The Obama Administration is Failing the Reliability Test

by Stephen Bryen

It would not surprise me if Israel’s Prime Minister Benjamin Netanyahu does not soon wind up in Moscow working out a strategic deal with Russia’s President, Vladimir Putin.  The reason would not be hard to find.  Israel is facing an existential threat from Iran, has lost all trust in the Obama administration, and has been vilified by unnamed Obama administration people.

There is an old political story that starts out when the late Senator John Sherman Cooper was asked to campaign for a friend.  Arriving at a country store and standing on a soapbox, the good Senator delivered his campaign talk. Just halfway through a voice in the back hollered, “Your full of beans!” (The actual word is not beans, but as a matter of propriety I will tell the story my way.)  The Senator, taken aback, regained his composure and continued, only to be once again greeted by the same exclamation from the old man in the back of the room.  At this point, he rapidly concluded his remarks and got down from the soapbox.  A number of local folks gathered around and apologetically told him, “please don’t believe what that old man hollered to you. He is addle-minded.  He just says what he hears.”

In fact, the anonymous words directed contemptuously toward Netanyahu had to come from the top.  Which is why the White House, trying to mitigate the harm done, could not apologize.  The boss would not tolerate an apology and anyway no one would have the guts to ask him.  So, as they say. the White House just put out that openly saying such things was counterproductive.

Any second-rate analyst in Israel would already understand that the statement came from the top. From this what would they conclude?

Aside from confirming what they already understood regarding personal relationships between Obama and Netanyahu, there was no surprise. But a deeper look reveals much more.  The United States was not any longer a reliable partner.

The question about American reliability has been growing for some time.  It has two dimensions: the strategic posture of the United States in the Middle East; the US-Israel “alliance” as the second.

The US has moved far ahead in jettisoning its friends in the Middle East, denouncing Egypt, faking it with Saudi Arabia, tolerating Turkey’s suppression of their military leaders who for decades supported the United States, and playing fast and loose with Israel’s security.

The US relationship with Iran has shifted significantly and the US has unleashed strategic trade deals with Iran, using its more than willing European allies as a front.  All of this to grease the wheels of a nuclear deal that will be announced after the mid-term elections.  There is a good probability that the Iran nuclear deal will have side arrangements that won’t be made public.  One suspects the Israelis may already be tracking them.

In the recent Gaza war the United States froze the delivery of Hellfire missiles.   Hellfire missiles, as the Pentagon will tell you, are precision tools to be used to remove targets with as little collateral damage as possible.  Freezing their delivery effectively pushed Israel into using other weapons to counter Hamas’ rockets.  So why did the administration do it?  To show its ire at Israel, possibly, but also in a truly Machiavellian twist, to force the Israelis to cause more Palestinian casualties. This hardly qualifies how an ally should treat its partner.  It is paradoxical that in the White House briefing over the “chickens..t” comments, the Press Secretary was anxious to put across how the US helps Israel and that it was Obama who led the charge to get Israel’s Iron Dome program funded.

From the inception of the Jewish state there was always a Russian hope, based on the fact that many of the Palestinian Jews were either socialists or communists, that Russia could strategically align with Israel.  The USSR was the first state to recognize Israel diplomatically.  A few years later the Russians decided that the Jewish state was going to be anti-communist, so the Russians embraced Arab socialism and dropped Israel. Today Russia is not communist and Putin and Netanyahu have a positive relationship.  Israel has an interest in persuading the Russians to help stop the Iranian march to nuclear weapons.  Putin has an interest in putting as much pressure as possible on the United States.  This creates options for both countries.

The Obama administration’s side switching and unreliability is very costly and dangerous.  American power and influence in the Middle East is at an all time low.

Time to Dump Microsoft and Google

by Stephen Bryen

It is time for the US government, critical infrastructure components, the military and important businesses to dump Microsoft and Google.  The products of these two companies, and many others, built primarily for entertainment have no place in sensitive government and business operations.  All of them represent a time bomb whose chain reaction has already started. The constant hacking and intrusion of these systems is robbing the American taxpayer blind and undermining national security.

Our government has long been two-faced about the vulnerabilities of popular operating systems, open source software and the total lack of security that dominates America’s software industry.  That’s because NSA and other intelligence organizations in the US government take advantage of the stunning weakness of these platforms for spying. So, while the government opines about hacking and foreign governments, it is busily at work spending billions of dollars to spy on anyone and everything.

I am not at all against government spying.  It keeps me and my family safe.  It is important and if we decide to curtail it we may pay too high a price enabling terrorists and foreign regimes to bring harm to our country.

My problem is that the two faced approach has blocked any chance to put real security in place for critical computer networks providing essential services, and it has left our military vulnerable to hacking.  Today we know that our energy companies, banks, transportation systems, even our health care delivery has been heavily assaulted from within and without, by foreign and domestic hackers.  Key defense programs have been compromised and billions of dollars worth of data stolen. Important stealth combat systems have been stolen.

America is a rich country, one of the richest in the world. But can we afford the losses we are taking?  Because of the two faced approach, we do not have accurate reporting on how much has gone out the window, but it is a lot. Our government will not own up to the true danger so long as its spying trumps security at home.

