington crowd forgot about Crimea. That is why they do maintenance now.
Tuesday, December 22, 2015
Criminal Behavior, Chinese Style
Businesses, at least for the last few years, have to worry about types of information they collect later being called state secrets. The Chinese do that after the fact, so it is good to be psychic. Now we have the added incentive to be both psychic and quiet about it - Pu Zhiqiang - a lawyer, and one of China's best known rights activists. This kind of legal work is not very well received in China, where crimes are more or less defined "as needed". He was charged with a crime that is difficult to recognize as criminal behavior, "inciting ethnic hatred" and "picking quarrels". He was in custody for 18 months before this sentence, a three-year suspended sentence with conditions of behavior, was announced. His real crime was posting seven messages on the Chinese equivalent of Twitter, criticizing China's ethic policies and blaming specific government officials for their incompetence.
This lowly crime is certainly worth punishment, usually carried out by the social media equivalent of a jury, not by the State Criminal Court system. The Chinese seem bent on criminalizing behavior they can't control and the two examples are far from extensive research on the subject. It is a corrupt system where incompetence is rewarded by political support for attacks against anyone who points out how stupid you are in the way you go about your business.
This lowly crime is certainly worth punishment, usually carried out by the social media equivalent of a jury, not by the State Criminal Court system. The Chinese seem bent on criminalizing behavior they can't control and the two examples are far from extensive research on the subject. It is a corrupt system where incompetence is rewarded by political support for attacks against anyone who points out how stupid you are in the way you go about your business.
The Kurds Can't Win Alone
During the early days of the current Iraq administration, the Kurds were not getting the money they were promised, were cut out of oil revenue sharing that they were supposed to get, and still fought without supplies that were routed through the central government and never seemed to get to where they were needed. The United States was partially responsible for that mess, though it didn't seem to have much influence over the guys in Baghdad.
That problem has not gone away, as a story in the Wall Street Journal reminds us [ Stingy Baghdad Harms the ISIS Fight, 20 December ]. The story says " Through no fault of its own, the Kurdish Regional Government (KRG) is unable to pay the salaries of its employees, including the famed Peshmerga fighting force." You would think that an army of fighters who have done pretty well against ISIS, the same enemy of the central government has, could put aside their differences long enough to fight them together, but that doesn't seem to have happened. More important, the Allied forces in Iraq haven't done a lot to get this show on the road by funding the Kurds directly, if necessary. The Iraq government seems to have adopted the view, held by Iran, that the Kurds are dangerous and should not be encouraged. That might be, as Pew Research points out, that only about 2% of them are Shia Muslims like our Iranian buddies.
I'm not sure we fought the Iraq war to make a religious statement to the world about the benefits of one Muslim group or another. Iraq seems to be making that distinction, not the people supporting this government. It follows Iran. We seem to have spent billions of dollars establishing a group of leaders who are not very good allies. This is what passes for democracy in the Middle East.
The Kurds cannot fight without resources. Turkey is in a quandary over this because trying to keep tabs on the various groups of Kurds, some fighting Turkey and some not, has not proven to be easy. Iran is not happy with the Kurds being strong in an area they are weak in and they certainly don't trust any of the Sunnis. When governments make decisions more on religious grounds than common sense, we get a tangled mess that benefits nobody. No wonder we have such a difficult time getting rid of these terrorists who live there..
That problem has not gone away, as a story in the Wall Street Journal reminds us [ Stingy Baghdad Harms the ISIS Fight, 20 December ]. The story says " Through no fault of its own, the Kurdish Regional Government (KRG) is unable to pay the salaries of its employees, including the famed Peshmerga fighting force." You would think that an army of fighters who have done pretty well against ISIS, the same enemy of the central government has, could put aside their differences long enough to fight them together, but that doesn't seem to have happened. More important, the Allied forces in Iraq haven't done a lot to get this show on the road by funding the Kurds directly, if necessary. The Iraq government seems to have adopted the view, held by Iran, that the Kurds are dangerous and should not be encouraged. That might be, as Pew Research points out, that only about 2% of them are Shia Muslims like our Iranian buddies.
I'm not sure we fought the Iraq war to make a religious statement to the world about the benefits of one Muslim group or another. Iraq seems to be making that distinction, not the people supporting this government. It follows Iran. We seem to have spent billions of dollars establishing a group of leaders who are not very good allies. This is what passes for democracy in the Middle East.
The Kurds cannot fight without resources. Turkey is in a quandary over this because trying to keep tabs on the various groups of Kurds, some fighting Turkey and some not, has not proven to be easy. Iran is not happy with the Kurds being strong in an area they are weak in and they certainly don't trust any of the Sunnis. When governments make decisions more on religious grounds than common sense, we get a tangled mess that benefits nobody. No wonder we have such a difficult time getting rid of these terrorists who live there..
As it Turns Out, No Donald
ISIS is not going to be showing videos of Donald Trump anytime soon. The idea that they care about the internal politics of the U.S. Is mostly fantasy invented by people who want to believe that everyone cares about our politics. Most of the people it is trying to reach probably don't know who he is and could care less if he runs or doesn't. If an errant bomb falls on a family in Syria, an ISIS propagandist will be there to make sure the blood of that child is clearly on camera. The Taliban did it almost every day with bombs falling on "wedding parties" and family gatherings, where everyone present was carrying an AK-47. It is, after all, a dangerous country and even a bride has to be protected.
This illusion is part of the psychological warfare that every country uses and groups like ISIS and the Taliban have picked up from them. They say, in a way, that these people are trying to live peaceful lives and some foreign power comes along and bombs them. Nothing could be further from the truth. The Taliban, Hizbollah, and ISIS have used the local populations of villages as hostages with the clear intent of making them targets. They won't let the hostages run, and the live among them as protection from the bombs. Israel has videos of Palastinians gathering on the rooftops of buildings so they wouldn't be bombed. These are people who intentionally used the only weapon they had to stop them. Those bombs are the great equalizer, something the Taliban and ISIS can't match. Groups who protest the air and drone strikes try to come off as a ground swell of popular uprising against foreigners who bomb them, when the signs they carry are clearly not made in the back room of some mud house where the video is shot.
If any of you actually believe ISIS cares one bit about who we elect as President, then look around at what they send out on social media. It isn't pretty stuff made in Hollywood. It isn't even that "slick" of a production. It is largely crude, barbaric rambling of psychotic killers. The few that aren't - real exceptions - are justification for killing others who don't believe the same way they do. Muslims are finding out that a good number of them are included.
Monday, December 21, 2015
China Tells U.S. To Give
The Chinese are usually subtle about making a point, but Bloomberg has an article today that describes a less than subtle approach to U.S. Objections to their spread of territory. [ See, David Tweed, China Tells U.S. To Stop Flexing Military Muscle in Asia, 21 December 2015 ] Wang Yi, China's Foreign Minister is lecturing the U.S. On how to behave in their foreign policy. Don't show off your military power; don't get to close to seas that China claims as its own; don't sell things to Taiwan. Objections noted.
