Air & Infrastructure
Don’t Let Hearing Titles Fool You – TSA Does Some Things Very Well
March 28th, 2012 - by David Olive
If Congress paid even one-tenth the amount of time trying to “fix” its own problems as it does in its petty meddling in the operations of TSA, the general public would have greater confidence in both organizations. Both entities could benefit from meaningful oversight and process improvement. But the joint hearing this week by the House Oversight and House Transportation committees was a one-sided effort, seemingly designed to point out problems without offering any serious solutions to those concerns – and it confirmed (yet again) for me why the Congressional labyrinth of DHS oversight needs to be addressed.
The Right Name for a Very-Right Award
March 28th, 2012 - by Rich Cooper
I have to admit, when I got the e-mail notice that DHS Secretary Napolitano had established the Rick Rescorla National Award for Resilience, I went, “Huh? What’s this about?” I drew a complete blank at the name, but then remembered – Rick Rescorla was an American hero long before he safely evacuated over 2,700 Morgan Stanley employees from the World Trade Center on the morning of September 11, 2001. DHS and the Secretary got this absolutely right when they selected Rick Rescorla as the namesake for the resilience award.
Critical Infrastructure – Making Congress the Scapegoat
March 27th, 2012 - by Jeff Gaynor
Last week, Homeland Security Secretary Janet Napolitano, speaking before the Senate Homeland Security and Governmental Affairs Committee, made a “dire prediction.” She warned the Senate that if Congress does not give DHS “the authority to designate critical infrastructure and set risk-based cyber security standards for it” [in] “a year or 18 months…we would have suffered a major infiltration or attack, and we will find that some part of our critical infrastructure was a gap.” The Secretary’s prediction and roundabout effort to foist responsibility on the Congress for her Department’s obvious lack of progress in assuring, beyond their protection, the operational resilience of America’s interdependent cyber and physical infrastructure challenges is — at best — ill-conceived.
Make Water, Not War
March 26th, 2012 - by L. Vance Taylor
Ten years from now, global water shortages are likely to threaten U.S. security interests. Ask the Director of National Intelligence, the Defense Intelligence Agency or someone from the Central Intelligence Agency; better yet, read the most recent National Intelligence Estimate. According to a senior U.S. intelligence official who briefed reporters on this issue (on condition of anonymity), there is an increasing likelihood that water will be “potentially used as a weapon, where one state denies access to another.”
A Preparedness Wake-up Call for Cyprus
March 21st, 2012 - by Daniel Kaniewski
Major disasters are relatively rare in Cyprus. Other than a magnitude 6.8 earthquake in 1996 that did not result in any casualties (but was the largest since 1953), annual wildfires and droughts, the island nation has generally avoided the brunt of manmade or natural disasters. But alas, tranquillity breeds complacency. In 2011, 98 containers of improperly stored explosives exploded in Cyprus with devastating impacts on human life, infrastructure and the Cypriot economy. Now is the time for Cyprus to address the hazards it faces.
National Security vs Paperwork – EPA Plan Threatens Water System Security
March 21st, 2012 - by L. Vance Taylor
There comes a time when sharing too much information is a dangerous thing, and this is what the Environmental Protection Agency is about to do. In June, the EPA plans to establish Internet access for the public to view the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s Risk Management Plans (RMPs). The announcement from the Office of Emergency Management cites burdens associated with Freedom of Information Act requests and a need from the FBI and others for greater access to non-OCA data. Here are my two biggest problems with what EPA plans to do.
Protecting Networks – Public or Private Sector Responsible?
March 14th, 2012 - by Anthony Macisco
The two distinctly different Senate Cyber-Security bills currently making their way through the US Congress respond to the ever-increasing cyber assaults on the US, and particularly the CIKR sectors. It is clear that action must be taken to further harden our IT systems from these asymmetrical and often successful attacks. But remember cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing on a two-way street.
Stuxnet Makes 60 Minutes
March 5th, 2012 - by Steven Bucci
The issue that many of us have discussed at length has now gone mainstream. 60 Minutes yesterday offered a report on Stuxnet that was actually fairly well done. Once again, cyber security has reached the apex of popular attention. Boy, if it would only stay there. The general public needs to understand that cyber security is more than just a matter of losing credit card passwords or getting one’s computer hooked into a spam-spitting botnet.
Critical Infrastructure Resilience – Effectively Addressing America’s Achilles Heel
February 27th, 2012 - by Jeff Gaynor
Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject; rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.