Risks are multiplied by the fact that almost all our computer hardware comes from China.  Certainly American companies make some of it although production is abroad, but none of that really matters.  The opportunity to slip micro code into mobile phone and computer platforms is there and plain to see.  But our government offers no guidance on this sore subject, and in fact continually encourages production outside our borders.

Surely at some point in the not so near future tragedy will strike.  Someone will penetrate a nuclear power plant and generate a Three Mile Island type disaster; or Amtrak will end up with trains on the same track heading in opposite directions; or the power grid will go out as it did on overload in 2003; or Air Force One’s elaborate systems could cause a crash landing.  There are plenty more dire scenarios.

The Chinese have got sick and tired of NSA and GCHQ. Thus China is investing in new hardware for its government and military systems and a Chinese operating system without Google and Microsoft.  In a few years China will be better protected than America.  Maybe we should pay attention.  What the Chinese are doing is not just a curiosity.  It is a serious investment that may give them more secure systems than we have.

We waste billions each year trying to graft security onto open, public computer systems and networks that were never build to be secure. Thousands of software engineers from all over the world work for America’s software companies.  Computer technology has become so globalized that trying to manage production and keep any semblance of security is strictly impossible.  Recent bugs found in open source software widely used in all computer systems came from Germany.  It could just as well come from France, the UK, India, Israel, Singapore or China. It seems everyone is playing in this field and these is zero auditing of the final products.  The rush is to get to market.  It can be patched later!  But as we know, once a vulnerability is introduced, it lives on.  The myriad systems that use these products can’t possibly track the known bugs; and the unknown holes in the system rise to the surface at an increasingly fast tempo.

No one can, or needs to, fix the globalized software and hardware industry.  What is needed is a trusted solution that is available only to qualified government, military and critical industries that is build on rigorous, tested security standards and on hardware that is strictly controlled in the United States.  Building a secure system is costly, but the investment is far less than what is going out the window today and certainly less than the risk exposure we currently have.

Some would say that a trusted solution will not stay up with the times and will become a costly and useless artifact.  There are two answers to this complaint.  A security system has a limited purpose and is not like commercial systems with features more geared to entertainment than productivity. Moreover, a security based system should not be divorced from the real world. If important communications, processing or data management solutions are important and attractive, nothing would prevent these from being adapted to a security-based system.

I am far from optimistic our government will throw out Microsoft and Google and all the Chinese hardware it has bought. But without a new way of protecting ourselves we will pay dearly for our government’s short sighted approach to protecting its citizens.

Tagged , , , , , ,

Hacking Back and the Cyber Balance of Power

The Washington Post carried a front page article on October 10th “Hacked Firms Quietly Talk about Fighting Fire with Fire”  about growing corporate anger over successive cyber attacks.  The new theme: go on the offensive.  Hack back!

They are not alone.  The Pentagon has set up a secretive unit called Plan X which is supposed to fight back against hacking. Its “rules of engagement” are classified, and nobody really knows if Plan X is operational or pie in the sky.

But how would “hacking back” work?  The corporate approach, as reported in the Post, seems to be that one can attack the hackers, send them bogus information, as a way of closing them down.  Would this work?

Most of the really bad hacking, attacks on government computers and networks and on America’s critical infrastructure is foreign government sponsored.  The latest banking attacks are thought to be Russian-sponsored, Putin’s reaction to American-led sanctions because of the Ukraine crisis.   And the Senate Armed Services Committee has found that American defense companies are being systematically looted by China through cyber espionage.

Well-financed foreign governments do not directly launch attacks on American companies or our government and military. They would be foolish to do so, especially since they have plenty of other options.  The Russians and Chinese have cadres of hackers who can operate on their behalf.  Occasionally these state-sponsored “independent” hackers make a few extra dollars by stealing credit cards and emptying bank accounts.  Sure you can hack them back, but they will just get another computer and do it again.  Living abroad they are beyond American law enforcement.  The FBI may want to investigate; one can expect few results.

Then there is the problem of recognizing that a hack has occurred.  A study by Verizon which was done with the cooperation of many businesses, security firms and government experts points out that it often takes a long time to uncover an intrusion. If you don’t know you have been ripped off you may in the end find your coffers empty when it is too late.

The level of angst circulating in business and government circles caused by huge financial losses from cyber intrusions (one study says $300 billion per year goes out America’s cyber “pipeline”) suggests we are rapidly reaching a tipping point. The security model we are trying to apply is a failure.

In fact as I have pointed out elsewhere, the security model we have cannot work for the simple reason that it is impossible to protect computer networks when the networks, fixed and mobile platforms, and transmission equipment are composed of open-source computer code and foreign sourced hardware, predominantly manufactured in China.  The time has come for the government to realize we cannot protect America’s resources or critical systems such as telecommunications, energy, health care and banking if they are running on foreign produced equipment and globalized software.

And there is more.

It makes no sense to go after hackers who are employed by foreign governments.  If we want to be serious when our banks are attacked or our nuclear power plants are damaged we have to respond in kind.  This is the ancient rule of warfare. We need to establish a cyber balance of power.  To do so, we have to act like a grown up superpower that is no longer willing to be picked on by hackers and intruders ad nauseam.  It is doubtful the Pentagon’s Plan X rules of engagement allow it to attack the other guy’s critical infrastructure, but maybe they should. If the White House is timid maybe Congress can put some backbone into our leadership.