So, the bottom line here is that China expects the United States to behave like they agree with China over their claim to the entire South China Sea, including those little islands where a B-52 wandered last week, and the big island of Taiwan. It doesn't occur to the Foreign Minister that the Chinese claim to an area 1000 miles from its shores doesn't carry much weight and should be ignored. When I wrote my first book five years ago, The Chinese Information War, they were already trying to in force claims that were not recognized by most of their neighbors in that region. They hadn't built up the Sprately Islands yet, but still told everyone they owned it. They haven't stopped claiming it; they haven't let up on the rhetoric; they haven't changed their approach to other countries that send ships and airplanes into the area, as a BBC crew did this year. They broadcast repeated warnings to anyone that gets close. They don't mind if others object to their view, but they will continue to claim the seas well beyond their territorial waters. They act surprised when anyone challenges their claims, usually by flying or floating through the area. They act like continuing to claim the area will eventually win out. They retaliate by sending ships into our territorial waters in Alaska. "There will be consequences" they say.
We really can't accept their claims, and the Chinese cannot enforce them. But the countries around the South China Sea are more affected than the U.S. These are ridiculous, unsupportable claims equivalent to Mexico laying claim to California territories they once owned. Countries other than just the U.S. Need to stand up to this kind of expansion. We should be sending hundreds of multinational planes and ships through that territory and universally ignoring their warnings. Let them figure out one day that the rest of the world doesn't follow China just because it says we should.
So, the bottom line here is that China expects the United States to behave like they agree with China over their claim to the entire South China Sea, including those little islands where a B-52 wandered last week, and the big island of Taiwan. It doesn't occur to the Foreign Minister that the Chinese claim to an area 1000 miles from its shores doesn't carry much weight and should be ignored. When I wrote my first book five years ago, The Chinese Information War, they were already trying to in force claims that were not recognized by most of their neighbors in that region. They hadn't built up the Sprately Islands yet, but still told everyone they owned it. They haven't stopped claiming it; they haven't let up on the rhetoric; they haven't changed their approach to other countries that send ships and airplanes into the area, as a BBC crew did this year. They broadcast repeated warnings to anyone that gets close. They don't mind if others object to their view, but they will continue to claim the seas well beyond their territorial waters. They act surprised when anyone challenges their claims, usually by flying or floating through the area. They act like continuing to claim the area will eventually win out. They retaliate by sending ships into our territorial waters in Alaska. "There will be consequences" they say.
We really can't accept their claims, and the Chinese cannot enforce them. But the countries around the South China Sea are more affected than the U.S. These are ridiculous, unsupportable claims equivalent to Mexico laying claim to California territories they once owned. Countries other than just the U.S. Need to stand up to this kind of expansion. We should be sending hundreds of multinational planes and ships through that territory and universally ignoring their warnings. Let them figure out one day that the rest of the world doesn't follow China just because it says we should.
Sunday, December 20, 2015
Russian Covert Forces in Syria
So, how do the Russians keep the number of troops down in Syria, covering their losses when an errant bomb falls on them? They use a couple of methods, outlined in my last book, The New Cyberwar, that are similar to those used in Ukraine to be able to deny (until very recently) that regular army troops were supporting the rebellion. For you Star Wars fans, they were not the good guys in this story.
The Russians first deny that any deaths have occurred. Mothers do not find out their sons have died; they just don't get any letters from them anymore. In some cases, they did allow closed ceremonies for covert forces and these were not covered in the press. Some people took videos and leaked one such story to the New York Times. In other cases, they pretend these people do not exist. They went over for "vacation" and decided to stay. One person, discovered by the Ukraine government, had six I'd cards in different names, one of them from Russian Special Forces. Not the brightest bulb on the planet to be carrying his special forces ID with him.
In a story last week in the Wall Street Journal [http://www.wsj.com/articles/up-to-nine-russian-contractors-die-in-syria-experts-say-1450467757 ] we find that nine contractors were killed when a mortar round fell on them. The story goes on to say, "The incident, experts say, shows how Russia has used contractors to perform quasi-military tasks, avoiding the political repercussions of deploying uniformed troops—and steering clear of the domestic concerns that come with the deaths of soldiers."
It is a sad commentary on a country that does not only not honor its dead, it denies them. Even the CIA puts stars on the wall at the Headquarters. They may not carry a name, but the dead are honored in way everyone understands.
The Russians first deny that any deaths have occurred. Mothers do not find out their sons have died; they just don't get any letters from them anymore. In some cases, they did allow closed ceremonies for covert forces and these were not covered in the press. Some people took videos and leaked one such story to the New York Times. In other cases, they pretend these people do not exist. They went over for "vacation" and decided to stay. One person, discovered by the Ukraine government, had six I'd cards in different names, one of them from Russian Special Forces. Not the brightest bulb on the planet to be carrying his special forces ID with him.
In a story last week in the Wall Street Journal [http://www.wsj.com/articles/up-to-nine-russian-contractors-die-in-syria-experts-say-1450467757 ] we find that nine contractors were killed when a mortar round fell on them. The story goes on to say, "The incident, experts say, shows how Russia has used contractors to perform quasi-military tasks, avoiding the political repercussions of deploying uniformed troops—and steering clear of the domestic concerns that come with the deaths of soldiers."
It is a sad commentary on a country that does not only not honor its dead, it denies them. Even the CIA puts stars on the wall at the Headquarters. They may not carry a name, but the dead are honored in way everyone understands.
Friday, December 18, 2015
OPM Apocalypse II
I have been reading the OPM Inspector General FISMA Report from November 2015, only one month ago. It almost seems like something written for the TV series The Twilight Zone, where reality never seemed to be quite what you expected or could imagine from past experience. OPM is a disaster waiting to happen - again - and nobody in the Federal government seems able to stop it or even slow down the train that led to the compromise of 24 million security clearance records.
OPM still has the same kinds of problems that allowed the Chinese to steal those records, but puts on a face that says they have corrected most of the things that allowed that to be done. So, do we believe what OPM's leadership says, or what the IG says? Had we listened to the the IG in 2012, 2013, or 2014 there is some chance that the theft of data might not have occurred. Can we do this again and still feel good about it? Obviously, OPM thinks it can.
There are some glaring deficiencies in OPM that make it a constant target, but ignoring them will not make them go away:
1. The IG says that 23 systems continue to operate without Authorization. What that really means is that OPM leadership does not want to take the risk of putting their name on anything that might come back to bite them. It reminds me of the IRS, when the CIO was briefed on the vulnerabilities of electronic filing - before it started - and he dropped the report on his desk and said, "I've heard of that. Give that to [one of his assistants] to read." The systems continue to operate without approval.
2. Remedial action is not being carried out where deficiencies have been noted. This is a trick many agencies use. They don't record the actions required to fix a problem so they can't be cited for not doing those things.
3. The systems still aren't being properly monitored for intrusions:
OPM does not have a mature continuous monitoring program, nor established a baseline that is needed to assess one.
The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
We are unable to independently attest that OPM has a mature vulnerability scanning program. I kind of wonder about this since OPM IG has access to most of the people in the organization and we have to wonder why they can't find out if such a program exists...
Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.
OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
OPM has not fully established a Risk Executive Function.
