Tag Archives: security

Saving the Critical Infrastructure

by Stephen Bryen

founder and former head of the Defense Technology Security Administration

I have been writing about cyber security for many years. I believe I have some credibility in this field. I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense. I also started and ran two cyber security companies, one in the 1990s called SECOM, which was the world’s first secure chat program, and currently Ziklag Systems, which markets secure mobile smartphones. Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America. My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks. And I have found it shocking that no one seems to know what to do about the menace.

Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.

Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks.  Nothing is safe.  Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.

The reason for that is easy to see. All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world. Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart. It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.

Add to this tremendous weakness the problem of SCADA systems. SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems. There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide. Once again, both the hardware and the software for SCADA are accessible to foreign regimes and terrorists as well as other rogue actors. It was the SCADA system that was at the center of the attack on Iran’s uranium enrichment centrifuges, where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb. What was done with the Stuxnet worm to damage Iran’s nuclear program can likewise happen to us.

Patching computer operating systems and fixing SCADA software won’t work. This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems. If patches worked, they would save us from attack. But the plain fact is that they may help a little, but not enough to stop a determined and resourceful adversary.

China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems that they won’t share with us. We should take a clue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.

Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems.  It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.

Above all we need a policy based on “win win” not on hopes and fictions we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.


The “StealthGenie” Complaint May Not Accomplish Anything

[Update: It turns out that police departments around the country have been giving out software so parents can monitor their kids’ computers, tablets and phones. This controversial spyware distribution flies in the face of the Justice Department’s StealthGenie indictment; in fact it makes Justice likely to lose the case if it is ever adjudicated. It is indeed strange that the DOJ failed to do its homework and seems to have taken a Don Quixote-like approach to the problem, leaving out most of the really bad stuff to go after one amateur.
See http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/ for one report on the matter.]

Two Assistant United States Attorneys, Kevin Mikolashek and Jay Prabhu, have filed a civil Complaint (Civil No. 1:14-ev 1273) against Hammad Akbar for selling a spyware product called StealthGenie. StealthGenie is an APP that works on a variety of smartphones. The APP surreptitiously records incoming and outgoing phone calls; allows the purchaser to intercept calls in real time without the knowledge of the smartphone user; allows conversations in a boardroom or bedroom to be recorded without the knowledge of the smartphone user; allows incoming and outgoing email, SMS (text) messages and voicemail to be recorded and read; and steals the user’s contact list, photos, videos and appointments.
 
StealthGenie works through a commercial server. StealthGenie used Amazon Web Services located in Ashburn, Virginia. All the intercepted information from StealthGenie is stored on Amazon’s server.
 
Hammad Akbar and his employees are Pakistani citizens, and Akbar lives in Lahore. The chances of catching up with him are precisely zero. Amazon is not a defendant in the case, although clearly Amazon Web Services facilitated StealthGenie operations.
 
The US government’s view is that this kind of APP is an “interception device” under the US Code and Federal Rules of Civil Procedure, and that the sale, marketing and advertising of mobile spying applications is illegal. The US Attorneys evinced specific concern that the spread of this kind of APP would help stalkers, although, as the Complaint says, the product was advertised as a means of dealing with spousal cheating, which according to StealthGenie’s owners, a company called InvoCode Pvt. Ltd., constituted 65% of the purchasers of the APP.
 
This is the first case brought in a Federal court against spyware APPS. It is unlikely to ever be successfully prosecuted, so the civil Complaint really amounts to a warning to others who make similar products.
 
Today there are hundreds of companies in all parts of the world producing products that resemble StealthGenie. These products are available on the Internet. Some of them are free; others can be purchased. The simplest of them require physical access to the target’s phone to install the malicious APP. More sophisticated stealthy spyware can get downloaded onto a phone without the need for physical access. One way is to embed the spyware into a legitimate product and offer it to the user. Another is to plant a Trojan or other bug in the hardware of the device. Recently some Chinese phones have been found to have built-in spyware. There are plenty of other techniques available for professional spies. StealthGenie was meant for amateurs.
 
Whether the government’s legal argument is sound is less than clear. There are many cases where intercept software can be sold where its use is legal. Two examples come to mind: the sale of intercept software to law enforcement and government; the sale of intercept software to business. Business has a right to monitor its employees, and this right has been generally supported in US courts. This right extends to smartphones, computers and other electronics (such as GPS trackers). It would seem, therefore, that if StealthGenie advertised its APPS for certain business spying, there would not have been any grounds for an indictment.
 
Another use of spyware APPS is for parents monitoring children. The US Government Complaint does not address this point. But, again, if an APP is advertised for this purpose, is it legal?
 
Spyware is also extensively used by companies spying on their competitors. Certainly this is not legal, but the government has not bothered to act on such spying. Why?
 
One thing is certain: the government’s action, no matter how well-intentioned, misses the mark in important ways. The widespread spying going on in our society, some of it easily accomplished by monitoring social APPS like Facebook and Twitter, is a real scourge. So too is the monetization of personal information by many of the tech giants, who are making a fortune exploiting our privacy. We have a very long way to go before any of this is brought to a halt.

Is China’s New Computer Operating System a Threat?

by Stephen Bryen and Rebecca Abrahams

Originally appeared in the Huffington Post at http://www.huffingtonpost.com/rebecca-abrahams/is-chinas-new-computer-op_b_5738068.html

China has announced it will introduce a new computer operating system in October to replace Windows. Already deeply embarrassed and unhappy over alleged spying on its computers by the US Government, China has vowed to take action.

Its first step was to stop government agencies from using Microsoft’s most recent Windows 8 on their machines. But its latest project, to replace Windows altogether, puts China into a new category, challenging US dominance in the ultra-sensitive computer operating system league. Controlling computers today is part and parcel of political power, and China understands this. That’s why China is not only replacing Windows, but wants to get rid of Apple’s iOS and Google’s Android too.

China has three related opportunities and can be expected to exploit all of them.
The first involves better controlling China’s domestic computers and mobile devices by regulating through the operating system what users can, or cannot, do. China is likely to achieve this through a strongly controlled computer software registration system managed not by Microsoft, Google or Apple but by the Chinese government.

China will gain many benefits. It will have tens of millions of users virtually on launch, and it will control all access by being able to directly regulate software and applications that run on its approved operating system. Likewise, China will likely build in some sort of encryption system linking computers to the Internet, which will create problems for any outside organization to penetrate. And China will stimulate development of domestic software alternatives to Western software products. China will also gain vast experience in how to manage an operating system evolution, how to fix vulnerabilities, how to add features, and how to support software in the field. This will grow a domestic industry that will rapidly mature and will benefit the Chinese state.

Beyond its domestic market, China will be able to look to introducing its software in the global market. China can find a number of opportunities to spread its operating system in many parts of the world. For example, it could potentially challenge both Microsoft and Android computer laptop platforms by offering a cheaper and stronger operating system to users. Price is a big factor in low end laptops and netbooks. China controls most computer manufacturing today. Put an operating system on top, especially one that is open enough to support popular software and social networking products and China could well have a winner. Of course, China’s commercial OS will be different from the one it promotes internally, but this can easily be handled especially if registration and OS downloads are managed by a location-sensitive server.

A third, and even bigger, opportunity for China is to team with a non-American foreign company to offer an “independent” operating system to customers. This may prove to be attractive to a European partner because the Europeans are quite unhappy with American spying, and they have far less concern, if any, about China than America has. There are plenty of large European companies who are, in the IT world, always playing second fiddle to the U.S. Here is a great chance for them to get ahead. And they can do it on the cheap, since the software investment will be heavily China’s operational and financial responsibility.

Where does this leave US companies? Certainly China will emerge as a heavyweight challenger to the likes of Microsoft, Google and Apple. But it is not just US companies that matter here. The loss of control over where operating systems come from could pose a security challenge for America’s intelligence agencies that will be formidable and hard to overcome. While that is still in the future, it would be foolish not to prepare ourselves for the problems on the road ahead.

Obamacare and Belarus– Follow the Money?

Bill Gertz, one of the leading national security reporters in the United States, broke the story that the Obamacare web software was developed in part in Belarus. Belarus became an independent country in 1991. While on paper the country is supposedly democratic, in fact it operates as a kind of dictatorship where the military, police, government and media are controlled. The OECD calls the country “un-free.” The U.S. relationship with Belarus is somewhat strained, but Belarus has been a waypoint for supplies to the ISAF in Afghanistan.

Gertz raised the issue of possible backdoors planted in the software for the Obamacare system.  A backdoor would make it possible for personal information stored on an Obamacare site to be secretly collected by an intruder or hacker.  No one has yet determined whether the software provided has been corrupted, but as Gertz reported, U.S. intelligence agencies warned DHS of the potential risk and news reports say that DHS is investigating the HealthCare.gov web software.  In addition to the government web site, the same software is also being used by all American medical insurance companies and most medical facilities in the U.S.

There have been numerous reports and complaints that the Obamacare websites lacked security.  The lack of security is a major design flaw.  On top of the design problem, the system has been plagued with technical problems.  Sloppily made software can account for many errors, but clumsy backdoors inserted into otherwise operable software can also cause multiple points of failure when the system operates.

Why would software development be outsourced to a foreign country?  The reason is cost.  Belarus is a low cost provider of software services, with prices that are far below costs in the United States.

The U.S. government, when it writes a contract, agrees in advance on how services are priced. Usually the standard is provided by the GSA.

Below you will find a comparison of costs for software programming in Belarus and U.S. GSA pricing:

Average software development rates for Belarus in 2010 were:

  • 29 USD/hour – Project Manager
  • 26 USD/hour – Senior developer
  • 22 USD/hour – Middle developer
  • 18 USD/hour – Junior developer

GSA Hourly Rates

Applications Software Subject Matter Expert $141.41
Business Systems Analyst $65.66
Database Admin (DBA) $80.81
Desktop Support Engineer $50.51
ERP Software Subject Matter Expert $237.37
Help Desk Support $38.38
Junior SQA Engineer / Software Quality Assurance $39.39
Network Administrator $56.57
Principal Software Engineer $116.16
Project Manager $63.64
Release Engineer $111.11
Senior Business Systems Analyst $110.10
Senior Database Admin (DBA) $126.26
Senior Network Engineer $101.01
Senior Project Manager $116.16
Senior Software Engineer $85.86
Senior SQA Engineer $70.71
Software Engineer $68.69
Software Programmer/Analyst $80.81
SQA Engineer $50.51
Technical Writer $73.74

Clearly there is a huge difference between U.S. prices and those in Belarus.

The Obamacare website, developed by the company CGI, cost $630 million.   This is a staggering price, and could be one of the largest expenditures ever for any health insurance system.

The CGI contract was a sole source contract. After much controversy, CGI was fired and another contractor, Accenture, was hired for one year at $91 million. In all these contracts there was no competition and little or no visibility on the contract parameters. Thus, for example, we don’t know if the contract permitted subcontracting outside of the United States, and, if foreign contracting was allowed, we don’t know whether the contractor was still able to charge DHS at GSA rate levels.

One would think that the Justice Department, as well as the DHS Inspector General, should be examining the CGI contract and considering how charges were made for contract performance.

Don’t hold your breath on any investigation, though.  There is no sunshine in Obamacare.

Is Knox the Answer to Android Security?

Samsung is offering a special version of its Samsung IV Galaxy smartphone called Knox. Knox is targeted at the high-end financial, business and government communities. Does Knox solve the problem of smartphone insecurity and significantly reduce risk for its users?

What is Knox? Knox is a partitioned mobile platform running two operating systems, one for personal use and one for enterprise use, the enterprise (private) side being within a “container.”

There are other Knox-like partitioned mobile platforms either in the market or entering the market coming from other vendors such as LG, Blackberry, etc.  None of them have been around long enough to know how well they are engineered in relationship to multiple Android vulnerabilities and OS/Kernel weaknesses.

The Knox container has its own separate home screen, launcher, applications and widgets. All the data and applications stored in the container are said to be isolated. It is claimed that no application or process inside the container can interact or communicate with any process outside of it and vice-versa.

All files within the container are encrypted using the Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key.

Knox features are (1) Customizable Secure Boot, (2) TrustZone-based Integrity Measurement Architecture (TIMA), and (3) Security Enhancements for Android. Secure boot, the company claims, is the Knox-enabled device’s first line of defense, ensuring that only verified and authorized software can run at device bootup. TIMA monitors the kernel.

Knox depends on the user to carefully delineate use between partitions.  Knox does not protect the public partition. Knox runs an APP store for the private side that provides safe APPS for Knox.

Problems with Knox 

Ben Gurion University of Israel is located in Be’er Sheba, Israel

In the past two months there have been reports of vulnerabilities and flaws in the Knox system.

The latest report comes from the Ben Gurion University Cyber Security Laboratory in Israel. There, two researchers, Mordechai Guri and Dudu Mimran (the Security Laboratory Chief Technical Officer), claim that a hacker can easily intercept any data on the secure side of the Knox platform. The researchers also believe that professional hackers could actually modify the Knox platform, effectively compromising it by planting malware or spyware on the platform. In response a Samsung spokesperson said “Rest assured the core Knox architecture cannot be compromised or infiltrated by such malware.”

Until now, no one has explained how spyware, planted on the public side of the Knox platform, won’t seriously compromise the Knox user.

Researchers should look into two security problems that arise in a dual platform device.

The first problem is what happens if spyware is planted on the public side of the smartphone.  This is the “open” platform that is generally unprotected.  Spyware, or what is called a spy phone, can intercept literally any conversation and any transaction (email, text, video, photo) on the public side of the smartphone.  Professional spy phones can activate a phone’s microphones and cameras without the knowledge of the user and even if the phone is switched off.  Since among the data normally targeted by spy phones are calendars, the intruder knows when to activate the spy phone.  When the intruder does this, either he can immediately stream the information secretly back to his web address, or alternatively he can store it in a hidden folder and stream it back later.  In short, the user remains entirely vulnerable on the public side to spy phones and other malware.

The second problem revolves around the question of the use of hardware on Knox.  A smartphone consists of numerous sensors and transmitting systems including cameras, microphones, Bluetooth, WIFI, voice and data radios, etc.  When a Knox user is booted up on the private side of the phone, are the sensors and radios fully and securely controlled by the Knox platform?  If not, then a spy phone or other malware on the public side can take information from these same sensors being used on the private side of the platform.  This would facilitate spying on the private side as well as on the public side of the platform.

APPS for the private side of the Knox platform are controlled through a store run by Samsung. Experience with attempts to block malware on Android platforms by auditing APPS in places such as the Google store has been less than successful. One anti-virus company reported this past summer that some 1,200 APPS on the Google store over a 7-month period were malware. And these are the easy ones to detect. Really sophisticated malware is often embedded in legitimate programs. Because of the plethora of APPS available today, and the diversity of sources (APP production is truly a global enterprise), finding the “bad” ones is a challenge. If we learned anything from anti-virus software, the “bad” stuff is usually found after many computers are already infected. When you think of the small universe of enterprise and government users of a product like Samsung’s, the risk is exponential if a “bad” APP or “bad” modified APP infects the smartphone.

No one really knows if Samsung will be any more successful than Google in protecting APPS, yet this protection is critical under the Knox scheme.  If history shows us anything, one should not be optimistic or confident in the result.

Conclusion

The Knox system is an effort at a serious security system for an Android platform. Other companies, such as LG and Blackberry, are working on the same thing. While the jury is still out on Knox, there is no doubt there are many problems. It is unlikely either the U.S. government or enterprise customers will, as Samsung says, “rest assured” that Knox is safe.

How Did They Hack Merkel’s Phone?

by Stephen Bryen, Ziklag Systems

They didn’t tell us, and we did not ask, out of being polite we can assure you.  But we can certainly guess how it was done.   

There are both internal and external vulnerabilities in smartphones.  Let’s look at them. 

In regard to internal vulnerabilities, commercial smartphones (the majority of them manufactured in Asia) contain hardware, firmware and software combined with lots of sensors and radios. The operating systems of smartphones (such as iPhone, Android phones, Windows phones, Blackberry and the others) are designed to link the phone’s hardware, its sensors and its radios together. Most of the computer “code” is written to get the job done, but for the most part security plays second or third fiddle on commercial platforms. Indeed, there is so much social networking and connectivity demanded by smartphone users that the idea of putting in any kind of security perimeter for the smartphone platform is all but verboten. This makes it easy for intruders, thieves, private eyes, lawyers and governments to spy to their heart’s content. All they need to do is exploit some social APP (the technique is called ‘phishing’), plant some malware, or install a spy phone on the mobile device.

What is a Spy Phone 

A spy phone is specialized spying software that lives “in the background” on a smartphone.  An intruder or hacker controls the smartphone remotely meaning the phone itself can be switched on at any time without the screen lighting up, conversations can be recorded and surreptitiously broadcast, and virtually all the information on the phone can be hijacked. This means contact lists, emails, text messages, photos, videos and files can be grabbed at will. 

Spy phones vary in level of sophistication, but if you want to buy one you can find a commercial spy phone for every type of mobile phone and smartphone.  It is, of course, illegal to listen to someone’s conversations without their permission, but professional spy phone users, and a fair number of amateur sleuths, don’t worry about the legal nicety. That’s why in the U.K. there is a major phone hacking scandal which has to do with stealing text messages, emails, photos and voice mail messages.   

More than 100 major UK firms, not counting a number of newspapers, are said to have engaged in smartphone spying activities, usually working through cutouts (in the main private investigators).  This kind of spying either was for economic gain, efforts to compromise a person by learning about their private life, or for salacious reasons.  The fact that it was widespread and virtually out of control in the UK should forewarn us that the same is true in the United States. 

Chancellor Merkel’s Phone 

German Chancellor holds her mobile phone during the plenary session of the European Parliament in Brussels, 27 June 2007.

Angela Merkel has a smartphone, and she likely has APPS installed that please her. So one avenue of attack for an intruder is to plant spy phone software on her mobile. Is this what the German counter-intelligence services (probably the BND or Bundesnachrichtendienst) found? While this is total speculation, if they did, then they probably could “sandbox” Mrs. Merkel’s phone and pretty quickly figure out who was doing the listening. We don’t know that this is what happened, but some event certainly triggered Merkel to pick up the phone and complain directly to President Obama. These things, as one knows, just are not done. Gentlemen don’t read the mail of other gentlemen or women, to paraphrase Henry L. Stimson, former U.S. Secretary of War (before we decided we should only be for Defense and not for War).

External Spying and Intercepts 

The second way to break into a smartphone is external, that is, to intercept conversations. There are a number of ways to do this. One can create a false cell phone tower and intercept calls that way. This method, called IMSI catching after the International Mobile Subscriber Identity that is in every phone, is how calls can be grabbed from close proximity to the caller.

In our initial review we thought that “It is unlikely the U.S. used IMSI Catching.” Now Der Spiegel is reporting that the spying on the Chancellor’s phone, which may have gone on for more than 10 years, may have been run out of a U.S. installation in the German capital, a spying operation that was not legally registered with the German government. The location is about one mile from the offices of the Chancellor. This would put it in range for an IMSI catcher. Therefore the use of an IMSI catcher cannot be ruled out.

Another way is to get the cooperation of the telephone company or mobile phone company.  This works in your home country (as the NSA has proven by downloading all the metadata of the phones of U.S. citizens, and who knows what else) but it is not likely to have worked in Germany because the NSA is not in a position to twist the arms of German cell phone and telephone companies.  But it is possible, as an alternative strategy, to tap into trunk lines that carry calls over fiber optic lines.  It seems this is a major shared industry between the NSA and their UK counterparts in GCHQ.  While they might not get all of Merkel’s calls that way, they could get some of them. 

Most Likely Spying Method 

In short, NSA had plenty of options.  We would think the most likely one was to plant a spy phone on Chancellor Merkel’s phone, but it could also have been through an IMSI catcher.   

In Germany there are many who think Merkel should have taken sterner action when the first Snowden revelations about tapping German phones became public. They say Merkel is, in fact, now also a victim because she did not act.

The security company Secusmart and the mobile phone producer Blackberry presented their new secure smartphone - with the German eagle - to the Chancellor.

The plain truth is, of course, that the BND and other German security services were either sleeping at the switch or did not care.  Otherwise they would not have let their chancellor’s phone get compromised by NSA or by anyone else.


All Shook Up –National Security, the Patriot Act and PRISM

by Stephen Bryen

[The views are solely those of the author.]

The United States has been shaken up by the news of pervasive U.S. government spying that touches millions of American citizens.  The first swing of the bat was news that Verizon Business Services was providing on a daily basis a dump of all its land line and mobile metadata to the NSA as a result of a secret type of court order.  While the Verizon story was a leak, it is easy to figure that all the other Verizon phone services, and their competitors such as AT&T, Spring and T-Mobile (and the lesser players) are also coughing up their meta data.
Just as the Verizon story was peaking, another story hit the wires, also originating from the London Guardian.  This, much bigger story, said that pursuant to another court order, all the social media including VOIP favorites such as Skype, were being mass downloaded by the government.  All the stories about these channels being encrypted, turn out to be only partly the truth.  The encryption is not a problem, it seems, if you are inside the servers at Microsoft or Google or Amazon or any of the other players.  And NSA, according to its PRISM program (which was revealed by the Guardian) was clearly inside the servers.  Of course all the “biggies” immediately denied this: but the truth is that they are under a legal obligation to give such denials.
How does this come about?  Public officials, to the extent they will tell, say that the Patriot Act is the authority under which they may conduct surveillance of “suspected terrorists, those suspected of engaging in computer fraud or abuse, and agents of a foreign power who are engaged in clandestine activities.”  While terrorism is the explanation most often given, the mandate is much broader than that, and it is highly subjective.
In fact, the U.S. government has decided that, to maintain coherence in government and protect national security, the full-blown Patriot Act is an essential component.  We live in an age of rapidly proliferating Internet connectivity, social media and communications globalization.  In this exponentially growing sector, the survival of nation states may be threatened as never before.
Consider, first of all, the security of leaders in government and industry.  They live in a fishbowl where their every move can be tracked and every sentence they write or speak intercepted.  Not only that, but the actions of leaders can open important information doors for cyber thieves by outlining connections, such as relationships and alliances, that can be exploited.  On top of all this, leaders can be impersonated by impostors, fakers and “mal-verts.”  This can lead to significant mistakes, errors, frauds and disasters.
Consider also the security of technology and the protection of intellectual property.  Credible studies show that U.S. technology of huge value, estimated at some $300 billion annually, is being stolen.  The U.S. spends roughly $645 billion annually on defense, which includes all war spending and personnel costs.  About $128 billion of that is spent on procurement each year.  So the estimated annual theft is more than double what is spent on buying new defense equipment.  When you add what is being sucked out of the private sector, it is clear that preventing these crimes is, and must be, a priority if the country’s prosperity is to continue, its social compact preserved and its security safeguarded.
Finally, physical threats to America and American citizens are also a major worry.  The Patriot Act is concerned in the first instance with terrorism.  There is broad agreement that the United States is engaged in what is sometimes called the “long war” against terrorism.  It should not surprise that a significant part of the “long war” originates in radical Islam, which sees the United States as the Great Satan.  Attacks on Americans, and on American allies, are considered a religious duty.  Western values are off the table.  Attacks on churches, synagogues, airlines, communities and public places are part of the long war.  And the long war is on the verge of getting far worse, not better.  By setting a standard for viciousness and ferocity, the long war is being taken up outside Islam by other radicals and anarchists, right and left.  Fascism is again starting to spread in Europe, and anarchism is rising again in America.  Getting a handle on these threats and dealing with their broadening scope is a critical duty of government.  The Patriot Act sets the framework for this.
What we don’t know is whether the Patriot Act is being used fairly and honorably.  As it is set up today, there is no satisfactory way to prevent abuses, and it is fairly likely there have been more than a few.  If you can go looking for “foreign agents” and “spies,” you have a free hand to use these means to intimidate people and ruin reputations and careers.  There have been enough examples in recent years to make us wonder how often this occurs.
So if it is agreed that we need a Patriot Act, we should also put in place some independent safeguards.  Without them, there is a great risk that the system will run amok, out of control, sucking up information that will end up being used nefariously.  This can’t be 100% prevented, but Congress and the Administration need to figure out a way to put serious controls in place to stop abuse in its tracks and punish those who commit it.
The alternative could be public revulsion so great that the Patriot Act and the agencies it feeds will be changed significantly and our security the worse off.
by Stephen Bryen.  [The views are solely those of the author.]

Will China Stop Cyber-Espionage? Absolutely Not.

by Stephen Bryen and Rebecca Abrahams

No matter what President Obama and China’s President Xi Jinping agree this week, China will not stop cyber espionage.

China may decide, as a result of the upcoming summit meeting, to crack down on hackers who operate independently, or who moonlight for profit in the hours they are not working for China’s government or China’s military. That would be a bone thrown to lower the tension that has been building between China and the U.S. over cyber theft. But it won’t really make a big difference.

There are, roughly speaking, five kinds of cyber crime.

The first is based on vicarious hacking by groups of computer geeks who want to show off their prowess and gain bragging rights for successfully attacking important institutions and organizations. The “thrill” involved is to show how smart they are, how brilliantly they can defeat the CIA or the Pentagon.

The second group grows out of the first, but it has become ideological. Ideological hacking is hacking for a political purpose. Many of the ideological hackers are really anarchists in modern dress. This kind of hacking has been growing and is illustrated by phenomena such as Wikileaks and its leader Julian Assange, currently holed up in the Ecuadorian Embassy in London while wanted for questioning in Sweden over rape allegations.

The third type of hacking is “For Profit.” Information is stolen, bank accounts and money machines are pilfered, sometimes blackmail is used. For Profit hacking is not always separable from ideological hacking or from vicarious hacking.

Fourth is cyber crime against individuals and political groups carried out by governments. Sometimes this is pursuant to law and follows a legal process, but not always (even in the U.S. where phones can be tapped and computers can be invaded without a warrant or clearance by a court).

Fifth is cyber crime for national security reasons. This is a specialty of China. Recent information says that China is annually stealing $300 billion worth of national security information, much of which is weapons designs.

Why? There are essentially three reasons why China is doing this.

The first is that stealing the information is easy to do. There are hardly any credible barriers to scooping up defense information, government data, and the proprietary information of private companies.

The second reason is that there are no consequences. This is crime without punishment. And because China holds a large part of U.S. Treasury debt, the enthusiasm of U.S. government leaders to crack down is tempered by concern that our own economy would unravel if we push too hard. On top of that, a lot of our top industry people are making money in China.

And the third reason is that China cannot be a superpower without U.S. technology. There is very little innovation in China, despite large investments, the presence of foreign companies, a strong electronics industry, and a huge number of Chinese nationals educated abroad (subsidizing plenty of American graduate schools of engineering, science and cyber studies).

Taken together, this puts the U.S. in a bind. Lacking a credible strategy to confront the losses, the U.S. defense posture is at risk thanks to China’s thieves. And more and more companies will also feel the heat as China’s clones of their products swamp the U.S. market.

Meanwhile, one thing Xi Jinping will not do is allow China to be anything less than a superpower, so he must continue robbing the U.S. blind. And he will.

An E-Z Pass for Guns?

By Stephen Bryen

Instead of new draconian gun laws of dubious effect, consider the ubiquitous E-Z pass.

Like millions of other Americans, I pay a small monthly fee for my handy E-Z Pass transponder. It gets me through toll booths on highways, bridges and tunnels quickly and efficiently; it crosses State lines without interruption. For the most part, the E-Z Pass billing system is accurate and gives you a helpful record of your travels.

The E-Z Pass tag is a small radio transceiver that sits dormant until it is woken by a signal from the reader at the toll booth or toll lane.  It operates at 915 MHz and transmits at 500 kilobits per second.  It runs on a sealed battery that lasts for years, so the owner never charges or replaces it.  The specific E-Z Pass technology is proprietary, but transceivers for other applications have already been built.  Today, RFID (radio frequency identification) devices are embedded in credit cards, building passes, garage gate openers and Metro fare cards, to name just a few applications.

Can this technology be applied to guns and how would it work?

Putting RFID tags into manufactured guns and linking each tag to its owner is in fact simpler than the E-Z Pass system, because the tag can be embedded at the time of manufacture or, for guns already in circulation, added at very small cost. Putting reader antennas around schools, colleges, hospitals, sports stadiums and public buildings, for example, is not complex. Linking the readers to existing security systems is also reasonably straightforward and not expensive.

Consider this.  A person with a gun approaches an elementary school.  If the school perimeter contained RFID reader antennas, they could detect the tag in the gun, automatically lock down the school and warn school personnel that there is a potential threat.

Consider this.  At the entrance of the State Department there is a security check that includes an RFID antenna to find a gun.  Even if the gun is hidden or the magnetometer cannot find it, it is likely the RFID antenna will detect it.

Consider this. At the entrances to the Cherry Hill Mall in New Jersey, there are RFID antennas. If someone enters the mall with a gun, the security guards are immediately alerted.  The detectors are linked to PTZ (pan tilt zoom) cameras that can track the likely gun holder.

RFID technology can buy a lot of protection. It can be implemented quickly in new guns and existing registered guns.  It is low cost.  Its limit is equally plain: a reader only sees a tag that is present and answering, so a tag that has been pried out or wrapped in foil is invisible to it, which is why the readers belong alongside, not in place of, existing magnetometers and X-ray screening.
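A reader-side rule set for the three scenarios above, as an added example that is not from the original post or from any vendor.  The tag IDs, the registry, the zone names and the reader log format (timestamp, reader, tag) are all constructed; the five-second window for collapsing repeat reads of one tag at one reader is an assumption.  The `track` function shows the other side of the coin the E-Z Pass billing record hints at: a reader network is also a log of where each tag went.

```python
"""Perimeter RFID read processing (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed registry: tag ID -> (model, registered owner). Made-up values.
REGISTRY = {
    "TAG-00A1F3": ("Chiappa Rhino", "owner-1042"),
    "TAG-00B7C2": ("Glock 19", "owner-2210"),
}

# Constructed reader zones and the response each triggers on a read.
ZONES = {
    "school-north-gate": "lockdown",
    "school-south-gate": "lockdown",
    "mall-east-entrance": "alert",
    "state-dept-lobby": "alert",
    "parking-deck": "log",
}

# A tag answering the same reader again within this window is one event, not two.
DEDUP_WINDOW = timedelta(seconds=5)  # assumption

# Constructed reader log: timestamp, reader zone, tag ID.
SAMPLE_READS = """\
2013-01-10T07:58:02,parking-deck,TAG-00B7C2
2013-01-10T08:03:40,school-north-gate,TAG-00B7C2
2013-01-10T08:03:41,school-north-gate,TAG-00B7C2
2013-01-10T12:15:09,mall-east-entrance,TAG-00A1F3
2013-01-10T12:15:30,mall-east-entrance,TAG-FFFFFF
2013-01-10T18:22:11,parking-deck,TAG-00B7C2
"""


def parse_reads(text):
    """Yield (datetime, zone, tag); malformed lines are dropped, not guessed."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, zone, tag = parts
        try:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), zone, tag
        except ValueError:
            continue


def decide(zone, tag):
    """Response for one read, or None for a reader this system does not manage.

    A tag the registry cannot explain is escalated to an alert at any guarded
    zone: an unknown tag is exactly the case a guard should look at.
    """
    policy = ZONES.get(zone)
    if policy is None:
        return None
    entry = REGISTRY.get(tag)
    if entry is None:
        return ("log" if policy == "log" else "alert", "unregistered tag %s" % tag)
    model, owner = entry
    return (policy, "%s registered to %s" % (model, owner))


def process(text):
    """Turn the raw read stream into de-duplicated, decided events."""
    events, last_seen = [], {}
    for when, zone, tag in parse_reads(text):
        prev = last_seen.get((zone, tag))
        if prev is not None and when - prev <= DEDUP_WINDOW:
            continue
        last_seen[(zone, tag)] = when
        decision = decide(zone, tag)
        if decision is None:
            continue
        action, detail = decision
        events.append((when.isoformat(), zone, tag, action, detail))
    return events


def track(text, tag):
    """Where one tag has been seen: the travel record a reader network keeps."""
    return [(ts, zone) for ts, zone, t, _a, _d in process(text) if t == tag]


if __name__ == "__main__":
    for event in process(SAMPLE_READS):
        print(*event)
    print("path of TAG-00B7C2:", track(SAMPLE_READS, "TAG-00B7C2"))
```

The decision table is deliberately tiny: the response comes from the zone, the explanation from the registry, and the two are kept apart so that adding a reader or a gun never means touching the other list.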

In fact an Italian company called Chiappa Firearms has already introduced RFID chips in all its new guns.  While their press release is in Italian (http://www.tiropratico.com/Cinzia_Pinzoni/RFID_chiappa.pdf), they say that the chips are virtually indestructible and can be read by remote detectors in microseconds.

Putting protection around schools, for example, complements existing security systems and procedures and can be done quickly and probably within existing security and infrastructure budgets.

But isn’t the problem illegal guns?  Illegal guns are a major crime problem, but, as we just saw tragically in Newtown, legal guns are often the ones used in school shootings, workplace attacks and shootings in public places or at events.  For the most part, schools, colleges, malls, workplaces and public buildings have only limited defenses, or none, against legal or illegal guns, with the preponderance of the crime they experience coming from legal guns.

Thirty years ago, I served as Deputy Under Secretary of Defense for Trade and Security Policy, and Director of the Defense Technology Security Administration. Our offices became concerned with Glock pistols that were being made of synthetic polymers (a type of plastic).  The problem was that the “plastic” Glock might not be recognized by metal detectors or X-Ray machines in airports or in secure buildings.  The answer, which the Glock people accepted, was to add some metal powder to the plastic so the gun shape could be seen in an X-Ray machine and picked up by a metal detector.

The RFID tag is a modern evolution of the Glock idea, but with the advantage that it can provide early warning of danger.

In the coming months, the President and Congress are poised to consider new gun laws in response to the multi-victim tragedies of our recent past.  Many of the ideas currently advanced sound draconian, may violate the Second Amendment, and are unlikely to reduce violence committed with legally registered weapons.  An E-Z Pass-type solution wouldn’t reduce the likelihood of a violent attempt being undertaken by a mentally unbalanced or otherwise disturbed person, but it could very well protect innocent people from victimhood.

###

Dr. Stephen Bryen is President of SDB Partners, LLC based in Washington, DC