Successive administrations have kicked the ball down the hall on cyber security.  Leaders have bought into the idea that there is some nice solution just around the corner and all we needed to do is to be more rigorous, spend more money, and apply the right security safeguards. If anything, as spending on security has increased, so have cyber attacks.  There is no empirical evidence that more spending has produced anything approaching a cure.  While it may get them off the hook by throwing more dollars at the problem, a more serious and comprehensive approach is needed and soon.  That approach is tit for tat for those attacking us, and weaning our computer networks and communications systems off  weak, compromised software and Chinese-made hardware.  We would not give our soldiers rifles made in China?  Why do we run our nuclear power plants and government computers on Chinese supplied parts?

The partying going on in Beijing and Moscow will go on until we get serious.  We are still buying the beer.

Tagged , , , , , ,

The “StealthGenie” Complaint May Not Accomplish Anything

[Update: It turns out that police departments around the country have been giving out software so parents can monitor their kids computers, tablets and phones. This controversial spyware distribution flies in the face of the Justice Department's StealthGenie indictment --in fact it makes Justice likely to lose the case if it is ever adjudicated.  It is indeed strange that the DOJ failed to do its homework and seems to have taken a Don Quixote-like approach to the problem, leaving out most of the really bad stuff to go after one amateur.
See http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/ for one report on the matter.]

Two US Assistant United States Attorneys, Kevin Mikolashek and Jay Prabhu have filed a civil Complaint (Civil No. 1:14-ev 1273) against Hammad Akbar for selling a spyware product called StealthGenie. StealthGenie is an APP that works on a variety of smartphones. The APP surreptitiously records incoming and outgoing phone calls, allows the purchaser to intercept calls in real time without the knowledge of the smartphone user; allows conversations in a boardroom or bedroom to be recorded without the knowledge of the smartphone user, allows incoming and outgoing email, SMS (text) messages and voicemail to be recorded and read; steals the user’s contact list, photos, videos and appointments.
 
StealthGenie works through a commercial server. StealthGenie used Amazon Web Services located in Ashburn, Virginia. All the intercepted information from StealthGenie is stored on Amazon’s server.
 
Hammad Akbar and his employees are Pakistani citizens and Akbar lives in Lahore. The chances of catching up with him are precisely zero. Amazon is not a defendant in the case, although clearly Amazon Web services facilitated StealthGenie operations.
 
The US government view is this kind of APP is an “interception device” under US Code and Federal Rules of Civil Procedure and the sale, marketing, advertising of mobile spying applications is illegal. The US Attorneys evinced specific concern that the spread of this kind of APP would help stalkers, although as the Complaint says, the product was advertised as a means of dealing with spousal cheating, which according to StealGenie’s owners, a company called InvoCode Pvt. Ltd., constituted 65% of the purchasers of the APP.
 
This is the first case brought in a Federal court against spyware APPS. It is unlikely to ever be successfully prosecuted, so the civil Complaint really amounts to a warning to others who make similar products.
 
Today there are hundreds of companies in all parts of the world producing products that resemble StealthGenie. These products are available on the Internet. Some of them are free; others can can be purchased. The simplest of them require physical access to the target’s phone to install the malicious APP. More sophisticated stealthy spyware can get downloaded on a phone without the need for physical access. One way is to embed the spyware into a legitimate product and offer it to the user. Another is to plant a Trojan or other bug in the hardware of the device. Recently some Chinese phones have been found to have built in spyware. There are plenty of other techniques available for professional spies. StealthGenie was meant for amateurs.
 
Whether the government’s legal argument is sound is less than clear. There are many cases where intercept software can be sold where its use is legal. Two examples come to mind: the sale of intercept software to law enforcement and government; the sale of intercept software to business. Business has a right to monitor its employees, and this right has been generally supported in US courts. This right extends to smartphones, computers and other electronics (such as GPS trackers). It would seem, therefore, that if StealthGenie advertised its APPS for certain business spying, there would not have been any grounds for an indictment.
 
Another use of spyware APPS is for parents monitoring children. The US Government Complaint does not address this point. But, again, if an APP is advertised for this purpose, is it legal?
 
Spyware is also extensively used by companies spying on their competitors. Certainly this is not legal, but the government has not bothered to act on such spying? Why?
 
One thing is certain, the government’s action, no matter how well-intentioned, misses the mark in important ways. The widespread spying going on in our society, some of it easily accomplished by monitoring social APPS like Facebook and Twitter, is a real scourge. So too is the monetization of personal information by many of the tech-giants, who are making a fortune exploiting our privacy. We have a very long way to go before any of this is brought to a halt.
Tagged , , , , , ,

What Dura Europos Means to Jews and Christians

The ancient city sits ninety meters above the Euphrates river.  Known in ancient times as Dura Europos, its history spans the most important time for change and strife for Jews and the formative period of Christianity.  Dura Europos (the nearest Syrian village is Salhiyé ) is now under ISIS control.  ISIS has put diggers there who are pick pocketing the artifacts of the city and selling them to brokers on the spot.

Dura Europos has three sanctuaries, a synagogue, an early Christian church and a Roman temple.  The city was founded by the Seleucids in 303 BC.  It would be captured by the Romans in 165 AD  who held it until 256 or 257 AD. Established as a trade hub for caravans and river traffic, Dura Europos also was a melting pot of culture and a place of religious ferment.