These are basic things that do not require a PhD to implement, nor a lot of time, yet from one year to the next OPM has the same identified set of problems. The only difference is they have had an identified hack since then. Any normal person would think that would cause an effort to try to correct some of the more egregious ones like not have 2-factor authentication or not doing security scanning. Perhaps the next thing that should be done is get the damned security records out of the hands of OPM and put them back in DoD where they came from.
OPM still has the same kinds of problems that allowed the Chinese to steal those records, but puts on a face that says they have corrected most of the things that allowed that to be done. So, do we believe what OPM's leadership says, or what the IG says? Had we listened to the the IG in 2012, 2013, or 2014 there is some chance that the theft of data might not have occurred. Can we do this again and still feel good about it? Obviously, OPM thinks it can.
There are some glaring deficiencies in OPM that make it a constant target, but ignoring them will not make them go away:
1. The IG says that 23 systems continue to operate without Authorization. What that really means is that OPM leadership does not want to take the risk of putting their name on anything that might come back to bite them. It reminds me of the IRS, when the CIO was briefed on the vulnerabilities of electronic filing - before it started - and he dropped the report on his desk and said, "I've heard of that. Give that to [one of his assistants] to read." The systems continue to operate without approval.
2. Remedial action is not being carried out where deficiencies have been noted. This is a trick many agencies use. They don't record the actions required to fix a problem so they can't be cited for not doing those things.
3. The systems still aren't being properly monitored for intrusions:
OPM does not have a mature continuous monitoring program, nor established a baseline that is needed to assess one.
The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
We are unable to independently attest that OPM has a mature vulnerability scanning program. I kind of wonder about this since OPM IG has access to most of the people in the organization and we have to wonder why they can't find out if such a program exists...
Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.
OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
OPM has not fully established a Risk Executive Function.
These are basic things that do not require a PhD to implement, nor a lot of time, yet from one year to the next OPM has the same identified set of problems. The only difference is they have had an identified hack since then. Any normal person would think that would cause an effort to try to correct some of the more egregious ones like not have 2-factor authentication or not doing security scanning. Perhaps the next thing that should be done is get the damned security records out of the hands of OPM and put them back in DoD where they came from.
Thursday, December 17, 2015
Using Personal Email for Government Business
Government people were using personal email for government business the day after email was invented. We have a former Secretary of State, running for President, who set up a server to do it from her basement, and a Secretary of Defense who did it for several months - as we found out yesterday. The difference between people who used to do it, and people who do it now, should be obvious to anyone. Hackers were not that prevalent in the early days of email. Today is different.
We are missing something from these high offices - security education. Our security folks are lazy and think sending around a note or an email will suffice to get the attention of an executive who gets 1000 of them a day. If that person finds the email, they have other priorities that keep them from reading it. These kinds of briefings have to be in person, and have to have a credible threat briefing that tells individuals why they shouldn't be using private emails, unless they want those emails to be read by many groups of foreign intelligence, hacker gangs, and kids in the neighborhood with nothing much else to do. We used to read that email and take it in for the leader to see. That was ethical hacking for a purpose. Nobody seems to do that anymore.
This is partly policy, since a few people in State knew what was going on but didn't notice that there was no policy prohibiting the use of personal email for government business. Why there has to be such a policy is a mystery, since presumably we are putting smart people in these positions and they should know better. However, for the sake of appearances, there should be a policy for those who think they can do anything if there is no prohibition against it. It is a flaw in our policy that allows that belief. We should not have to tell every person in a position of trust and leadership what they can and cannot do. As we know, they will do what they want, policy or no policy, so having one that is ignored is no better than not having one. It is just an excuse for being careless.
They are out of excuses for this kind of behavior. We should not accept any. Leaders, in the White House, at the Secretary levels of government, in the military, and all the other places who should no better, should not be allowed any excuses. No email for government business. We spend millions of dollars to make a system they can use to communicate with one another, but they use something else. If that something else is secure, stop spending the money on all those systems. Get contracts with Something Else and start using it. No excuses.
We are missing something from these high offices - security education. Our security folks are lazy and think sending around a note or an email will suffice to get the attention of an executive who gets 1000 of them a day. If that person finds the email, they have other priorities that keep them from reading it. These kinds of briefings have to be in person, and have to have a credible threat briefing that tells individuals why they shouldn't be using private emails, unless they want those emails to be read by many groups of foreign intelligence, hacker gangs, and kids in the neighborhood with nothing much else to do. We used to read that email and take it in for the leader to see. That was ethical hacking for a purpose. Nobody seems to do that anymore.
This is partly policy, since a few people in State knew what was going on but didn't notice that there was no policy prohibiting the use of personal email for government business. Why there has to be such a policy is a mystery, since presumably we are putting smart people in these positions and they should know better. However, for the sake of appearances, there should be a policy for those who think they can do anything if there is no prohibition against it. It is a flaw in our policy that allows that belief. We should not have to tell every person in a position of trust and leadership what they can and cannot do. As we know, they will do what they want, policy or no policy, so having one that is ignored is no better than not having one. It is just an excuse for being careless.
They are out of excuses for this kind of behavior. We should not accept any. Leaders, in the White House, at the Secretary levels of government, in the military, and all the other places who should no better, should not be allowed any excuses. No email for government business. We spend millions of dollars to make a system they can use to communicate with one another, but they use something else. If that something else is secure, stop spending the money on all those systems. Get contracts with Something Else and start using it. No excuses.
Wednesday, December 16, 2015
A Russian Jihadi
We have another case of a person cutting the throat of another human being and saying it is for a good cause. It is hard to understand how this kind of behavior is supposed to get a person into heaven, or why ISIS followers of Islam find it an attractive thing to do. This time, the spokesman is Russian and speaking to the many Russians living and working in that country, most of whom are Christians. [ http://www.wsj.com/articles/russia-grapples-with-its-own-jihadi-john-as-moscow-steps-up-role-in-syria-1450175412 ]
We can always tell who is hurting ISIS by the people it singles out for death. The Russians bombing campaign is having an effect, though it was not what they advertised it to be. They said they were going after ISIS, but they bombed people who were fighting against Assad, most having nothing to do with ISIS. It would seem that ISIS must be hurt by these air strikes or they wouldn't have reacted the way they did.
This guy is one of many killers trained by ISIS to slaughter helpless people in an up-close-and-personal kind of attack. You almost never see ISIS attack an armed individual, though they do show a video of blowing up a truck now and again, and there might be armed people in that truck - maybe not.
It is a curiosity that ISIS only shows the killing of unarmed people, bound and helpless. It is unlikely that this image is the one it wants to convey to the world, but it is the reason why thousands of people evacuate the territories that ISIS holds. Being neutral will not help you avoid being killed. Being innocent will not help you. No group, trying to be a country, has ever been successful with this kind of strategy applied to its population.
We can always tell who is hurting ISIS by the people it singles out for death. The Russians bombing campaign is having an effect, though it was not what they advertised it to be. They said they were going after ISIS, but they bombed people who were fighting against Assad, most having nothing to do with ISIS. It would seem that ISIS must be hurt by these air strikes or they wouldn't have reacted the way they did.
