Once again, I was honored to do a presentation for the DHS-sponsored Center for Homeland Security and Defense. This long-term, comprehensive course introduces operational leaders from law enforcement, fire fighting, emergency services, public health, and federal agencies to a wide array of issues, and propels them to intellectually “punch above their weights” in a way that makes them even bigger assets to the Nation than they were when they began. These folks are like sponges – they push one another and their instructors, demand proof, and are skeptical in a healthy way.
April 13th, 2012 - by Janice Kephart
For the past month, the Homeland Security Show I host is spotlighting issues in homeland security without the interlude of media packaging stories into three-minute segments or subjected to political hyperbole from Capitol Hill. This is not a show about thrillers, even if some of the content is more twisted and strange than most science fiction. Here is a rundown of my guests and show topics and some of our upcoming broadcasts.
When I was a Deputy Assistant Secretary of Defense, every time we tried to do something – like develop cyber security capabilities – we were accused of cravenly seeking new budget allocations. Yet, the only reason I have been, am now, and will continue to push cyber as a key issue is that I believe it is one. In a recent Foreign Policy article, Thomas Rid argues the cyber threat is not real. I sincerely wish he were correct. He is sincerely wrong. Denying threats does not make them go away.
The EPA was set to disregard the counsel of the Department of Justice, water system owners/operators and security experts by posting the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s RMPs this summer. Amid industry outcry, the EPA changed course and decided to postpone re-establishing public Internet access for certain highly security sensitive categories of information collected by its Risk Management Plan (RMP) Program. Irwin Fletcher said, “It takes a big man to admit when he’s wrong. I am NOT a big man.” Such is the case with the EPA.
March 27th, 2012 - by Jeff Gaynor
Last week, Homeland Security Secretary Janet Napolitano, speaking before the Senate Homeland Security and Governmental Affairs Committee, made a “dire prediction.” She warned the Senate that if Congress does not give DHS “the authority to designate critical infrastructure and set risk-based cyber security standards for it” [in] “a year or 18 months…we would have suffered a major infiltration or attack, and we will find that some part of our critical infrastructure was a gap.” The Secretary’s prediction and roundabout effort to foist responsibility on the Congress for her Department’s obvious lack of progress in assuring, beyond their protection, the operational resilience of America’s interdependent cyber and physical infrastructure challenges is — at best — ill-conceived.
March 14th, 2012 - by Anthony Macisco
The two distinctly different Senate Cyber-Security bills currently making their way through the US Congress respond to the ever-increasing cyber assaults on the US, and particularly the CIKR sectors. It is clear that action must be taken to further harden our IT systems from these asymmetrical and often successful attacks. But remember cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing on a two-way street.
The issue that many of us have discussed at length has now gone mainstream. 60 Minutes yesterday offered a report on Stuxnet that was actually fairly well done. Once again, cyber security has reached the apex of popular attention. Boy, if it would only stay there. The general public needs to understand that cyber security is more than just a matter of losing credit card passwords or getting one’s computer hooked into a spam-spitting botnet.
February 27th, 2012 - by Jeff Gaynor
Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject; rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.
Two of my favorite characters from the Muppets are called Waldorf and Statler – they sat in the balcony during the show and grumbled in their crusty, old states about the silly goings on below them. Allow me to introduce myself, I am Statler, and what the United States government is doing in cyber space is ridiculous. What we lack right now in cyber space is a doctrine from which comprehensive and sensible tactics and strategies can flow.
A Conversation on Cyber Security Legislation with Mike McConnell, Michael Chertoff and Congressional Staff
February 21st, 2012 - by Frank Cilluffo
Join The George Washington University Homeland Security Policy Institute on Wednesday, February 22 for a special Policy and Research Forum Series event featuring Vice Admiral Mike McConnell, USN (Ret.), former Director of National Intelligence, and the Hon. Michael Chertoff, former U.S. Secretary of Homeland Security. They will be joined by senior staff of the U.S. Senate and U.S. House of Representatives for a roundtable discussion regarding pending legislation to address the growing cyber threat to U.S. national security.
February 13th, 2012 - by Sam Rosenfeld
Cyber-protest reflects cyber-warfare in its advantages over its physical counterparts; it is difficult for law enforcement to identify and prosecute the cyber-perpetrators. Cyber assaults in all forms are economical to conduct and the financial returns are overwhelming – causing potentially millions of dollars in actual and reputational damage with an attack like the one on Sony or STRATFOR (where payment information was compromised and published causing reputational damage) at a fraction of the cost. Companies MUST understand their protestor risk, particularly online.
Let’s start with a quiz. Who is the biggest spy in modern US history? If you said Aldrich Ames, or Robert Hanssen, you’d be wrong. It was PFC Bradley Manning, of WikiLeaks fame, who despite being a very junior analyst in a tactical military HQ, gave away to his accomplice/handler Julian Assange more volume of stolen intel than anyone ever. Bottom line, cyber has changed the world of intel, and this is just one example.
February 6th, 2012 - by Steven Bucci
I spoke to students at the Naval Postgraduate School Center for Homeland Defense and Security. The school helps military officers get their master’s degrees, but mine was not a military audience at all – many were homeland leaders from throughout the public and private sectors. To be sure, America has gained a lot since the 9/11 attacks, part of which is a brotherhood shared by all homeland professionals.
February 3rd, 2012 - by Guest Contributor
By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.
January 17th, 2012 -
Security Debrief contributor Steve Bucci spoke to Federal News Radio’s Francis Rose about things to watch in the cyber realm in 2012. Check out Steve’s interview on In Depth with Francis Rose to learn more about progress in deciphering Stuxnet and Duqu, as well as cloud computing and other cyber issues.
January 9th, 2012 - by Steven Bucci
It was a busy year in cyber, and there were a lot of interesting developments. From Stuxnet to social media revolution in the Middle East to smart grid security, 2011 was a challenging year. Looking ahead, we need to continue securing our networks and developing awareness and education programs.
January 9th, 2012 - by Nadav Morag
The Israeli media has been awash in reports of an alleged Saudi hacker that goes by the online name of OxOmar and has posted the credit card information, national ID numbers and addresses of thousands of Israelis. According to recent reports, that person may turn out to be nineteen-year-old Omar Habib, who resides in Mexico. Some others, though less convincingly, have alleged that the origin of the attack lies in Iran. Ultimately, the origin and motivations of the cyber attack are less interesting than the nature of the vulnerability that it exposes.
I have opined on the growing threat to the security of mobile computing before. Most people use some sort of mobile device, but how many of them do you think have security measures loaded on them, or even have passwords? We need to get people cognizant of their mobile security requirements, so they stop “walking about naked” from a technological standpoint.
America’s intelligence community finds itself pressed to deal with the “Wild West” frontier of an ever-expanding cyber space. From Twitter to blogs to e-mail, the changes are coming hard and fast for governments, businesses and individuals worldwide. The challenges for the American policy maker and the intelligence community are simple and yet hugely complex. So far, by our own admission, we appear not to be passing the grade.
One of the keynote speakers at last week’s Cyber Conference at the Walter Washington Center was Ed Amoroso, the CTO of AT&T. Ed is brilliant, well spoken, and as funny as any speaker I have heard lately. He also has a practical and accurate view of the challenges we are facing in the cyber realm – including LAN protection, botnets and mobile security. He raised lots of great issues and challenged the audience to work out the solutions.