Adfero Group HSPI

By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists.

Earlier this month, I was at Rutgers University and fortunate to hear retired U.S. Coast Guard Commandant Admiral Thad Allen speak at the 2nd annual Maritime Risk Symposium. In his address, Adm. Allen developed a theme in discussing resilience that I believe bears greater and deeper discussion. He discussed the Joplin, Missouri, tornado devastation this past spring. At the center of this lesson is a school teacher – it is the story of Dr. C.J. Huff, the young teacher-turned-school superintendent who demonstrated resilience in practice.

I am always a few days late on blogs related to big days. I guess it takes the day itself to jog my thoughts sufficiently to write something. Bottom line today: We have a lot to be thankful for here in America. Are we a perfect society? No. Do I wish we were better at meeting the needs of everyone in our country? Absolutely. Is any other place in the world better at that pursuit? An emphatic “NO.” Thank you Lord for allowing me to be born in America.

The first question asked in the Republican Presidential debate last night was on the Patriot Act—and all the candidates got it wrong. The investigative authorities in the act were described as something extraordinary—something special for the needs of national security. That is just incorrect. It is stunning that a decade after 9/11 so much misinformation about the act still pervades the public debate.

As happy/relieved as I am to know that the Russians aren’t out to disrupt our water services, it is important to note that a water system in South Houston was the victim of a real cyber attack. (You’ll recall it occurred in direct response to DHS downplaying of the reported situation in Illinois).The would-be attack, and the actual one, are stark reminders that the threat of cyber attacks are real.

More than a year ago, then-Chairman of the Joint Chiefs of Staff Adm. Michael Mullen spoke about how our growing national debt was becoming a national security threat. It was a stunning statement. With that as a backdrop, along with the federal budget drama of the past year, Congressional leaders pledged to work together, forming a so-called Supercommittee. After much discussion and pandering, we now have our end product – Failure. In fact, it’s bigger than failure… it’s an absolute surrender of leadership.

I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting. Frankly, I don’t know what the Water Plant incident really means, but at this point neither does anyone else. Can we afford to dismiss it, even if it turns out to be amateur hackers? I have said this before; the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries.

According to multiple reports last week, a Russian-based hacker launched a cyber attack on a drinking water utility in Illinois that destroyed one of its water pumps. Not only does this mark the first successful international cyber attack on U.S. critical infrastructure, but it’s going to serve as a rallying cry for adversaries and idiots everywhere to try taking down drinking water and wastewater systems. Simply put, this attack is a game changer.

The newest threat to police from hardline protestors is “doxing” – the photographing of police and publishing their personal details, and sometimes that of their families, to the Internet. This tactic has been used to attempt to intimidate officers during events with protestors calling out officers’ names as they film and telling them they will be “doxed.” This tactic is an import from the hardline protest movements in Britain and should be of significant concern to police at all levels of operations and command, although it does have a very simple remedy.

The TSA and the aviation industry acknowledge the unrealistic goal of screening 100 percent of all air cargo that enters, crosses or leaves the country. Some members of Congress, never to miss an oversimplified political solution to a complex problems, call for even more screening than we already (don’t) have.

The last several months in D.C. have witnessed a series of Executive Orders, proposed legislation, bureaucratic action and public bickering over how to “defend” cyberspace. This dividing up of provinces of responsibility in cyberspace is interesting. It is a lovely 20th century way of dealing with a 21st century problem. Setting boundaries in the boundless frontier. Those seeking to harm cyberspace must be laughing up their collective sleeves or Guy Fawkes masks.

The House Homeland Security Subcommittee on Border and Maritime Security held a hearing on how DHS and law enforcement agencies could take advantage of technology used by the Department of Defense. Many DoD systems have a significantly higher cost for civilian agencies than other technologies due to operational complexity and crew requirements. What better example do we have than the CBP’s use of the Predator UAV, which some estimates say costs $32,000 per illegal alien apprehended.

American citizens love their soldiers, a phenomenon that sometimes mystifies people from other countries. For those who offer their service and their life to defend and advance our interests, Americans are quick to offer thanks and praise, as they should. Our veterans and active duty troops deserve it. Yet, for a country that so clearly respects and appreciates its military, we sometimes forget that after the service is done, our veterans must have access to the opportunities, jobs and rewards they fought to protect. This, unfortunately, is not always the case.

The treatment of protestors as the enemy at National Significant Security Events is the most counter-productive action law enforcement could think of. If one is running a policing effort during a NSSE, surely the principal information tool during the final hours before an event and during that event is the population itself. However, by treating all protestors as potential terrorists and critical threats, police significantly reduce the likelihood that protestors will “see something, say something,” because the police have chosen a confrontational relationship rather than a collaborative one.

When the news broke yesterday with rumors and news reports that former DHS Secretary Tom Ridge could be in the running to be the next President of Penn State, I have to admit to some very mixed feelings. They weren’t negative mixed feelings but rather selfish ones. As one of the people fortunate enough to serve under Ridge in the early days of DHS, I got to observe one of the most dynamic individuals I’ve ever met in my life. If his move to Penn State should come to pass, the institution will gain someone who not only can navigate the most dangerous of seas but bring people together in service in ways never done before.

Richard Clarke is at it again. In a conference this week, he stridently appealed to the audience. He warned that the President aught not consider going to war any time in the near future. This because our cyber capabilities are so weak and America’s enemies are sure to use cyber attacks against us. Dick Clarke is a competent and farsighted man who has served this Nation long and well. Why does he seem to relish wallowing in hyperbole? We are NOT boxed in by our cyber insecurities to the point of having no options.

I welcome you to join us on Thursday, November 10, 2011 from 2:00 – 3:00pm for an HSPI Policy and Research Forum event featuring John S. Pistole, Administrator of the Transportation Security Administration (TSA). Mr. Pistole will discuss risk-based, intelligence-driven counterterrorism efforts, and will highlight the layered security approach and advances of TSA technology over the last decade.

For months, DHS has made considerable effort to engage the public with its “See Something, Say Something” campaign. Over the past few days, however, I’ve been wrestling with instances where people who saw and heard some things and did nothing. Take the murder of Jayna Murray in Maryland, the child sex abuse indictment against a Penn State football coach, and a Chinese toddler struck by cars and left helpless in the street. I can offer no acceptable form of explanation for these terrible instances other than to say we’ve failed all of them as friends, neighbors and fellow human beings.

It has been four years since Congress made the bone-headed move mandating 100 percent screening of passenger plane cargo. Serious risk management is not Congress’s bag, as the institution demonstrates often. Fortunately, some elements within DHS sought to forge a new path, wisely piloting a program to conduct risk analyses of inbound air cargo and to focus DHS’s resources on the high-risk cargo, rather than attempting to subject all cargo to the same level of physical screening. This “risk-based” screening has been successful for DHS in other contexts.

Last week, the Senate Homeland Security and Government Affairs Committee held a hearing reviewing TSA screening procedures 10 years after 9/11. The buzz word of the hearing was “risk-based.” This has been characterized in some reporting as TSA’s newest screening strategy. In fact, risk-based screening has been attempted at TSA and DHS for years. The “news” is TSA’s public re-commitment to risk-based screening after several check-point screening miscues went viral.