It is a curiosity that ISIS only shows the killing of unarmed people, bound and helpless. It is unlikely that this image is the one it wants to convey to the world, but it is the reason why thousands of people evacuate the territories that ISIS holds. Being neutral will not help you avoid being killed. Being innocent will not help you. No group, trying to be a country, has ever been successful with this kind of strategy applied to its population.
Russian Sanctions to Continue
There was a short reminder from Europe that people don't forget what the Russians did in Crimea or Ukraine. Laurence Norman, in short Wall Street Journal article, says Europe has decided to continue its sanctions against Russian banks, largely because they don't feel the Russians have done much to improve the situation. They still support their Russian speaking allies in the eastern part of Ukraine, and have not changed their stance on Crimea, holding onto it like it was part of Russia, and digging in for the long haul. It will be trouble for them for a long time.
The Russians always act like the next news story is not very far away. That shiny object will change the world's views of their actions and make the world public forget that anything ever happened. Russian news services rack up the stories, when it is in their interest, but stop them when necessary.
We need to be a little more like Europe and look at the long run of events. The Russians are not going to stop meddling in Ukraine's politics, feeding arms to the rebels, or throwing gasoline on any crisis they can manufacture there.
The Russians always act like the next news story is not very far away. That shiny object will change the world's views of their actions and make the world public forget that anything ever happened. Russian news services rack up the stories, when it is in their interest, but stop them when necessary.
We need to be a little more like Europe and look at the long run of events. The Russians are not going to stop meddling in Ukraine's politics, feeding arms to the rebels, or throwing gasoline on any crisis they can manufacture there.
Tuesday, December 15, 2015
China Builds Resentment in South China Sea
I guess I missed the 2014 riots in Vietnam that burned down over 100 Chinese manufacturing facilities, large and small. We have heard next to nothing about it since then, largely due to press controls by China. There was a short piece on the evacuation of 3000+ Chinese citizens from Vietnam in the latest U.S. China Economic and Security Review Commission annual report to Congress, and it kind of made me wonder why the Chinese would have to evacuate its citizens from a country that was supposed to be friends with China. This kind of thing happens all the time to the U.S. but not China.
A country doesn't evacuate it citizens unless there is a real risk something bad will happen to them. Reports in the Financial Times [http://www.ft.com/intl/cms/s/0/251f27a2-de4c-11e3-9640-00144feabdc0.html#axzz3uObULUwO ] and The Wall Street Journal [ http://www.wsj.com/articles/behind-vietnams-anti-china-riots-a-tinderbox-of-wider-grievances-1403058492 ] are pretty illuminating. Bad things might have happened, if the Vietnamese government hadn't stepped in. Three people were killed and a good many businesses burned down, not all of them from the mainland. Taiwan and China suffered equally, as did South Korea. However, we did not see a report of evacuation of their citizens. Once mobs gets started, they sometimes fail to see the differences between friends and enemies.
These events had economic roots, but not the kind one associates with manufacturing in foreign territories, where labor costs, working conditions, and competition from foreign immigrants is enough to get people excited. This was, at least on the surface, about something else - an oil platform the Chinese put in the South China Sea, where Vietnam laid claim to the waters it was floating on. We rarely have riots in the streets over something like that, and we can be pretty sure the Vietnamese rarely do either. They haven't stopped being one of the few remaining Communist Party led countries of the world. China is another. Oil separates politics pretty fast.
Sentiment must have run deeper than just an oil platform to have riots requiring the evacuation of citizens of China. Maybe some of them remember that the Chinese and Vietnamese fought a short war over boundary issues in the North, right after our withdrawal from there. They don't forget as quickly as we do. Maybe the cultures clashed a little bit more than they want to say. Maybe they really are upset that the Chinese would stake a claim to territories long considered to be owned by Vietnam. If so, there will be more to come. In a news special, the BBC sent a small private aircraft over one of the South China Sea islands where the Chinese had been doing a lot of construction. They were repeatedly warned about their penetration of Chinese airspace. The more frequent the warnings the more nervous the flight crew became. The same warnings were given over and over. The Chinese don't seem to care that other countries find their claims dubious and disturbing. It will come to a bad end one day, and the kinds of happenings that led up to the evacuation of their business leaders from Vietnam are just the beginning.
A country doesn't evacuate it citizens unless there is a real risk something bad will happen to them. Reports in the Financial Times [http://www.ft.com/intl/cms/s/0/251f27a2-de4c-11e3-9640-00144feabdc0.html#axzz3uObULUwO ] and The Wall Street Journal [ http://www.wsj.com/articles/behind-vietnams-anti-china-riots-a-tinderbox-of-wider-grievances-1403058492 ] are pretty illuminating. Bad things might have happened, if the Vietnamese government hadn't stepped in. Three people were killed and a good many businesses burned down, not all of them from the mainland. Taiwan and China suffered equally, as did South Korea. However, we did not see a report of evacuation of their citizens. Once mobs gets started, they sometimes fail to see the differences between friends and enemies.
These events had economic roots, but not the kind one associates with manufacturing in foreign territories, where labor costs, working conditions, and competition from foreign immigrants is enough to get people excited. This was, at least on the surface, about something else - an oil platform the Chinese put in the South China Sea, where Vietnam laid claim to the waters it was floating on. We rarely have riots in the streets over something like that, and we can be pretty sure the Vietnamese rarely do either. They haven't stopped being one of the few remaining Communist Party led countries of the world. China is another. Oil separates politics pretty fast.
Sentiment must have run deeper than just an oil platform to have riots requiring the evacuation of citizens of China. Maybe some of them remember that the Chinese and Vietnamese fought a short war over boundary issues in the North, right after our withdrawal from there. They don't forget as quickly as we do. Maybe the cultures clashed a little bit more than they want to say. Maybe they really are upset that the Chinese would stake a claim to territories long considered to be owned by Vietnam. If so, there will be more to come. In a news special, the BBC sent a small private aircraft over one of the South China Sea islands where the Chinese had been doing a lot of construction. They were repeatedly warned about their penetration of Chinese airspace. The more frequent the warnings the more nervous the flight crew became. The same warnings were given over and over. The Chinese don't seem to care that other countries find their claims dubious and disturbing. It will come to a bad end one day, and the kinds of happenings that led up to the evacuation of their business leaders from Vietnam are just the beginning.
Monday, December 14, 2015
Homeland Security Bomb
I had experience with Homeland Security over the years, and always thought they were the least efficient government agency in existence, but they have managed to strike bottom at the Government Oversight Committee hearings.
Government agencies know how to testify at hearings. Anyone who does it gets a briefing on how to behave and answer questions. The information witnesses prepare is carefully gone over and reviewed all the way up to the agency head. Nobody testifies on anything without the senior leadership of the agency knowing what is going to be said.
Jim Jordan, asking questions about the Visa Waiver Program: “Ms. Burriesci, I’ve asked you the number of Americans that have travelled to Syria — you don’t know; the number of Americans that may have travelled and returned — you don’t know; the number of Syrian refugees who have entered the country in the last year — you don’t know; the number of Visa Waiver Program overstays — you don’t know; the number of visa waiver overstays who may have been to Syria before they came here — you don’t know; and the number of American citizens on the no-fly list — and you don’t know.”