The period between from 303 BC to 250 AD marks a time of great change in Judaism and Christianity.  It is the period of struggle between the Roman occupiers and Jewish zealots who believed the Romans were polluting the Temple and undermining religion.  It is a period where notions of a savior took hold in both the Jewish and Christian communities and where it was not always possible to distinguish between Christians and Jews.  In the finds at Qumran (popularly known as the site where the Dead Sea scrolls were discovered) we can get an extraordinary insight into the religious fervor, the striving for purity, the anticipation of a messiah, that became the core idea of Christianity.

Of particular importance is the work of the prophet Ezekiel. He was Ezekiel ben-Buzi, who lived in exile in Babylonia between 593 and 571 BC.  Ezekiel’s writings were modified and added to many times, so it is uncertain what truly belongs to him and what his successors added over the years.

Chapter 37 by Ezekiel is most famously known as “dry bones.”

The hand of the Lord was on me, and he brought me out by the Spirit of the Lordand set me in the middle of a valley; it was full of bones.  He led me back and forth among them, and I saw a great many bones on the floor of the valley, bones that were very dry. He asked me, “Son of man, can these bones live?”

“I said, “Sovereign Lord, you alone know.”

” Then he said to me, “Prophesy to these bones and say to them, ‘Dry bones, hear the word of the Lord! This is what the Sovereign Lord says to these bones: I will make breath enter you, and you will come to life.  I will attach tendons to you and make flesh come upon you and cover you with skin; I will put breath in you, and you will come to life. Then you will know that I am the Lord.’”

” So I prophesied as I was commanded. And as I was prophesying, there was a noise, a rattling sound, and the bones came together, bone to bone.  I looked, and tendons and flesh appeared on them and skin covered them, but there was no breath in them.

Then he said to me, “Prophesy to the breath; prophesy, son of man, and say to it, ‘This is what the Sovereign Lord says: Come, breath, from the four winds and breathe into these slain, that they may live.’”  So I prophesied as he commanded me, and breath entered them; they came to life and stood up on their feet—a vast army.”

“Then he said to me: “Son of man, these bones are the people of Israel. They say, ‘Our bones are dried up and our hope is gone; we are cut off.’  Therefore prophesy and say to them: ‘This is what the Sovereign Lord says: My people, I am going to open your graves and bring you up from them; I will bring you back to the land of Israel. Then you, my people, will know that I am the Lord, when I open your graves and bring you up from them.  I will put my Spirit in you and you will live, and I will settle you in your own land. Then you will know that I the Lord have spoken, and I have done it, declares the Lord.’”

These verses speak for themselves and it is this vision that takes hold and dominates Qumran and early Christianity.

Remains of the Dura Europos Synagogue

The incredible Dry Bones mural from Dura Europos

Civilization is possible thanks to historical memory, and the artifacts of the past intensify and validate the integrity of our culture and give proof that our beliefs grow out of the struggles of our forbearers.  We cannot describe in words what we owe to them, but when they leave behind remnants of their vision it moves us spiritually and emotionally.

The Dura Europos synagogue is now threatened as never before by ISIS.  What a tragedy for all of us if we lose this precious symbol of our religious heritage.

Losing the Cyber War: How to Get Out of the Box and Win

by Stephen Bryen

The United States is losing the cyber war.  Despite hugely increased expenditures on cyber security, every day the situation worsens and we continue to fall behind.  As I write there is no government or military website that has not been hacked and vital information stolen. It is not just the government –banks, health care systems, financial transactions, credit card data, identity theft, social security numbers, legal briefs, strategy documents, corporate secrets, intellectual property –the list is nearly endless.

When you are in a war you look for metrics to understand just how well you are doing and what the conflict outcome will be. An Army general surveys the battlefield, estimates his resources, evaluates his technology, and decides on his strategy.  If the general believes he will lose the war, he tells his political leaders and waits for guidance.

There are four possible outcomes in a war: fight to win; fight to a stalemate of some kind; negotiate with the enemy; surrender.

Looking at the current state of affairs in the ongoing cyber war, we can reach some conclusions.

Firstly, right now we cannot fight to win because we do not have either the troops or the technology to win.  No one has figured out a satisfactory offensive strategy other than to convert cyber war into a traditional war.  This is impractical and no one is really willing to go down this path (other than to threaten some sort of offensive cyber warfare).

Secondly, there is no stalemate in cyber warfare available to the United States.  One of the most serious potential threats, China, is too important economically and politically to be seriously challenged. Beyond China there are plenty of other cyber war makers, as in Russia, Iran, Syria and even hackers embedded in countries around the world.   While the US and some of our friends have tried to prosecute some hackers, the triumphs are few and far between.  None of the threats are under sufficient pressure to stop hacking; in fact they are more emboldened than ever.

Thirdly, there is no one to negotiate with today.  Attempts have been made to talk to the Chinese; they deny everything and blame the US for spying on them.

This leaves the surrender option, but unlike territorial war, there is no one to surrender to so we face the prospect of going on losing.  Our critical infrastructure is exposed, our government is losing control of its systems, and our military is watching as its command and control and its vital technology spills out through the back end of its networked systems or through its industrial partners.

Throwing more money at “the problem” is not a panacea.  Our government, military, and critical infrastructure cannot continue running around like chickens with their heads cut off.  That is the sum of what is happening today.

