The Energy Games began a number of years ago, resurfaced during the Ukraine crisis when the Russians upped the ante on Ukraine's debt after their candidate suddenly lost support, and are now being played out in Eastern Bloc countries like Lithuania, Bulgaria and Poland. The Russians are not used to playing this game and have had to learn new rules since they squeezed the Ukrainians out of billions of dollars. They are sore losers, for sure.
This time, the new game is being played with US natural gas, which is finally being shipped in new tankers to Greece, Latvia and Poland, countries that rely on Russia for their energy needs. [See Georgi Kantchev, "With U.S. Gas, Europe Seeks Escape from Russia's Energy Grip," The Wall Street Journal, 25 February 2016, http://www.wsj.com/articles/europes-escape-from-russian-energy-grip-u-s-gas-1456456892. There is a good chart in this article that shows the dependency by country.] Most people already know this, but the fun thing in this article is how much trouble the Russians went to in order to delay that happening.
Kantchev says, "Bulgarian officials allege Russia bankrolled a wave of street protests in 2012 that forced the government to impose a moratorium on shale gas exploration. In 2014, Anders Fogh Rasmussen, then-head of NATO, told reporters that Russia was covertly funding European environmental organizations to campaign against shale gas to help maintain dependence on Russian gas." Gazprom always negotiated with Lithuania on New Year's Day, when it could cut off supplies in the dead of winter, as it did in the pre-election run-offs in the Ukraine a number of years ago. Not very subtle.
The Russians then noted that Lithuania was going to buy natural gas from Norway, and lowered their prices to below what Norway was charging. Lithuania bought Norway's gas anyway and is about to buy from the U.S. too. The Lithuanians have played the energy game for too long not to know the rules.
But the one I like the best was the Russian complaint to the UN that the ship that carried the natural gas would harm the environment in a strip of land between Lithuania and Russia. Really? That must have gotten a few chuckles at the UN offices. The UN found nothing that would harm the environment.
The Russians are trying to manufacture issues to get in the way of energy getting cheaper and purchased from the West. It would be humorous if it weren't so sad.
Monday, February 29, 2016
Thursday, February 25, 2016
Chinese Fighters to South China Sea
It turns out that China has put more than a runway, long-range radar, and housing on those little islands far from home. Gordon Lubold and Chun Han Wong in the Wall Street Journal point out that fighters have been sent there. These are not fighters the US would overlook, since they are the latest versions of Chinese jets. [http://www.wsj.com/articles/china-flew-fighter-jets-to-disputed-south-china-sea-island-u-s-officials-say-1456292008] Apparently, the Chinese are going to ratchet things up in the South China Sea until the US elections are over. Then they can find out what the next President will do. If they are true to form, they are already hacking the candidates so they don't have to guess.
China Inc Watches Over Users
A new report [https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/] by one of my favorite research groups, Citizen Lab at the University of Toronto, gives us some insight into how deep the Chinese have gone in monitoring their own population, and suggests they may be monitoring a good deal more than their own. Why does a browser want to transmit the following items back to a host server: user search terms, hard drive serial number, GPS coordinates of the user, nearby wireless networks [including their MAC addresses] and URLs visited? This is a quote from the report:
- The Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.
These are things they are collecting on users of Baidu, the Chinese equivalent of Google, but there is more to it than that. The same data is also collected by third-party apps built with the development kits Baidu provides. Millions of Android apps are pushed through third-party systems to tens of millions of users. Why does Baidu, or anyone in China for that matter, need to know my hard drive serial number and the wireless networks around me? There are only a few uses for any of that information and none of them are good.
At some point we have to wonder how we can continue to trust anything coming out of China. Citizen Lab did the analysis of Green Dam, monitoring software that China put on every computer made in China. The Chinese said they stopped doing that when the World Trade Organization said that wasn't very nice. All they did was adopt a different strategy for the collection. Now they put it into software that users will download. There has to be a consequence for this or they will continue to monitor everyone they can get to. Google stopped trusting certificates from CNNIC, the China Internet Network Information Center, last year, so maybe we need to follow suit with software.
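Detection logic for exactly this kind of collection, as an added example that is not code from Citizen Lab's report or from Baidu: it scans outbound proxy log lines for requests that carry the monitored host's own identifiers (hypothetical hard drive serial, MAC address and CPU model strings), visited URLs, or search terms, and notes whether the request went in the clear. The log format, the hostnames, the identifier values and the list of search-parameter names are all assumptions constructed for the example.

```python
"""Flag outbound web requests that carry a host's own hardware identifiers.

Added example; not code from Citizen Lab or Baidu.  The log format, the
hostnames and the identifier values below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical identifiers of the monitored workstation (constructed values).
HOST_IDENTIFIERS = {
    "hdd_serial": "WD-WCC4E1234567",
    "mac": "a4:5e:60:12:34:56",
    "cpu_model": "Intel(R) Core(TM) i5-4300U",
}

# Parameter names commonly used for search queries (heuristic; "wd" is Baidu's).
SEARCH_KEYS = {"q", "query", "search", "wd", "kw"}

# Constructed proxy log: "<client> <method> <url> [body=<form-encoded body>]"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/
10.0.0.5 GET http://stats.example-browser.test/collect?mac=a4-5e-60-12-34-56&hd=WD-WCC4E1234567&url=https%3A%2F%2Fbank.example%2Flogin
10.0.0.5 POST http://update.example-browser.test/report body=cpu=Intel%28R%29+Core%28TM%29+i5-4300U&q=search+terms
10.0.0.5 GET https://cdn.example.com/app.js
"""

LOG_LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)(?: body=(?P<body>\S+))?$"
)
MAC_RE = re.compile(r"([0-9a-f]{2}[-:]?){5}[0-9a-f]{2}")


def normalize(value):
    """Lower-case a parameter value and rewrite MAC addresses to aa:bb:cc:dd:ee:ff."""
    v = value.strip().lower()
    if MAC_RE.fullmatch(v):
        digits = re.sub(r"[-:]", "", v)
        v = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return v


def request_params(url, body):
    """Return (name, value) pairs from the query string and the form body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def scan_request(url, body, identifiers=HOST_IDENTIFIERS):
    """List (param, leak_type) for every parameter that leaks host data."""
    wanted = {label: ident.lower() for label, ident in identifiers.items()}
    leaks = []
    for name, value in request_params(url, body):
        norm = normalize(value)
        for label, ident in wanted.items():
            if norm == ident:
                leaks.append((name, label))
        if norm.startswith(("http://", "https://")):
            leaks.append((name, "visited_url"))  # browsing history sent to a third party
        elif name.lower() in SEARCH_KEYS:
            leaks.append((name, "search_terms"))
    return leaks


def scan_log(text, identifiers=HOST_IDENTIFIERS):
    """Scan proxy log lines; return one finding per request that leaks something."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        leaks = scan_request(m["url"], m["body"], identifiers)
        if leaks:
            parts = urlsplit(m["url"])
            findings.append({
                "line": lineno,
                "host": parts.hostname,
                "plaintext": parts.scheme == "http",  # no TLS: readable by anyone on the path
                "leaks": leaks,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        where = "in the clear" if f["plaintext"] else "over TLS"
        print(f"line {f['line']}: {f['host']} receives {f['leaks']} {where}")
```

Matching on the host's own identifier values, rather than on parameter names, is what makes this hold up against a client that renames its fields: the serial number and MAC address have to appear somewhere in the request for the collection to work, whatever they are called. Encrypted or obfuscated payloads of the kind the report describes as "easily decryptable" would need a decoding step in front of request_params.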
Monday, February 22, 2016
China Tightens Rules Again
Josh Chin has a good story in the Wall Street Journal yesterday on China's control of the Internet ["China Issues Broad New Rules for Web"] that made me think about businesses trying to operate in China. The last hearing the US-China Economic and Security Review Commission held concerned the barriers China puts up to companies trying to operate there, and it seemed like they were trying to make it too difficult to continue. His story just adds to that narrative.
He says, "The new regulations—jointly issued by the ministry of information technology and the publications regulator—ban companies with foreign ownership of any kind from engaging in online publishing, though they allow foreign-invested firms to cooperate with Chinese companies on individual projects, as long as they obtain prior permission from authorities."
The new rules also include a formalization of a 5-year-old requirement to store data inside China's borders. That spares Chinese authorities any need for international cooperation when they want access to data.
Remember that this is on top of the onerous rules for providing the government with encryption keys and source code, so no company can hide secrets in computers. I have asked many times why Boards of Directors allow this kind of surrender to Chinese authorities when it means certain loss of the trade secrets and business information that allow China to get ahead in so many business areas. Can these companies be making that much money? Nothing compensates for the loss of a company's future. In the short term, those profits look huge. In the long run, they mean competition that can put a company out of business. Anyone who takes the money and runs deserves what they get, but the shareholders should be getting a little more say in whether that is done or not.
Friday, February 19, 2016
The Cold War Comes Back
Dmitry Medvedev was in Germany yesterday telling a group of senior leaders at the Munich Security Conference that the West should cooperate more with Russia in Syria or face a new Cold War. The story is in today's Wall Street Journal [http://www.wsj.com/articles/russias-medvedev-says-world-is-fighting-a-new-cold-war-1455358705]. It almost reminds me of a Russian Cold War slogan, "What's mine is mine, and what's yours is negotiable." Has everyone forgotten about the Crimea or the shooting war going on in the southern part of the Ukraine?
Apparently, we are supposed to stop thinking about these little transgressions and learn to enjoy our fate, a la Dr. Strangelove, who learned to love the bomb. Never mind that the Russians said they were there to get rid of ISIS, but bombed everyone but ISIS in the first runs on their targets. The Russians need those ports and want Assad to survive so they can keep them. Between Syria and the Ukraine, they have quite a few Russian troops out doing God's work. If we just ignore them, we can avoid having another Cold War with Russia. Really? In case everyone forgot, this is how the Cold War started to begin with, over a snatch of land called Berlin. It went downhill from there.
I miss the Cold War. Probably a lot of people in Europe do too. The spying, the meddling in elections, the military exercises, and all those proxy wars going on at once. Our intelligence services and militaries made money hand over fist trying to keep up with all the shenanigans. It was a good time for everyone. The Russians want us to see this as a bad time to be avoided. To them, cooperation means leaving them alone to do whatever they want. Common enemies don't make friends like that.
Thursday, February 18, 2016
Letter to the President Unanswered
I wanted to post a link to a letter from two Congressmen to President Obama, pointing to the characterization of the North Korean attack on Sony as "cyber vandalism," a term that hardly fits the crime. They never got a response from the White House, but that isn't surprising.
http://royce.house.gov/uploadedfiles/cyberterrorism_letter_to_obama_02.27.2015.pdf
Wednesday, February 17, 2016
An Encryption Case for Apple
Apple is sticking to its guns and will win. The US Justice Department is actually trying to force Apple to develop code that disables the feature that erases a phone after too many wrong passcodes. They are not asking for software that will undo the encryption. That phone belonged to a terrorist and it is hard to believe Apple would not want to help get whatever is on that phone into the government's hands. They just don't want to write code to do it that could be used in other incidents.
In a previous post [https://www.blogger.com/blogger.g?blogID=9033304048882784982#editor/target=post;postID=309923511951363080;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=12;src=postname] I mentioned what should be obvious in this case. The National Security and Law Enforcement communities are supposed to stay ahead of terrorists and criminals. They get money from our government to do that, but it certainly looks like they are not doing very well at it. That isn't Apple's, Google's, or Microsoft's fault, and they should not be forced to write code to undo a security feature that protects a phone from being erased.
Encryption is used in many more places than just cell phones, and I see this as a precedent for those who encrypt hard disks, flash drives, and telephones. It is not Apple's job to develop software that will undo security it intentionally put on those devices for our protection. If they are forced to do it, there will be many more cases like this, all allowing the government to force vendors to undo security features that the government could undo itself. Justice can hire a few cyber experts and get them to write code that will do what they want to do. If that can't be done, then raise the banners and call for celebration: Apple finally has a bullet-proof system. Anyone believing that, hold up your hand.
Chinese Cross Redline with Missiles
China has been doing pretty much what it wanted with those little islands in the South China Sea, creating land mass from nothing and putting a runway on it as big as the one out here in the suburbs at Dulles Airport in Washington D.C. Nobody has done much of anything to stop them. For the last five years they have harassed US Navy vessels in the area, warned off any air traffic that passes through, forced fishing boats out of the waters, and generally acted like this was their territory even though it is almost 1000 miles from anything Chinese.
Yesterday, the Defense Ministry in Taiwan told us they put surface-to-air missiles on that little strip of land. [See Michael Forsythe's article today in the New York Times, http://www.nytimes.com/2016/02/17/world/asia/china-is-arming-south-china-sea-island-us-says.html] These happen to be a medium-to-long-range interceptor which the Chinese also offered to Turkey. [For more details see http://www.globalsecurity.org/military/world/china/hq-9.htm] In case you were wondering, it is not the missile the Turks used to shoot down the Russian Su-24 flying over Syria; that was a U.S. missile, the AIM-9. The Chinese HQ-9 is a capable missile system that could probably shoot down most of the aircraft that fly through the airspace above it, even though that probably isn't why they put it there.
The Chinese want to escalate with an old idea. You don't have to shoot a missile to get its value. You just need to turn on the radar and paint the target. Civilian aircraft will never know that happened because they carry nothing that detects the lock-on of a missile radar, but military aircraft do. Their radar warning receivers will tell them when that radar turns on and they are acquired by the missile, after which they have a couple of options. They can jam the radar, lock on a missile of their own, or stop flying through that airspace. None of these are going to get the Chinese to remove this weapon from the islands.
So, we are going to have military aircraft flying through this airspace and getting a report of a radar lock-on. There is always the possibility that the warnings the Chinese have been giving can be backed up by firing one of those missiles, like the Turks did to the Russians. That is not going to go well for either side, since the US does not recognize the Chinese claims on these islands. If the Chinese shoot down one of our airplanes, they are going to be looking at a much larger contingent of US forces in that area, something they do not want.
Right now, the Chinese seem to think that threatening to do that is enough. We know they could. But this is not going to get anywhere near the Chinese removing themselves from these islands, and will only make that part of it worse. They are saying they can, and will if necessary, use force to keep these islands, and the rest of the world can pound sand.
This is what happens when we ignore what we have seen in the buildup of the islands, the building of a runway, and the weapons being introduced. This took place over a long time and was visible for anyone to see. It isn't possible to hide island building from satellites. Now we are at a point where weapons have been introduced and the only way to get them off of those islands is by matching their escalation. At any point along their buildup it would have been far less dangerous to take a hard stand. Now we run the risk of a real armed conflict because the Chinese want their own way and are not going to make it easy for anyone to challenge them.
So, are we going to stop flying over those islands? No. Now we are moving a group of seven ships into the area. One of them is an aircraft carrier.
Saturday, February 13, 2016
Retaliation for North Korea
Last week, the Senate unanimously passed legislation imposing sanctions on North Korea, matching legislation passed by the House. The President is put in the position of signing a bill that is veto-proof, which is kind of astounding. Getting all the members of both houses of Congress to vote the same way on anything is almost impossible, but these measures come close. So, we might ask why Congress needs to pass legislation for something everyone agrees is needed, and why it has taken so long. [See "US Senate Passes North Korea Sanctions Legislation," Wall Street Journal, 10 February, http://www.wsj.com/articles/u-s-senate-passes-north-korea-sanctions-legislation-1455146983]
Two parts of this legislation are interesting in that regard. First, it is tied to both the nuclear test North Korea did and the cyber attacks it conducted on Sony. Second, it has sanctions directed at Chinese businesses that help North Korea engage in its nuclear activities. It is clear that China has had a hand in almost every aspect of North Korean programs, and we are finally getting around to blaming the real culprit in all the nonsense North Korea does. Crazy as they are, the North Koreans can't do some of the things they are doing without a lot of technical help and economic assistance from China.
The Sony hack was in November 2014. The nuclear test was in January 2016. Those events were far apart and seemingly unrelated. The North Koreans must be confused by our lack of response, but the Chinese certainly are not. When I testified at the U.S.-China Economic and Security Review Commission, I characterized the Sony attack as a warning to us. It was destructive: it destroyed information on servers after taking it, sifting through it, and releasing certain parts of it that were damaging to the studio. It was clearly not something an irrational country with almost no Internet would do. China knows how to demonstrate a concept without being involved, and has done it repeatedly using proxies. North Korea is a favorite.
At the time, David Sanger at the New York Times said the US was considering a range of responses that included retaliation against China for the theft of security clearance records in June 2015. [http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?_r=0] Many thefts preceded that one, and the US did nothing, but the Chinese knew they had crossed a red line with the OPM hack. It was discovered in March, and they would have known then that we knew it had happened. After reading Sanger's article, they would have been glad the Sony hack had served its purpose. The US did nothing but talk about retaliation because it had no viable deterrence strategy.
The Chinese are ahead of us in cyber strategy. They demonstrate what will happen if there is retaliation for some of the thefts of data that they have been carrying out. They do it through a proxy so they can deny being involved. Our business leaders look around and say that hack at Sony was something we would not like to have here. They want the White House to be restrained in their response, especially the ones that have big businesses in China. In the meantime, the Chinese steal our technology with impunity. This is not just politics. It is clearly a lack of understanding of the damage done to this country by having China steal anything they can get their electronic hands on.
Tuesday, February 9, 2016
President Obama's Mirror
The last person in the world anyone would expect to author an opinion piece on cyber security is the President of the United States. He did not write it, of course, but signed it. It appears in the Wall Street Journal today.
This is, after all, the administration of the Post Office, OPM, State Department, IRS, Medicare et al hacks, which have shown how well the Feds have been dealing with cyber threats. But the essence of the need for such a pronouncement lies in the statement that 9 out of 10 US citizens think their personal information is out of their control. That is a big number.
The President wants his initiative to put $3 billion into renovating Federal IT, mentioning that Social Security still uses systems and code from the 60's. This reminds me of the OPM hack, where the security budget doubled after the third breach. Throwing good money after bad is not a good idea, and throwing $3 billion at IT is certainly a waste of money. They will just build a new Ops Center and bring in more contractors who can spend that money. SSA has been doing that since the 1960s or it wouldn't be in the shape it is in. There are fundamental problems if they can't project upgrades and pay for them over time. This lack of security planning is at the root of most of the hacks the Fed has seen. Look at the IG reports for OPM from 2012 to 2015 to see what I'm talking about. Identified problems went unfunded for years until the bubble burst.
Offering scholarships and "forgiving student loans" to strengthen our corps of cyber experts left me wondering who wrote this piece and what the agenda could possibly be. Getting colleges and universities to strengthen their cyber security courses and include them in business and technical curricula is more important.
And the final piece of wonder comes from the opening of a new cyber security center of excellence in Maryland which will draw together experts who will work on new state of the art security systems for our industry partners. Apparently, industry is not doing well at developing their own and needs government help in doing it. DHS just opened a similar place a couple of years ago, but must not have been able to achieve much because this one is needed. There are over 60 places like this in the US, most built with security money that should have been used to do security and not work on future technologies that never seem to come out of them.
It is time to focus.
Policy is a good area to look at, given the lack of requirements for security of systems in government. Our security policies went down the toilet when government started thinking NIST could write policy. They just write guidance, leaving agencies to do what they want. That has led to the kinds of problems we have today. Nothing is mandatory; nothing is done. The new Risk Management Framework and continuous monitoring are an unfunny joke that allows managers to escape any responsibility for the security of agency systems.
Put some of that money into the security of government leaders who get hacked every time we turn around. Give them secure computers - tablets, cell phones, and desktops - that communicate securely, and keep them off of their own computers that don't. Make that mandatory.
Centralize the security budgets of agencies and force them to use that money for security of systems, not fluff. When the Army builds a golf course with funds intended to secure its networks, we have a right to ask why. Building new centers of excellence is not getting us excellence in security.
There is going to be a CISO for the Fed. Whoever they appoint needs some authority over the agencies or it will be for show. The agency CISOs need to report to that person and be accountable to that office. The OPM fiasco would never have happened if somebody above OPM had listened to the needs their IG identified.
Friday, February 5, 2016
Spills to Mop Up
When someone has classified information on an unclassified computer, the government euphemistically calls it "a spill." It is as if someone had a glass of classified water sitting on a table and accidentally knocked it over on a spot where it must be mopped up. This is not a very accurate way to describe what actually happened. We are finding the State Department exposed to criticism over several of its former leaders who had classified information on one of their unclassified, personal computers. It didn't get there accidentally. If a document is removed from a computer that is authorized to process classified information and put on one that is not authorized, some willful act is required, and the people who did it knew it was wrong.
For 10 years, I did training for people who were responsible for protection of classified information. Only rarely did I ever see a person who knew what the rules for protection were, but ignored them. One of those was a woman who was removing classified markings from documents so she could save them on a nice computer network that was not approved to process classified information. It made her job easier. Her boss told her that she could not put classified documents on an unclassified computer, so she removed the markings which she thought would make it unclassified. She was very honest about that belief, but lost her job anyway. There are really two reasons for that. The removal of the markings was willful, and she had training that told her the rules for handling classified things, yet did not follow them.
She is not the only person to believe that removing markings makes something unclassified. Security professionals think it is stupid to believe such a thing, but that doesn't account for the numbers of people who think that way. It isn't the marking that makes a document classified; it is the content of the message. Ninety-five percent of people who get basic security training know this, but there are always a small minority who quickly forget anything they have learned.
People in government know which computers process classified and which don't. Federal agencies and their contractors have similar rules. Nobody creates classified information on an unclassified computer system - at least on purpose - so there are not very many instances where someone sits down and types out a memo that is Top Secret on his unclassified iPad. It happens occasionally but it is not the norm. Any basic security education will explain that to employees, and all people are required to get that basic orientation.
The person who took information from a computer that was authorized to process it saw the original classification markings. Documents are marked at the top and bottom and each paragraph is too. It is hard to miss. So, if a spill investigation discovers classified things are not marked, then someone removed those markings. In a few cases, I have seen people ordered to remove markings by a superior. I testified at a hearing for one of those people and he lost his security clearance. He thought it made the work go faster if there were no markings on the things used to make goods on the manufacturing floor. He was right about that; the work went a lot faster.
The loss of a security clearance is administrative, but repeatedly violating national security policy can be criminal. The State Department seems to have a problem that is widespread and has continued for a long time. The leadership is ignoring the security education they were given. The long delay with Hillary Clinton's emails is just one example of how that plays out. She may have done nothing at all, but someone did. Finding that person takes longer.
Thursday, February 4, 2016
A Russian Thumb in a German Eye
The Russians are ones to stick a finger in the eye of their friends whenever it suits them. That is usually not a very good thing to do and tends to reduce the number of leaders still taking your phone calls. Last Wednesday, Bavaria’s governor Horst Seehofer went to visit Vladimir Putin at Putin's residence outside Moscow. Putin does not receive very many governors, since he is a head of state, but this one has been criticizing German policies on Russian sanctions. Seehofer wants to see them go away, and the national government wants to keep them. Ruth Bender's story in the Wall Street Journal puts this in perspective. [http://www.wsj.com/articles/merkels-bavarian-critic-meets-putin-to-discuss-migrants-sanctions-1454520027]
It is not unlike the Russians to interfere with the politics of another country. They did try to put money into defeating Ronald Reagan, but he still won. They want to meddle. Fine. This move is not very smart since it openly slaps Angela Merkel, who was one of the staunchest supporters of Russia during the Crimea takeover and the Ukraine incursions. It is narrow-minded, petty, and something the German leader is not going to forget easily.
Tuesday, February 2, 2016
Einstein Fails to Impress - Again
The latest report on Einstein from GAO was badly needed. This boondoggle of a program has been the biggest waste of security money I can remember. Mother Jones, which I seldom read or source, has an article on it in their 29 January issue [http://m.motherjones.com/politics/2016/01/governments-expensive-cybersecurity-system-disaster-says-new-report] claiming it is a $6 billion program (they never spent close to that amount) that doesn't work. The latter part of it is probably accurate. I posted a previous article on David Perera's report about a delay in the implementation of Einstein 3 [http://www.politico.com/story/2014/11/federal-cybersecurity-plan-stalls-113044.html], which has had more delays than any computer security project in recent years. Putting DHS in charge of anything computer related is always an interesting experience, but their inability to get capability from money is probably the most telling.
If you ever wanted to know what Einstein 3 was, you need only look at the publicly posted Privacy Impact Statement at [http://www.dhs.gov/sites/default/files/publications/privacy/PIAs/PIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf]. They should never have posted so much for the public (and every hacker around the world) to read.
Mother Jones points to the GAO's latest report at http://www.gao.gov/assets/680/674829.pdf which is not very flattering, but if you are a security professional, it is worth reading. Just these items from the summary will give you an idea of why it is worth reading:
The Department of Homeland Security’s (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:
• Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.
• Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.
• Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.
• Information sharing: DHS has yet to develop most of the planned functionality for NCPS’s information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.
GAO is usually language neutral in describing how a system actually looks, compared to what it is supposed to do. They would never say things like "These guys have managed to build weak functionality for large sums of money" even though they must want to at times like this. Hooray for Congress requesting this report. While OPM touted Einstein as the reason they detected the Chinese intrusion into our security clearance records, nobody believed them. If you read this report, you know why.
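The GAO's first finding, signatures without baselines, is easier to see side by side. The following is an added example, not code from NCPS, GAO or DHS: a toy signature matcher next to a toy per-host volume baseline, run over constructed flow records (the hosts, destinations, patterns and baseline figures are all invented). The beacon with a known pattern is caught by the signature engine; the large upload with innocuous request text is caught only by the baseline check.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is one constructed, simplified flow record: internal host, external
// destination, bytes sent outbound, and the request text a signature engine sees.
type Flow struct {
	Host, Dst string
	OutBytes  int
	Request   string
}

// signatures are constructed stand-ins for the "known patterns of malicious
// data" the GAO summary says NCPS compares traffic against.
var signatures = []string{"EvilBot/1.0", "cmd.exe /c"}

// Baseline is a constructed per-host mean of outbound bytes per flow, as a
// behavior-based system would learn it from a known-good training period.
var Baseline = map[string]int{"ws-101": 2500, "ws-202": 1500, "ws-303": 4000}

// SampleFlows is one constructed day of traffic: a routine request, one
// beacon carrying a known-bad pattern, and one bulk upload whose request
// text matches no signature at all.
var SampleFlows = []Flow{
	{"ws-101", "news.example", 2600, "GET /index.html"},
	{"ws-202", "c2.example", 900, "GET /beacon User-Agent: EvilBot/1.0"},
	{"ws-303", "drop.example", 900000000, "PUT /archive.zip"},
}

// SignatureHits is the capability GAO credits NCPS with: a flow is flagged
// only when its request text contains a known pattern.
func SignatureHits(flows []Flow) []Flow {
	var hits []Flow
	for _, f := range flows {
		for _, sig := range signatures {
			if strings.Contains(f.Request, sig) {
				hits = append(hits, f)
				break
			}
		}
	}
	return hits
}

// BaselineHits is the capability GAO says NCPS lacks: flag a flow whose
// outbound volume exceeds the host's baseline by more than factor, however
// innocuous the request text looks. Hosts with no learned baseline are skipped.
func BaselineHits(flows []Flow, baseline map[string]int, factor int) []Flow {
	var hits []Flow
	for _, f := range flows {
		if avg, ok := baseline[f.Host]; ok && f.OutBytes > avg*factor {
			hits = append(hits, f)
		}
	}
	return hits
}

func main() {
	fmt.Println("signature hits:", SignatureHits(SampleFlows))
	fmt.Println("baseline hits: ", BaselineHits(SampleFlows, Baseline, 10))
}
```

Neither engine alone sees both events, which is the practical reading of the GAO line: a signature-only system is blind to anything that has no signature yet.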
Too Clever for Our Own Good
If ever there were a case when government was too clever for its own good, Corey Bennett and Katie Bo Williams [ Government software may have let in foreign spies, The Hill, 2 February 2016 http://thehill.com/policy/cybersecurity/267826-government-software-may-have-let-in-foreign-spies ] may have the story that captures it. We will never know if this story is pointing the finger in the right direction, but it makes for a thought-provoking article about what happens when governments get involved in putting back doors in commercial software and get caught. It damages both the commercial company and the government program.
Bennett and Williams point to a case with Juniper Networks ScreenOS, discovered last December, that may indicate a backdoor put into software by NSA may have been exploited by a foreign government for upwards of three years. ScreenOS is used in firewalls and VPN solutions offered by Juniper [http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html]. The Russians have been doing a lot of work in this area for quite a few years, but the Chinese are following along, particularly in forged domain certs and distribution of software. Both are undermining the core security functions of the Internet.
If we discover that the Russians or Chinese are doing something similar, the government usually classifies the discovery as Secret and will only tell people with security clearances. If this sounds narrow-minded, so be it. Nobody is ever going to say in public how the modified software got into a production item like ScreenOS. If we were to do something like the article implies, i.e. getting someone to put a backdoor in software they owned, we would classify that program as Top Secret and hardly ever tell anyone outside of a few people in government. So, almost always, the security and intelligence services of a country know more about this area than anyone else. The public never finds out what anyone is doing until there is no way to protect what has been discovered. That is what happened here. The discovery of the modifications to ScreenOS became public.
Most businesses do not want their products modified for any reason like the one the article talks about. If discovered, the impact on global business operations can be staggering. Our telecoms suffered from the loss of business related to the disclosures by Edward Snowden, even though they were not active participants. Other countries used it as an excuse to promote their own telecoms. In this case, it will be some time before users will be buying devices that use the software that was modified, even if it wasn't Juniper's fault that it happened. I can't see a business like Juniper allowing such a thing to occur, or failing to protect its supply chain for ScreenOS. They are too business savvy to allow such a thing.
There are other explanations for the kind of attack being portrayed here. First among them is the manipulation of code posted for distribution to these devices at the source, something the Russians and Chinese have done before. It is possible it has nothing to do with an "NSA backdoor" being inserted in the software. It could be the Russians modifying the code and getting it back on a distribution site for ScreenOS. That would be bad for Juniper, but not willfully bad, since they didn't cooperate in it being done. Users download an update and get modifications made by someone other than the manufacturer. There are several reports of this being done in the energy and oil management business, so it is not particularly new. The fingers usually point Russia's way.
Second, if this really happened the way they say, this would be the compromise of a Classified program operated by the Federal government. Like Stuxnet, it will be analyzed, copied, modified and back out for sale in no time. Nobody benefits from this kind of thing, least of all the countries that did the attack.
Other countries would love to say that this was something NSA did and it didn't work out very well, but there are other ways for the outcome to be the same that are more believable. When you look to wholesale interceptions of supposedly secure communications, NSA does not have a lock on the market anymore.
We still have a good bit to learn about security of software distribution and the general area of supply chain security. Let this be a lesson to those who have software they have to get to their customers. The damage to a business won't be easy or simple to overcome.
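The distribution-site scenario above (an update altered after the vendor published it) is the one a signed-release check is built to stop. The following is an added example, not Juniper's or anyone's production code, and it assumes an invented vendor that signs each release with an Ed25519 key whose public half is pinned on the device; the release name and image bytes are constructed. It does nothing against the other scenario the post raises, a backdoor compiled into the vendor's own build, because that image would be signed like any other.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is a constructed stand-in for a published firmware image plus the
// detached signature the vendor ships alongside it.
type Release struct {
	Name      string
	Image     []byte
	Signature []byte
}

// releaseDigest binds the image bytes to the release name so a valid
// signature for one release cannot be replayed under another name.
func releaseDigest(name string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so the name/image boundary is unambiguous
	h.Write(image)
	return h.Sum(nil)
}

// SignRelease is the vendor-side step, run in the build environment with a
// private key that is never placed on the download site.
func SignRelease(priv ed25519.PrivateKey, name string, image []byte) Release {
	return Release{name, image, ed25519.Sign(priv, releaseDigest(name, image))}
}

// VerifyRelease is the client-side gate run before anything is installed.
// The public key is pinned on the device, not fetched from the mirror, so an
// image altered on a compromised distribution site fails here even if the
// attacker also replaced any checksum file hosted next to it.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, releaseDigest(r.Name, r.Image), r.Signature) {
		return errors.New("release signature invalid: refusing to install")
	}
	return nil
}

// Tamper simulates a modified image on the distribution site (constructed:
// one byte of the image is changed, the signature is left untouched).
func Tamper(r Release) Release {
	img := append([]byte(nil), r.Image...)
	img[0] ^= 0xff
	return Release{r.Name, img, r.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignRelease(priv, "example-firmware-1.0", []byte("constructed image bytes"))
	fmt.Println("genuine image: ", VerifyRelease(pub, good))
	fmt.Println("tampered image:", VerifyRelease(pub, Tamper(good)))
}
```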