We worry about such things, of course, because we have weak border controls and we allow potential terrorists to enter, stay without being removed, go to sanctuary cities and avoid removal, without the slightest bit of oversight. This is what Congress is supposed to do - find out what policies are actually enabled, and make recommendations as to what to do about those that are not. In this case [https://oversight.house.gov/hearing/terrorism-and-the-visa-waiver-program/ ] instead of making everyone feel better about what the government is doing to protect them, we find that not much is being done, the witnesses were ill prepared to talk to major portions of the issues, and we could have any number of people who came on visas and never left. That made me very uncomfortable. Do I feel safer now? No. Do I think our government is on top of immigration and terror screening? No. Do I think Homeland is going to be improving this situation in the near future? Not likely.
Government agencies know how to testify at hearings. Anyone who does it gets a briefing on how to behave and answer questions. The information witnesses prepare is carefully gone over and reviewed all the way up to the agency head. Nobody testifies on anything without the senior leadership of the agency knowing what is going to be said.
Jim Jordan, asking questions about the Visa Waiver Program: “Ms. Burriesci, I’ve asked you the number of Americans that have travelled to Syria — you don’t know; the number of Americans that may have travelled and returned — you don’t know; the number of Syrian refugees who have entered the country in the last year — you don’t know; the number of Visa Waiver Program overstays — you don’t know; the number of visa waiver overstays who may have been to Syria before they came here — you don’t know; and the number of American citizens on the no-fly list — and you don’t know.”
We worry about such things, of course, because we have weak border controls and we allow potential terrorists to enter, stay without being removed, go to sanctuary cities and avoid removal, without the slightest bit of oversight. This is what Congress is supposed to do - find out what policies are actually enabled, and make recommendations as to what to do about those that are not. In this case [https://oversight.house.gov/hearing/terrorism-and-the-visa-waiver-program/ ] instead of making everyone feel better about what the government is doing to protect them, we find that not much is being done, the witnesses were ill prepared to talk to major portions of the issues, and we could have any number of people who came on visas and never left. That made me very uncomfortable. Do I feel safer now? No. Do I think our government is on top of immigration and terror screening? No. Do I think Homeland is going to be improving this situation in the near future? Not likely.
Friday, December 11, 2015
Anonymous Attacks Trump
Well, it wasn't much, but it was something. In today's The Hill, we find a denial of service attack directed at the Trump Towers website. Anonymous claims it was because Trump spoke out against Muslims. How this helps that situation is a mystery. Their work with exposing ISIS accounts, which will pick up again this weekend, is much more valuable in the scheme of things.
Anonymous is described as "an activist group" but The Hill, which is a better assessment than those claiming it is an anarchist group. Anonymous tries to do things that governments could not do, even though they would probably like to now and again.
Anonymous is described as "an activist group" but The Hill, which is a better assessment than those claiming it is an anarchist group. Anonymous tries to do things that governments could not do, even though they would probably like to now and again.
The Bell-Shaped Curve of Terror
Years ago, I met Dr. John Carroll, a Canadian author of the first book I ever read on computer security (1972). He mentioned something in another of his articles about the bell-shaped curve of people in computer crime. Out of every population, there are a certain proportion of people (about 5%) who will not follow rules, even if they know what they are required to do. A subset of those will become criminals. If you think about this as a principle of human nature, it can be applied to the population of terrorists. This kind of takes religion out of the equation.
In all the world, there are a small percentage of people who are pathological killers. It is a small subset of criminals. They will use a handy excuse to kill and savage people who are not strong enough to defend themselves. They rape, kill, demean, and dominate others - the enforcers of any kind of label we want to put on the dominating group. Gangs have them. Countries employ them. Religious groups use them. People who use them, can train them to be better at their job and give them justification to help them sleep at night.
Along the curve, there are people who tolerate this kind of behavior just to be comfortable where they are. To survive, they may have to. There are people who use this kind of person for their own benefit, but stay away from enforcement so they don't get their hands dirty; this includes a group of folks financing their operations. There are people who object to their behavior but can't do anything about what they are doing. There are people who actively fight them.
What we need to do is keep our perspective on who the enemy might be. It isn't all Russians, all Uighurs, all Muslims, or all of any population. We should develop support for those who want behave in a way that is consistent with our objectives. They don't have to fight our enemies, but we need to discourage those on the sidelines from supporting them. We have to encourage those who object to the behavior of our enemies, describe what is objectionable, and expose the logic. We have to help those who are actively fighting.
We seem to be treating our friends and enemies the same, when our enemies are a very small part of a large population of good guys. An equal effort to support our friends and isolate our enemies would seem to work better than what we are doing now.
In all the world, there are a small percentage of people who are pathological killers. It is a small subset of criminals. They will use a handy excuse to kill and savage people who are not strong enough to defend themselves. They rape, kill, demean, and dominate others - the enforcers of any kind of label we want to put on the dominating group. Gangs have them. Countries employ them. Religious groups use them. People who use them, can train them to be better at their job and give them justification to help them sleep at night.
Along the curve, there are people who tolerate this kind of behavior just to be comfortable where they are. To survive, they may have to. There are people who use this kind of person for their own benefit, but stay away from enforcement so they don't get their hands dirty; this includes a group of folks financing their operations. There are people who object to their behavior but can't do anything about what they are doing. There are people who actively fight them.
What we need to do is keep our perspective on who the enemy might be. It isn't all Russians, all Uighurs, all Muslims, or all of any population. We should develop support for those who want behave in a way that is consistent with our objectives. They don't have to fight our enemies, but we need to discourage those on the sidelines from supporting them. We have to encourage those who object to the behavior of our enemies, describe what is objectionable, and expose the logic. We have to help those who are actively fighting.
We seem to be treating our friends and enemies the same, when our enemies are a very small part of a large population of good guys. An equal effort to support our friends and isolate our enemies would seem to work better than what we are doing now.
Thursday, December 10, 2015
Crimea Goes Dark
A lot of bad things happen in the Ukraine, where the Russians and Ukrainians spar regularly, but two weeks ago Crimea was in the news for being without power. People unknown blew up the power tranmission lines heading from Ukraine into Crimea. Let's see, who might benefit from that? It is getting colder there now, and the repairs have only just begun. It isn't slow response that delays them, the Ukrainian Tartars were not allowing the repairs to be done. It isn't much, but there may be more to come.
The pictures we see from Crimea are children who look cold, and are definitely not in schools. The Russian news outlets are flooded with them. You can bet the big naval base at Sevastopol isn't without electricity. The Russians are fighting to maintain that base and access to the Black Sea, the same way they fight for Syrian bases in the Mediterranean. Putin is not giving up anything that helps him project his power into the oceans of the world.
There is a certain justice here. Ukraine has been through a lot with Russia over the past years, and had their energy supplies cut off three times, once in the middle of winter, because they politically didn't agree with Russia which supplied gas to them. Russia took Crimea without a fight, knowing that a good deal of its support came from the Ukraine. The Russians started working on power supplies and telecommunications infrastructure almost in the first week of occupation. That is not something done in a day. The Russians will be exposed to these kinds of annoyances for a long time. I doubt that they have seen the last of this kind of thing, but we have comfort in knowing that the fire the Russians started in Ukraine is not going out anytime soon.