The entire infrastructure of information technology is based on mostly an open architecture approach to computer systems and network infrastructure.  That is conducive to a fairly rapid spiral development of new commercial technology. Unfortunately, the commercial approach downside is that security plays second or third fiddle to the push for bagging commercial dollars from investors and customers alike.

It is very well known that spending money on security does not “produce” anything, so putting money and resources into security systems is resented by investors and corporations, even by individual users who often chafe under security restrictions and operational limitations.

The commercial computer space is heavily tilted toward entertainment and not to business or industry, No where has the entertainment element enjoyed more success than in mobile devices such as smartphones and tablets; for the most part there is not even a pretense of security in these systems.

We have to recognize that the entertainment function of computer systems and networks, mobile and fixed, is a fact of life. Where we go wrong is to use the same operating systems and network support for entertainment as we do for government, business, and the military.  Adding to that, the same underbelly developmental system, a global collection of non-vetted persons and risky manufacturing locations, adds to the conundrum.

A great indicator of the collective mindset today is shifting everything over to so-called cloud systems, even where we don’t have the slightest idea of how these clouds are managed or how easily they can be compromised.  The Pentagon, which obviously knows better, is today endorsing cloud systems that are big risk, just as they are supporting mobile platforms that have been hacked to death.

It is time to break free from the open source globalized approach when it comes to government, military and critical infrastructure mobile and fixed computers and networks.  Instead of wasting billions on hopeless security “solutions” while we continue to fall behind in the cyber war battle, is senseless, wasteful, frustrating and demonstrates bad leadership and hopeless management.  Let’s stop.

What we need a an American secure operating system and an American secure network environment built in a trusted environment by reliable people in safe manufacturing locations.  Not in China.  Not offshore.  Here.

The talent to do this surely exists, it is just being wasted today on “other” projects.

A Strategic Plan would look like this:

1. Replace all critical infrastructure operating systems and networks with a US developed secure operating system in three to five years.

2. Assure that connectivity outside of the secure environment is carried out separately from vital secure computing.

3. Impose the massive use of encryption and truly protected authentication on the new secure operating system.

4. Make sure all OS and Secure Network users are properly cleared and vetted.

5. Put in place a compartmentalization system based on need to know and create a series of decentralized and regulated security centers to make sure the thresholds on need to know and a permission based environment are carefully maintained.

6. Do not use any equipment made outside the United States in the critical infrastructure.

7. Create a T&E center to check all hardware, firmware, software with independent auditors and engineers.

8. Create a Red Team to constantly try and break the system, point out vulnerabilities, and fix them immediately.  The Red Team should be large and heavily incentivized to find problems.

9. Never, ever, share the US system with anyone outside the US.  Make sure that the technology is controlled fully by the US government.  And design the system so that if a piece is lost, it can be deactivated remotely and never be useful to an adversary or enemy.

10. Make sure the intellectual property, the technology developers, the Red Teams, and the system of compartmentalization are secret.

Clearly we cannot continue to run our country when there is global knowledge parity of computer systems, hardware and software we use and where most of our critical products are produced outside the US, especially in China.  Nor can we sit around and wait for the inevitable collapse of our military command and control, electrical grid, transportation network, banking services or our health care system.

The above proposal sets a direction for a solution.  We can win the cyber war.

Tagged , , , , ,

Give Me $46 Billion and I will Build a Safe Computer System

ABI Research estimates that cyber security spending on the critical infrastructure was $46 billion last year. The largest part of these dollars was spent in the United States.

2014-09-05-pptLower.PNG

Meanwhile, in the United States, Federal government agencies have stepped up their efforts to improve cyber security protection. The Pentagon is tripling its staffing of cyber security professionals even while critical defense programs are being cancelled or curtailed. By 2016, the Pentagon should have 6,000 cyber professionals at work. In a boastful speech describing the Defense Department’s investment in cyber, Defense Secretary Hagel says they are on the way to building “a modern cyberforce.” To back up his words, the Pentagon announced last June that by 2018 the Pentagon planned to spend $23 billion on cyber security.

The Defense Department also created a United States Cyber Command (originated in 2009) which is located at Ft. Meade, Maryland, the home of the National Security Agency. The Cyber Command (officially USCYBERCOM) is headed by a Navy Admiral, Michael S. Rogers, and is subordinate to the US Strategic Command. Strategic Command involves space operations (such as military satellites), information operations (such as information warfare), missile defense, global command and control, intelligence, surveillance, and reconnaissance , global strike and strategic deterrence (the United States nuclear arsenal), and combating weapons of mass destruction. Thus USCYBERCOM is part of the Defense Department’s most sensitive organization that includes control over America’s strategic nuclear missiles.

But despite this massive spending and the hiring of thousands of security professionals, the United States has thus far failed to protect government agencies, the rest of the critical infrastructure of the United States, regular businesses, and personal security. Despite the billions sunk into the effort each year, none of the investment has stopped the Russians, the Chinese, the Iranians, the Syrians, or the tens of thousands of hackers from pounding America’s computer networks. To date there have been massive hits against government computer systems, health care systems, banking and finance, power companies including nuclear facilities and energy companies, and defense companies. Vast amounts of information have been either stolen, overwritten or mutilated by hackers. Today no one can be sure whether our communications are safe, whether the lights will stay on, whether our early warning systems will function. Instead of curtailing the threat, every evidence points to its escalating out of control.