American Doctrine in Cyber Space
February 24th, 2012 - by Ronald Marks
Two of my favorite characters from the Muppets are called Waldorf and Statler – they sat in the balcony during the show and grumbled in their crusty, old states about the silly goings on below them. Allow me to introduce myself, I am Statler, and what the United States government is doing in cyber space is ridiculous. What we lack right now in cyber space is a doctrine from which comprehensive and sensible tactics and strategies can flow.
A Conversation on Cyber Security Legislation with Mike McConnell, Michael Chertoff and Congressional Staff
February 21st, 2012 - by Frank Cilluffo
Join The George Washington University Homeland Security Policy Institute on Wednesday, February 22 for a special Policy and Research Forum Series event featuring Vice Admiral Mike McConnell, USN (Ret.), former Director of National Intelligence, and the Hon. Michael Chertoff, former U.S. Secretary of Homeland Security. They will be joined by senior staff of the U.S. Senate and U.S. House of Representatives for a roundtable discussion regarding pending legislation to address the growing cyber threat to U.S. national security.
Large TSA Fine Prompts Question: Is Strict Compliance The Order of the Day?
February 16th, 2012 - by Stephen Heifetz
Last week, U.S. Attorney Joe Hogsett announced a $1 million fine against OHL Solutions for intentionally failing to screen cargo in accordance with TSA rules. The TSA investigation began in December 2010, and this fine was not a shock to many observers – even before that investigation began, several of us noted that serious TSA enforcement actions seemed just around the corner. But this enforcement action does give rise to a problem – since TSA security plans are so complex and unwieldy, how is it possible to comply with the letter of the law?
Cyber Protester Threat Gains Ground on Physical Counterparts
February 13th, 2012 - by Sam Rosenfeld
Cyber-protest reflects cyber-warfare in its advantages over its physical counterparts; it is difficult for law enforcement to identify and prosecute the cyber-perpetrators. Cyber assaults in all forms are economical to conduct and the financial returns are overwhelming – causing potentially millions of dollars in actual and reputational damage with an attack like the one on Sony or STRATFOR (where payment information was compromised and published causing reputational damage) at a fraction of the cost. Companies MUST understand their protestor risk, particularly online.
The Effect of Cyber on Intelligence
February 10th, 2012 - by Steven Bucci
Let’s start with a quiz. Who is the biggest spy in modern US history? If you said Aldrich Ames, or Robert Hanssen, you’d be wrong. It was PFC Bradley Manning, of WikiLeaks fame, who despite being a very junior analyst in a tactical military HQ, gave away to his accomplice/handler Julian Assange more volume of stolen intel than anyone ever. Bottom line, cyber has changed the world of intel, and this is just one example.
Working with Homeland Students – A Grand Opportunity, A Great Relationship
February 6th, 2012 - by Steven Bucci
I spoke to students at the Naval Postgraduate School Center for Homeland Defense and Security. The school helps military officers get their master’s degrees, but mine was not a military audience at all – many were homeland leaders from throughout the public and private sectors. To be sure, America has gained a lot since the 9/11 attacks, part of which is a brotherhood shared by all homeland professionals.
Napolitano’s Announcement Omits Cyber Threat to Global Supply Chain
February 3rd, 2012 - by Guest Contributor
By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.
White House Releases National Strategy for Global Supply Chain Security
January 27th, 2012 -
By Seth Stodder
This week, the Obama Administration released its long-awaited National Strategy for Global Supply Chain Security. The strategy articulates the Administration’s vision for working with the international partners and the global private sector to both promote the efficient and secure movement of goods throughout the global economy, and also foster the development of a supply chain system more resilient to major disruptions.
Steve Bucci Talks Cyber with Federal News Radio
January 17th, 2012 -
Security Debrief contributor Steve Bucci spoke to Federal News Radio’s Francis Rose about things to watch in the cyber realm in 2012. Check out Steve’s interview on In Depth with Francis Rose to learn more about progress in deciphering Stuxnet and Duqu, as well as cloud computing and other cyber issues.
When Cupcakes Kill
January 11th, 2012 - by Rich Cooper
For the past few years, the country has endured a cupcake craze of sorts. Recently, a traveler in Las Vegas had her red velvet cupcake, which was baked into a glass jar for delivery/presentation purposes, confiscated out of concern about the contents of its frosting. Whereas cupcakes in similar jars and boxes had passed through other airport screening without concern, this time the cupcake was a “no go.” The facts are what may appear harmless may not be, and what TSA was doing was its job.
Looking Back at Cyber in 2011, With Some Forward Looking Too
January 9th, 2012 - by Steven Bucci
It was a busy year in cyber, and there were a lot of interesting developments. From Stuxnet to social media revolution in the Middle East to smart grid security, 2011 was a challenging year. Looking ahead, we need to continue securing our networks and developing awareness and education programs.