The pictures we see from Crimea are children who look cold, and are definitely not in schools. The Russian news outlets are flooded with them. You can bet the big naval base at Sevastopol isn't without electricity. The Russians are fighting to maintain that base and access to the Black Sea, the same way they fight for Syrian bases in the Mediterranean. Putin is not giving up anything that helps him project his power into the oceans of the world.
There is a certain justice here. Ukraine has been through a lot with Russia over the past years, and had their energy supplies cut off three times, once in the middle of winter, because they politically didn't agree with Russia which supplied gas to them. Russia took Crimea without a fight, knowing that a good deal of its support came from the Ukraine. The Russians started working on power supplies and telecommunications infrastructure almost in the first week of occupation. That is not something done in a day. The Russians will be exposed to these kinds of annoyances for a long time. I doubt that they have seen the last of this kind of thing, but we have comfort in knowing that the fire the Russians started in Ukraine is not going out anytime soon.
Wednesday, December 9, 2015
The Language of ISIS
The indictment of an Akron Ohio man gives us some idea of the language ISIS uses to motivate its charges to kill: "O Brothers in America, know that the jihad against the crusaders is not limited to the lands of the Khilafah, it is a world-wide jihad and their war is not just a war against the Islamic State, it is a war against Islam…Know that it is wajib (translated to “necessary”) for you to kill these kuffar! and now we have made it easy for you by giving you addresses, all you need to do is take the final step, so what are you waiting for? Kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe…”
It seems like this kind of language, extracted from Tumblr, is exactly what is wrong with social media. This is incitement to murder. It included addresses of military personnel. No social media outlet allows this kind of material to be posted on line, but our social media are having difficulties keeping up with changing accounts and the volume of material. Maybe they aren't trying hard enough.
We have technology companies who can allow millions of people to communicate in hundreds of different languages, in almost every country in the world, but they don't have search engines to help them find this kind of material inside their own networks. If they can't police their own content, they will eventually get help doing it. This is not a free speech issue, and it will haunt them until they do something about it.
It seems like this kind of language, extracted from Tumblr, is exactly what is wrong with social media. This is incitement to murder. It included addresses of military personnel. No social media outlet allows this kind of material to be posted on line, but our social media are having difficulties keeping up with changing accounts and the volume of material. Maybe they aren't trying hard enough.
We have technology companies who can allow millions of people to communicate in hundreds of different languages, in almost every country in the world, but they don't have search engines to help them find this kind of material inside their own networks. If they can't police their own content, they will eventually get help doing it. This is not a free speech issue, and it will haunt them until they do something about it.
Missiles and Nuclear Material in Iran
Jay Solomon has a couple of articles in the Wall Street Journal that show the quandary the U.S. is in with Iran. They tested medium range missiles with a range of 1200 miles (medium is a relative term in the Middle East where distances are short compared to ballistic missiles flying across an ocean) and the U.S. is trying to help them dispose of nuclear material they already have on hand by moving it over to Kazakhstan. We have to wonder what makes it safer there than in Iran, but that is another matter. This matter is one of trying to help a country comply with a nuclear agreement, when it clearly wants to develop a delivery mechanism that would make having a bomb more dangerous. [Iran, U.S. Seek Deal to Send Enriched Uranium to Kazakhstan (updated 8 Dec 2015) & Iran Test-fires Another Missile, U.S. Says (8 Dec 2015)]
The U.N. has not done much of anything about the missile testing which is a violation of resolutions on Iran, a good clue about how they might respond to violations of others. Fox News says this violates two United Nations Security Council resolutions and is an attempt to improve accuracy of the missiles.
With so many countries invested in a dubious agreement with Iran to delay the building of a bomb, it would be difficult to act against them without the approval of the Russians and Chinese. Good luck with that. Maybe the Russians could benefit from the knowledge that Moscow is almost in range of that newly tested missile.
The U.N. has not done much of anything about the missile testing which is a violation of resolutions on Iran, a good clue about how they might respond to violations of others. Fox News says this violates two United Nations Security Council resolutions and is an attempt to improve accuracy of the missiles.
With so many countries invested in a dubious agreement with Iran to delay the building of a bomb, it would be difficult to act against them without the approval of the Russians and Chinese. Good luck with that. Maybe the Russians could benefit from the knowledge that Moscow is almost in range of that newly tested missile.
Manufacturing Criminals
The Russians know how to hurt a guy. In today's Wall Street Journal is a small piece about the Russians bringing charges on Mikhail Khodorkovsky, once Russia's richest billionaire, driven out of the country by charges that kept him in jail for the middle part of his life. He decided to run against Vladimir Putin in an election and Putin is not one to tolerate that. The way out of any predicament is to make a criminal of your enemy.
In my last book, The New Cyberwar, I used the two cases of Ihor Kolomoyski and Ukrainian Interior Minister, Arsen Avakov who were charged in absentia, just as Khodorkovsky is now. These two are from Ukraine, and were criminalized on trumped-up charges, just as he has been. Avadov was charged with "the use of banned ways and methods of warfare", a term that comes from the International Committee of the Red Cross and treaties on the use of war materials that cause unnecessary suffering. The Russians made posters of these two, one showing Avadov as an evil cartoon character much like the two-faced character in Batman. Criminalizing them accomplishes a couple of things: first, a person will not be able to go back to Russia and his property can be confiscated; second, the Russians can issue a criminal warrant for his arrest and file it with Interpol. Anyone knowing such a thing had been done, would be careful to not travel to one of Russia's allies where extradition could take place. This limits travel and the ability to do business with almost any friends a person might have in Russia. Khodorkovsky, who lives in Switzerland now, probably could care less about that, but grudges go deep in Russia and don't go away when the problem leaves the country. He won't be allowed to completely forget. Some of Putin's enemies have not faired as well, so he may consider himself lucky.
Tuesday, December 8, 2015
Syrian Refugees
While the U.S. debates how many Syrian refugees it might take (and when), the numbers in Germany are staggering. The totals were posted in the Wall Street Journal today and they show almost 485,000 in 2015, but that isn't reflective of the whole. They also had 127,00 Afghans , 93,000 from Iraq, and some others from Kosovo. The population of Germany is 83,000,000 and they are putting over half a million people from some of the most war-torn parts of the world into their economy. So, I wonder what the people of the U.S. would say if the President decided to bring in half a million refugees?
Russians Bypassing Ukraine with Pipeline
Ukraine called for the EU to stop the underwater natural gas pipeline (Nord Stream II) from Russia to Germany [see map]. The Russians have long wanted to avoid transiting the Ukraine with their natural gas and have shut it off a few times to make life miserable for people living there. They did it once in January, just to make a point during a national election. If the Nord II pipeline continues, they will be in a position to cut off the Ukraine again and not affect their biggest clients in the European Union. That will not be good for Ukraine.