Has anyone bothered to ask why this is so? Now, our leaders, bureaucrats and their academic and industry advisers keep telling us they need to spend more, and like Pavlov’s dogs, when the bell rings, they appropriate more money to fight the threat.

If you have a spare $46 billion laying around there is an answer to computer security. But the answer will not be found in any Federal government plan. All of them are, like Hans Brinker, trying to stick their finger in the leaking dyke.

The reason is easy to discern. All computers, including all mobile devices, operate on open systems that were developed by countless software engineers worldwide. The computer industry and its allied software development is a global industry that is totally insecure. You don’t know who writes the code, the level of competency, the degree of security training, the level of auditing and internal testing for vulnerabilities, or whether some of the engineers are owned by foreign intelligence services or are promoting various ideological causes. Even in the United States, major companies such as Microsoft, Apple, or Google are run by nameless developers who come from a plethora of places (including lots of foreigners). These companies have no ability to properly vet their employees, nor do they have any real incentive to do so.

What makes matters even worse is that we have grown a security industry, already embedded in government and in corporate America, that feeds off the vast amounts of money being thrown at the computer hacking problem. To be frank, these folks have a vested interest in insecurity, because insecurity fuels their budgets. And even if the majority of them are sincere and want to help, their efforts will always fail.

The brilliant Pentagon, which is supposed to know what it is doing in cyber matters, has hired Amazon to provide “cloud” services for Pentagon information and data. The Pentagon has also cleared Samsung (a Korean company), Apple (an American company) and Blackberry (a Canadian company) to provide mobile phones for top Pentagon employees. These Pentagon decisions are intellectually defective and demonstrate that throwing billions of dollars at a problem may only compound the issue. Who clears the people at Samsung, or Blackberry, Apple or Amazon? A lot of folks in Hollywood right now, who stupidly “trusted” Apple’s cloud service, now find their naked bodies (and more) posted on the Internet.

The truth of the matter is that public systems and “open source” software are the real danger. Give us $46 billion and we can fix the problem, at least for the Pentagon and the critical infrastructure by building a truly secure, totally encrypted system that is self contained and invulnerable to hacking. To be safe you must eliminate all open source, public systems for government and critical business enterprises.

Right now you cannot buy a safe operating system because no one has invested in one. That investment is absolutely necessary for our survival and our security, not to mention the protection of our freedom and democracy. Open source public systems will always trample on human rights. They are sources of constant abuse by our enemies.

Let’s face it. The US government made a huge mistake when it decided to rely on public systems for critical communications and data storage. When you think that almost all the hardware is made in China and the folks producing these systems are everywhere around the world, you can see the enormity of the security disaster before us..

Given the destabilizing events around the world, the risks to American vital defense systems and critical infrastructure are reaching the tipping point. It is urgent for our leaders to recognize the nature of the threat and implement a radical change in our computer networks and systems. The Pentagon, DARPA, CYBERCOM, NSA and everyone else involved have a responsibility to figure it out and not just play dumb

PLEASE NOTE: This article, written by Stephen Bryen and Rebecca Abrahams was published on September 5, 2014 in the Huffington Post.  

http://www.huffingtonpost.com/rebecca-abrahams/give-me-46-billion-and-i_b_5773316.html 

 

 

Tagged , , , , , , , , ,

Is China’s New Computer Operating System a Threat?

by Stephen Bryen and Rebecca Abrahams

Originally appeared in the Huffington Post at http://www.huffingtonpost.com/rebecca-abrahams/is-chinas-new-computer-op_b_5738068.html

China has announced it will introduce a new computer operating system in October to replace Windows. Already deeply embarrassed and unhappy over alleged spying on its computers by the US Government, China has vowed to take action.

2014-08-29-_77158751_7e1c290b038944588753fb1fda1d8075.jpg
Its first step was to stop government agencies from using Microsoft’s most recent Windows 8 on their machines. But its latest project, to replace Windows altogether puts China into a new category as challenging US dominance in the ultra-sensitive computer operating system league. Controlling computers today is part and parcel of political power, and China understands this. That’s why China is not only replacing Windows, but it wants to get rid of Apple’s iOS and Google’s Android too.

China has three related opportunities and can be expected to exploit all of them.
The first involves better controlling China’s domestic computers and mobile devices by regulating through the operating system what users can, or cannot, do. China is likely to achieve this through a strongly controlled computer software registration system managed not by Microsoft, Google or Apple but by the Chinese government.

China will gain many benefits. It will have tens of millions of users virtually on launch, and it will control all access by being able to directly regulate software and applications that run on its approved operating system. Likewise, China will likely build in some sort of encryption system linking computers to the Internet, which will create problems for any outside organization to penetrate. And China will stimulate development of domestic software alternatives to Western software products. China will also gain vast experience in how to manage an operating system evolution, how to fix vulnerabilities, how to add features, and how to support software in the field. This will grow a domestic industry that will rapidly mature and will benefit the Chinese state.

Beyond its domestic market, China will be able to look to introducing its software in the global market. China can find a number of opportunities to spread its operating system in many parts of the world. For example, it could potentially challenge both Microsoft and Android computer laptop platforms by offering a cheaper and stronger operating system to users. Price is a big factor in low end laptops and netbooks. China controls most computer manufacturing today. Put an operating system on top, especially one that is open enough to support popular software and social networking products and China could well have a winner. Of course, China’s commercial OS will be different from the one it promotes internally, but this can easily be handled especially if registration and OS downloads are managed by a location-sensitive server.

