Adfero Group HSPI

I know lots of people who have written about how “wild” the cyber realm is today, and the lack of “rules” makes it a Hobbesian State of Nature. The bottom line is that in cyber, there is an incredible freedom to digitally take matters into ones own hands. The concept of nation states having a monopoly on the instruments of power is simply not true in cyber, and it does not matter how big ones biceps are if you can work a keyboard.

By Rob Strayer
The decision from the U.S. Court of Appeals in a lawsuit challenging the Transportation Security Administration’s use of Advanced Imaging Technology machines is that they do not constitute an unreasonable search under the Fourth Amendment to the U.S. Constitution. What is significant is the D.C. Circuit’s holding that TSA failed to provide notice and solicit public comments on a new rule that passengers undergo a mandatory whole body scan or a pat down. The court’s decision will have potentially far ranging effects on the Department of Homeland Security and other agencies that seek to implement new security measures.

Social media posts are becoming the new digital fingerprints for law enforcement, providing critical tips and leads on criminal activity. Yet most law enforcement agencies aren’t monitoring or using social media sites to gather intelligence. If an individual in your business district began shouting threats at the crowds, how long would it take for police to be notified and respond? How quickly would your agency respond to the same threats voiced over Twitter, Facebook or the other social media channels?

It is all but impossible for DHS to fulfill its mission of protecting the homeland when the bureaucratic processes they must work with fail to recognize that sometimes a partial solution is better than a delayed solution. Last week the House Homeland Security Subcommittee on Investigations, Oversight and Management held a hearing on technology acquisition. I have little hope that GAO will ever understand the real-world environment in which homeland security acquisition ought to occur. The GAO report released to coincide with the hearing shows me that they just don’t “get it.”

“Wheels stop.” With those two words, the era of the Space Shuttle officially closed. Those two words are traditionally spoken by the Shuttle Commander as the orbiter comes to a complete stop. Today’s space shuttle landing means 6,300 people will be laid off and the Johnson Space Center’s Mission Control will fall silent. For now, we will have to wait until we see what the private sector can provide for a new era in human spaceflight.

OK, I admit to being a Star Wars fan. One of the films’ story lines is the Empire’s attempt to strike back against the rebel forces and crush them. As in time honored tradition back here on Earth, the strategy never works. Watching the not-so-swift vengeance of governments against the Lulzs of the world after the recent spate of internet attacks – well, here we go again.

John Villasenor at Brookings released “Cyber-Physical Attacks and Drone Strikes: The Next Homeland Security Threat,” that is well-worth the time to digest. While the thrust of the paper was to highlight the potential ability of U.S. adversaries to use UAVs to launch a cyber-physical attack, I could not help but think of how such unmanned vehicles might be used for reconnaissance and surveillance purposes along the border. While CBP pursues a “one size fits all” strategy of using Predator UAVs as their sole unmanned platform, the rest of the world apparently sees the advantages of using a mix of significantly smaller unmanned aircraft for surveillance purposes.

It is a legitimate question to ask what we are getting for our money. An even better question, and one that is not so frequently asked, is “Could we have gotten something better for the money we spent?” CBP celebrated 10,000 hours of Predator UAV flight recently, but bragging about that is similar to a hypothetical pizza parlor owner bragging about how the Humvee his shop uses to deliver pizzas has never failed in delivering pizza to his customers. In my mind, only a foolish person would buy a $20,000 slice of pizza, no matter what toppings were on it. Someone needs to ask if the Predator is CBP’s equivalent of that slice of pizza.

I have called many times for better cyber personal hygiene and still believe we need to seek it, teach it, and require it as at least a partial mitigation element. I have even said that “you cannot secure against stupid.” Yet, a colleague argued that technology design should do a better job of protecting users. Here is an article – followed by my colleague’s commentary – on this interesting question: who is to blame for our cyber problems?

One of the more interesting parts of the rejuvenated Anarchist movement has been the adoption of Guy Fawkes as a hero. The Internet movements like Anonymous and a number of other Lulzs have been doing their level Guy Fawkes’ best to flex their muscles against the man. And so Uncle Sam, in the guise of the U.S. Government, is finding out the wild frontier of cyber space is not about to be intimidated by Washington laws or declarations. We focus on nation states. In the new frontier, all the Guy Fawkes are the same.

There are now criminal turf wars going on over the thousands of computers that comprise botnets across America and the world. This “invisible” conflict is unknown to most computer users in America. Botnets can be used to search for and steal money, financial data, passwords, and intellectual property. The size of some of the botnets out there rival and surpass the capabilities of most nation states, and the guys who control them are NOT the good guys.

I have closely watched the reaction to the Obama Administration’s recent moves on cyberspace – 20th century mentalities dealing with a 21st century problem. This frontier is without rules or rulers. However, we have not only a national stake in cyberspace through our defense structure; we also have a vast commercial stake with our banking, electrical and other major national industries depending on its viability and safety. We are at the end of the beginning of cyberspace and the lawless frontier.

Many commentators will point out that the biggest hindrance to wide acceptance of the cloud model for enterprise computing is doubts to its security. For many folks, this concern is real. Can the cloud be secured? Absolutely yes! But we should not be unwise. If the cloud is beckoning you, you have responsibilities as a potential consumer.

House Republicans just unveiled their lean budget for the Department of Homeland Security. Asking DHS to make do with less is reasonable, but precluding DHS from buying more passenger scanning machines – as the new budget makes a point of doing – is foolish.

The cyber conference world continues to grow. There are several dozen cyber-specific events in the next few weeks. This is indicative of a couple things. First, it shows the entire cyber field is still growing unabated and that we are taking it seriously, and second, it shows that lots of conference builders are riding the train. For my part, I’ll be participating in some upcoming cyber events this month.

Many are still fighting what they see as the “good fight” to keep social media (Facebook, Twitter and their ilk) banned from enterprise computer networks. But I’m a security guy. Why am I defending social media when nearly everyone who has any knowledge of this subject says they introduce potential vulnerabilities into networks? It is because I am also a realist. Social Media does introduce vulnerabilities, but we are not going to live without it.

The leadership of the Financial Sector has met in Miami to discuss and learn how to improve their cyber security posture. The financial sector is frankly one of the most lucrative targets available to cyber criminals and other miscreants. For a nation like ours, which is built on democratic capitalism, what sector carries more symbolic value than the financial sector?

I love watching the latest fool-proof Internet technologies and buzz words come along. Sadly, our homeland security is tied to these new technologies, and we are made more vulnerable as a result. Recently, Amazon quietly admitted there was a failure in their system. A failure, by the way, that mucked up not only their works but plenty of others as well.

This past week, McAfee, in conjunction with CSIS, released a report titled, “In the Dark: Crucial Industries Confront Cyberattacks” at the National Press Club. The threats to control systems and other critical infrastructure are severe and changing and while words have been expended on the subject, precious little action to actually protect it has been taken. The report revealed this and other insights.

The FBI has been trumpeting an apparently unprecedented action – obtaining a court order from U.S. District Judge Vanessa Byrant permitting taking over servers that had been communicating with a “botnet” called Coreflood, a malicious software that infects Microsoft windows-based computers. Coreflood is designed to steal usernames, passwords and financial information.