The problem is the EU gets the majority of its natural gas from Russia. We would think they would want to get other sources for it, to reduce the dependence on a country that has repeatedly used energy as a weapon of political persuasion. The Russians continue to pressure Ukraine with the debt for unpaid gas bills brought about when their hand-picked leader had to run away from a mess he created. The negotiated debt for natural gas was reduced by Russia just prior to his departure, but after he left, the debt rose dramatically when Gazprom, the Russian energy company, recalculated the amount of the debt. Only a fool would think the Russians won't manipulate the EU with pricing and availability. In some circles, this is called economic extortion. The Russians don't mind playing that game; they are just not very subtle about it.
The problem is the EU gets the majority of its natural gas from Russia. We would think they would want to get other sources for it, to reduce the dependence on a country that has repeatedly used energy as a weapon of political persuasion. The Russians continue to pressure Ukraine with the debt for unpaid gas bills brought about when their hand-picked leader had to run away from a mess he created. The negotiated debt for natural gas was reduced by Russia just prior to his departure, but after he left, the debt rose dramatically when Gazprom, the Russian energy company, recalculated the amount of the debt. Only a fool would think the Russians won't manipulate the EU with pricing and availability. In some circles, this is called economic extortion. The Russians don't mind playing that game; they are just not very subtle about it.
Sunday, December 6, 2015
Liberal ClapTrap
I got a kick out of Chris Christi's comment about the front page editorial by the New York Times. He called it Liberal Claptrap, which was probably not politically correct. What the Times said was out of touch with the average person and certainly not going to get them any points with people outside of New York City. I get a lot of my best stories from the Times and thought it was out of place for them to put this kind of call for gun control on the front page, when they already have an editorial page -- a good place for editorials.
The worst part of their comment was the failure to recognize that the folks who killed a few people in San Bernardino were terrorists. The had bombs made up in their garage and modified their guns to fire on automatic. They were Islamic Extremists, raised in places where that is fashionable. The Times does not seem to see that as any different than a nut case in Colorado who decides to kill people at Planned Parenthood. When I lived in Wyoming I thought everyone had guns, and this doesn't seem abnormal.
Terrorists get guns from a lot of places, but they seldom buy them in a local gun store where their names get recorded. They get guns into Israel, where almost everyone has a gun if they need one. They got them into Paris. In places where they can't get them, like China, they use knives and car bombs. The death toll from knife attacks can be pretty astounding. Terrorists find a way.
In Wyoming, my introduction to the culture came a week after I got there. I was on night patrol in Law Enforcement and we heard shots fired. I drove down to the scene and got there before the local police. There was a guy lying in the parking lot of 7-11 with multiple gun shots, obviously deceased. Nobody in the store was hurt, except the clerk who got pistol whipped. The guy who did that was lying outside. When the Sheriff came he asked what happened and the clerk said the guy beat him up and told the others in the store to get out. They went out and waited for him to come out. Five of them shot him. The Sheriff said, "He must have been from out of town." Denver, as it turned out.
For all of those who say the answer to guns is not more guns, take a look at where terrorists have the most difficult time. All of those places have guns, and the people there know what they are for.
The worst part of their comment was the failure to recognize that the folks who killed a few people in San Bernardino were terrorists. The had bombs made up in their garage and modified their guns to fire on automatic. They were Islamic Extremists, raised in places where that is fashionable. The Times does not seem to see that as any different than a nut case in Colorado who decides to kill people at Planned Parenthood. When I lived in Wyoming I thought everyone had guns, and this doesn't seem abnormal.
Terrorists get guns from a lot of places, but they seldom buy them in a local gun store where their names get recorded. They get guns into Israel, where almost everyone has a gun if they need one. They got them into Paris. In places where they can't get them, like China, they use knives and car bombs. The death toll from knife attacks can be pretty astounding. Terrorists find a way.
In Wyoming, my introduction to the culture came a week after I got there. I was on night patrol in Law Enforcement and we heard shots fired. I drove down to the scene and got there before the local police. There was a guy lying in the parking lot of 7-11 with multiple gun shots, obviously deceased. Nobody in the store was hurt, except the clerk who got pistol whipped. The guy who did that was lying outside. When the Sheriff came he asked what happened and the clerk said the guy beat him up and told the others in the store to get out. They went out and waited for him to come out. Five of them shot him. The Sheriff said, "He must have been from out of town." Denver, as it turned out.
For all of those who say the answer to guns is not more guns, take a look at where terrorists have the most difficult time. All of those places have guns, and the people there know what they are for.
Friday, December 4, 2015
ISIS Air Force
A friend of mine sent a link to a story about ISIS pilots training in a simulator [story ] I can't imagine ISIS trying to fly airplanes in an environment where there are so many coalition aircraft, radars and missiles. They would make great targets. Aside from that, the article says ISIS got this simulator from abroad, whatever that means. It is a reminder that for all the enemies of ISIS, they still have some really powerful friends who help fund and give them support. Now, who would benefit from a stronger bunch of radicals running loose in the world? We would think that no other country would do such a thing. It should remind of the thinking of our intelligence services just prior to 9/11. Why would they want to get pilot training, we were asking ourselves. Who could possibly benefit from that?
Thursday, December 3, 2015
OPM Hackers are The Usual Suspects
Ellen Nakashima had an interesting piece in the Washington Post yesterday[ https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html] about the "arrest" of the Chinese hackers who got the data at OPM. There is no information about the suspects, or whether they worked for the government. If ever a story showed the manipulation of our government by China, this one does.
The Post is a ready outlet for the views of the White House staff, and Ellen has good sources in the Washington cyber world. She usually turns out to be right about the events. I checked the China Daily to see if anything had come out in their press about the same subject, and found nothing mentioned since June. The June story was a denial that China had anything to do with this theft of 24 million records of security clearances.
The Post article points to sanctions as the main reason for the arrests. The Chairman's [Xi] visit to the U.S. was being accompanied by internal U.S. discussions of sanctions against companies that benefit from the theft of data that is plowed back into the Chinese economy. The Chinese knew (because they asked several of us) we were considering more harsh action than sanctions. I told them there would be an agreement on cyber because that was what the White House said, but we were considering more than sanctions. [see my 8/3/15 post on David Sanger's New York Times article that describes what was being considered] The story goes, China wanted to head those off by making an arrest of the usual suspects. Apparently, their actions worked, since we saw nothing of sanctions before or after the visit, and none of the more serious kinds of retaliation being discussed were ever carried out.
Can we be so easily influenced that we forget retaliation, forget sanctions, and turn the other cheek? Looks like it. Our political leadership understands one basic thing about human nature: we only pay attention until the next shiny news object comes along. The next time, we may be sorry we didn't make a more forceful statement this time.
The Post is a ready outlet for the views of the White House staff, and Ellen has good sources in the Washington cyber world. She usually turns out to be right about the events. I checked the China Daily to see if anything had come out in their press about the same subject, and found nothing mentioned since June. The June story was a denial that China had anything to do with this theft of 24 million records of security clearances.