A third an even bigger opportunity for China is to team with a non-American foreign company to offer an “independent” operating system to customers. This may prove to be attractive to a European partner because the Europeans are quite unhappy with American spying, and they have far less concern, if any, about China than America has. There are plenty of large European companies who are, in the IT world, always playing second fiddle to the U.S. Here is a great chance for them to get ahead. And they can do it on the cheap, since the software investment will be heavily China’s operational and financial responsibility.

Where does this leave US companies? Certainly China will emerge as a heavy weight challenger to the likes of Microsoft, Google and Apple. But it is not just US companies that matter here. The loss of control over where operating systems come from could pose a security challenge for America’s intelligence agencies that will be formidable and hard to overcome. While that is still in the future, it would be foolish not to prepare ourselves for the problems on the road ahead.

Tagged , , , , , ,

Deep Panda: Chinese Leaders Want to Reap the Benefits of Cyber Spying But They Will End Up Depressed

by Stephen Bryen

China shifted its focus from spying on the countries around China to spying on Iraq according to cyber experts who follow Chinese hacking. Called “Deep Panda” it appears China’s leaders were trying to figure out what the United States was going to do about the Iraqi situation after ISIS seized over a third of Iraqi territory. To get answers, the Chinese Deep Panda folks targeted the top strategic think tanks in Washington to try and get answers.

It has long been the case that China’s “official” hackers targeted U.S. government organizations and institutions. But focusing on Think Tanks is something that is, apparently, new.

One presumes that the Chinese wanted to read the emails, texts and opinion pieces of the experts to try and estimate America’s strategic posture to Iraq. While we don’t know the Think Tanks the Chinese targeted, it is likely they chose the ones they feel are most closely aligned with the current administration because their experts would have close ties to Obama’s National Security Council, Pentagon, CIA, State Department and, possibly, to other “insiders” who use the Think Tanks as sounding boards.

Foreign governments with representation in Washington generally devote a lot of effort to gleaning policy information, and it is easier for them to talk to outsiders in Think Tanks then to get appointments with actual decision makers. China, like Russia, and all the friendlier countries (UK, Japan, Israel and many others) collect information and send it home.

But China opted for collecting information by hacking, than by meeting Think Tank specialists. Why?

By relying on a secret operation to steal information China’s leaders probably thought they might find out much more than Think Tank specialists were willing to tell them. China is not in good odor today, even with the liberal Think Tanks that support Obama. That’s is because China is a growing power and increasingly a threat to American interests, of course. But the bigger reason is that China’s increasingly poor track record on human rights and freedom is offensive both to liberal and conservative thinkers in Washington. If a Chinese official, even one who approaches a Think Tank as an ostensibly independent academic, seeking information is likely to find himself or herself accosted about complaints of China’s behavior against dissidents and minorities. From China’s perspective, this means low productivity in garnering needed information. Thus there is good reason to believe that China needs to steal information because it cannot get it through “normal” channels.

China almost certainly has been following the contacts of Think Tank experts with administration officials for years. China maintains a sophisticated cyber-hacking capability with all the latest technology. The incorrigible sloppiness of Americans toward their own security is certainly well known to the Chinese, and it goes without saying they exploit it. The blabbermouths on cellphones, Twitter, Facebook, LinkedIn and everywhere else not only provides timely information on specific policy subjects to the Chinese, but they can very easily connect the dots and figure out who is connected to whom and which relationships are the most productive ones to follow. A Think Tank leader, therefore, will be known by much more than what he or she says; the Chinese will know his best connections, his reliability as a source, and his influence in decision making circles. The rapid shift of operational hacking resources to find out about Iraq, therefore, was quite easy for the Chinese, because they already previously mapped the network and only needed to probe more deeply and urgently to get answers to specific questions they had.

China is a relatively big industrial player in Iraq. Iraq is China’s fifth-largest overseas oil supplier, behind top producer Saudi Arabia, and China as an imported oil consumer is larger than the United States. Unlike the United States, however, China has no military capability of any significance in the Middle East and cannot assure either the stability of oil-supplying regimes nor can they protect the sea lines of communication (SLOC) that bring the oil to China’s refineries. Ironically, while China is in the midst of a significant military build up challenging U.S. interests in Asia, China is depending entirely on the U.S. for its vital oil supplies. While Americans don’t recognize it, a big part of our defense budget directly benefits China in this way while, at the same time, China is assiduously stealing American defense secrets in an unparalleled, brazen manner.

While China could live without Iraq’s oil, and can afford even to lose the $3 billion or so it has invested in Iraqi oil projects, the main Chinese interest is the risk that an out of control Iraq will lead to a general political collapse even beyond Iraq’s borders. A blow up in Saudi Arabia, for example, would create chaos in China and might well spell the end of China’s neo-Communist government.

This is the same threat that, naturally, concerns the U.S. and its European allies. But, if the Chinese have been listening carefully, as they have, they won’t be very happy with what they are hearing through their hacking channels. Right now any effective military response by the United States seems rather unlikely, and it is complicated even further by the foolish moves by the administration to try and use the Iranians and Syrians as proxies (along with Hezbollah) to bail them out of the ISIS onslaught. All this moronic move will achieve is to further frighten Saudi Arabia and push them into ISIS’s outstretched but wicked arms.

In short, China’s leaders have good reason to be depressed. America is not coming to their rescue on a white horse. And China has made almost all the wrong bets in the Middle East.

Tagged , , ,

Is the Supreme Court Cellphone Decision A Bad Decision?

By Stephen Bryen
 
The Supreme Court decision on cellphones, Riley versus California, may seem like an open and shut case because the Court unanimously found that when a person is arrested a cellphone may not be searched without a warrant.   But the seemingly unanimous decision may have more fissures and cracks than most people think, and it is far from certain that in the long run that the much touted “victory” for privacy will, in fact, be sustained either by the Court itself or by Congress and State legislatures.
 
The essence of Riley versus California, and a companion case, U.S. versus Brima Wurie, is that an arresting officer or officers cannot search a person’s cellular phone without obtaining a warrant.  Riley was stopped by a police officer driving with expired number tags.  When stopped the officer found that Riley also had a suspended driver’s license. The car was impounded and searched and guns were found hidden under the car’s hood.  A search of the cell phone turned up a connection between Riley and a street gang and photographs of Riley standing in front of a car that was involved in a shooting a few weeks earlier. Riley was charged, among other things with attempted murder and was convicted with a 15 years to life sentence.  His appeal was based on the fact that the search of his cell phone violated his Fourth Amendment rights.
 
Wurie was picked up in a routine surveillance where the arresting officer thought that a drug sale was taking place.  Wurie had two cell phones that were searched and this led to a location and photos.  The search of the location, an apartment, yielded crack cocaine, weapons and drug paraphernalia.   Wurie was convicted of distributing drugs.  The search of the apartment was covered by an appropriate warrant.  Wurie got 262 months in prison but appealed that the information improperly taken from his cell phones should have been suppressed.
 
The Court needed to consider whether, in fact, the Constitutional rights of the two litigants were violated.  In the Riley case, the decision by the Supreme Court probably frees Riley from a 15 year to life sentence.  In the case of Wurie, he could not be convicted of selling drugs because of lack of proof and would need to be released.
 
It follows, therefore, that the Supreme Court decision in these two cases has a profound impact on law enforcement, and even though the Court reached a unanimous decision, there are a host of problems embedded in the decision, including the danger to society of releasing criminals from jail.
 
The Court did not say that cellphones cannot be searched.  What the Court said is that you need a warrant, in most (but not all) cases before a phone can be searched.
 
Warrants are issued based on probable cause.  The arresting officer or his superiors needs to convince a judge to issue a warrant.  Warrant requests are rarely denied, although a judge may try and narrow the scope of the warrant in certain ways or ask questions before a warrant is issued.  In a Texas case last year Federal Magistrate Judge Stephen Smith in Houston denied a request by the FBI to remotely hack a computer by planting spy software on it.  His action did not completely block the FBI, but it created legal a problem because the Judge wanted to know how to supervise the collecting of information obtained in this way to make sure it was pertinent to a case said to involve alleged bank fraud and identity theft.  Among other things the FBI wanted to remotely control the computer’s webcam. 
 
The Supreme Court, in its unanimous decision, also recognized that there were circumstances when a warrant might not be needed at all when a phone was seized.  For example, the Court noted that if there could be information on a phone that would warn officers of impending danger from associates of the person arrested, the phone could be searched.  This “concession” is a mess for law enforcement.  If they search a phone without a warrant feeling there is an impending danger and find nothing, are they guilty of an illegal search? What is to be done with evidence they may find of criminal activity, but not anything threatening of law enforcement officers?  What if the threat was to the public –e.g., a terrorist attack or other plot against either individuals or groups or sensitive locations? Must the officers abandon this information?  And finally, if they find evidence of criminal activity but not of impending threat to the officers, have they conducted an illegal search and must they abandon any prosecution based on such evidence?
 
In respect to certain categories of crime, murder, terrorism, kidnapping, rape –the Court needs to revisit its decision.  When serious threats are involved, law enforcement should not have to wait for a warrant.  This, it seems, is what Justice Samuel Alito was trying to get at in partially concurring with the other Supreme Court Justices in deciding these cases.  There is little doubt that Justice Alito was uncomfortable and he urged (State) legislatures to enact legislation that draws reasonable distinctions “based on categories of information or perhaps other variables” because, as he says, cell phones pose “new and difficult enforcement problems.”  Justice Alito warns against “using the blunt instrument of the Fourth Amendment” in deciding these matters and points out that the Supreme Court “is poorly positioned to understand and evaluate” these matters.
 
Justice Alito, unfortunately, did not follow through his logic and reach suitable conclusions that properly protect our society.  In fact, one can argue that the unanimous decision of the Supreme Court may create immense risks by creating confusion within law enforcement and in the courts which undermines civil protection and homeland security.
 
The truth is that the Supreme Court’s decision in these cases leads to less safety for citizens, even though its intent was to protect privacy.  The Courts need to recognize that there is a difference between privacy and criminality, and the level and type of threat needs to be part of any Court decision.  At the end of the day, these Supreme Court decisions, universally hailed as a good thing, are probably the reverse.
Tagged , , , , , , , ,
Follow

Get every new post delivered to your Inbox.

Join 1,811 other followers