The Post article points to sanctions as the main reason for the arrests. The Chairman's [Xi] visit to the U.S. was being accompanied by internal U.S. discussions of sanctions against companies that benefit from the theft of data that is plowed back into the Chinese economy. The Chinese knew (because they asked several of us) we were considering more harsh action than sanctions. I told them there would be an agreement on cyber because that was what the White House said, but we were considering more than sanctions. [see my 8/3/15 post on David Sanger's New York Times article that describes what was being considered] The story goes, China wanted to head those off by making an arrest of the usual suspects. Apparently, their actions worked, since we saw nothing of sanctions before or after the visit, and none of the more serious kinds of retaliation being discussed were ever carried out.
Can we be so easily influenced that we forget retaliation, forget sanctions, and turn the other cheek? Looks like it. Our political leadership understands one basic thing about human nature: we only pay attention until the next shiny news object comes along. The next time, we may be sorry we didn't make a more forceful statement this time.
Wednesday, December 2, 2015
Chinese Trade is Just Business
China runs a trade surplus with the U.S. that, in 2014, is a new record, $342.6 Billion. This is creeping up on the $585 Billion the U.S. spends on Defense every year. Most countries can't afford this kind of debt, and would attempt to cut back on the amount and type of trade to get a better balance. A long list of U.S. companies does business in China, manufacturing products there. [ http://www.jiesworld.com/international_corporations_in_china.htm ] and nobody is asking them to cut back on selling or manufacturing goods in China.
Most businesses see manufacturing in China as "just business", required to reduce the cost of production or get into the largest market in the world. An article in the China Daily [http://www.chinadaily.com.cn/business/2015-11/13/content_22446414.htm ] says that cost difference is down to 4% over the cost of manufacturing in the U.S., though it varies by type of product. Board rooms should take notice. If that market were open, instead of severely restricted by a centrally managed government, the numbers in trade on both sides of the equation might balance out a little better. Instead, it works against us.
GM is going to start selling Chinese cars in the U.S. This is after years of teaching the Chinese to make cars, and bantering with them over theft of designs. The Chinese aircraft manufacturing is getting its footing and beginning to turn out some aircraft that might actually make it in world markets. A report by the U.S.-China Economic and Security Review Commission shows how the industry used joint ventures to skirt technology transfers and steal trade secrets. There is almost no computer that does not have its parts or whole body made in China, accessories like hard drives and routers included. The Chinese control that market. Think about that as you read this text. It was created on a computer made in China, routed to you by equipment made in China, and stored on servers that will one day be Chinese. They control equipment used in the distribution of information.
We are passed the time when this kind of imbalance is "just business" and it is becoming a national security issue. The Chinese have too much leverage over our government. They own large chunks of our debt and they get what they want because of it. At the same time, they steal our technology as a part of a national strategy, plow our ideas back into their manufacturing capability, and increase our debt even more. At some point business leaders need to think of themselves as part of something bigger than the boundaries set by corporate structures. Like GM, they will one day see that manufacturing in China produces competition that is not part of fair trade.
Most businesses see manufacturing in China as "just business", required to reduce the cost of production or get into the largest market in the world. An article in the China Daily [http://www.chinadaily.com.cn/business/2015-11/13/content_22446414.htm ] says that cost difference is down to 4% over the cost of manufacturing in the U.S., though it varies by type of product. Board rooms should take notice. If that market were open, instead of severely restricted by a centrally managed government, the numbers in trade on both sides of the equation might balance out a little better. Instead, it works against us.
GM is going to start selling Chinese cars in the U.S. This is after years of teaching the Chinese to make cars, and bantering with them over theft of designs. The Chinese aircraft manufacturing is getting its footing and beginning to turn out some aircraft that might actually make it in world markets. A report by the U.S.-China Economic and Security Review Commission shows how the industry used joint ventures to skirt technology transfers and steal trade secrets. There is almost no computer that does not have its parts or whole body made in China, accessories like hard drives and routers included. The Chinese control that market. Think about that as you read this text. It was created on a computer made in China, routed to you by equipment made in China, and stored on servers that will one day be Chinese. They control equipment used in the distribution of information.
We are passed the time when this kind of imbalance is "just business" and it is becoming a national security issue. The Chinese have too much leverage over our government. They own large chunks of our debt and they get what they want because of it. At the same time, they steal our technology as a part of a national strategy, plow our ideas back into their manufacturing capability, and increase our debt even more. At some point business leaders need to think of themselves as part of something bigger than the boundaries set by corporate structures. Like GM, they will one day see that manufacturing in China produces competition that is not part of fair trade.
Tuesday, December 1, 2015
Did We See This Coming?
I'm usually not surprised by recommendations made by Congressional Committees since they are usually telegraphed long before they actually come out, but we occasionally get one that isn't. The U.S.-China Economic and Security Review Commission, in their annual report to Congress, made one that got my attention: [That] Congress assesses the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.
For some reason, I never heard this discussed by business interests or government. Hacking back has always been a troublesome area for industry. For one thing, it requires a good bit of technical expertise and a long-term investment in maintaining a capability that exceeds most business interests. Second, in the case of China, it requires hacking back against entities that are part of, or funded by, the central government. Companies that have business interests in China generally don't want to do that, though they are probably in a better position to do it than companies that don't. They have networks there already.
It seems to me there is a better way to make sure stolen data isn't used. Encrypted data is one way. The OPM database of security clearance data should have been encrypted, as should almost any trade secret data that is needed for a company to maintain a competitive advantage over its competitors. Most data management systems have some type of encryption available and it is not hard to use. I have heard IT shops argue that encryption is "too hard" but they haven't tried it.
Cliff Stoll, who years ago wrote the Cuckoo's Egg, suggested the addition of bogus records that if ever accessed, trigger a security alarm. We tried that in a couple of places and it turned up a couple of scavengers searching for things that were none of their business. One of them could prove it wasn't him, so we were sure that one was a hacker using his credentials. That is a good start.
There are other ways to achieve the objective without starting a hacker war with the Chinese, but I'm wondering where this idea came from.
For some reason, I never heard this discussed by business interests or government. Hacking back has always been a troublesome area for industry. For one thing, it requires a good bit of technical expertise and a long-term investment in maintaining a capability that exceeds most business interests. Second, in the case of China, it requires hacking back against entities that are part of, or funded by, the central government. Companies that have business interests in China generally don't want to do that, though they are probably in a better position to do it than companies that don't. They have networks there already.
It seems to me there is a better way to make sure stolen data isn't used. Encrypted data is one way. The OPM database of security clearance data should have been encrypted, as should almost any trade secret data that is needed for a company to maintain a competitive advantage over its competitors. Most data management systems have some type of encryption available and it is not hard to use. I have heard IT shops argue that encryption is "too hard" but they haven't tried it.
Cliff Stoll, who years ago wrote the Cuckoo's Egg, suggested the addition of bogus records that if ever accessed, trigger a security alarm. We tried that in a couple of places and it turned up a couple of scavengers searching for things that were none of their business. One of them could prove it wasn't him, so we were sure that one was a hacker using his credentials. That is a good start.
There are other ways to achieve the objective without starting a hacker war with the Chinese, but I'm wondering where this idea came from.
Subscribe to:
Posts (Atom)