The Iran Deal Will Help Russia Have a Stealth Air Force

by Stephen Bryen

The Iran deal will boost Russia’s arms industry and make it possible for Russia to replace its older aircraft with newer stealth models.

Thanks to the deal approved by the U.S., the allies and by Russia, the arms embargo on Iran will “officially” be lifted in 5 years. But the rush to sell arms to Iran has been on for some time and defense companies from Europe along with the Russians, Chinese and North Koreans have been flocking to Tehran offering their wares.

The biggest single need for Iran is fighter and bomber aircraft. There have been many reports that Iran has already made deals with China and Russia, but the big deals are still ahead of us. That’s because until now Iran did not have the cash. The nuclear deal is pouring cash into Iran, most of which will be spent on arms.

Iran’s Air Force is dilapidated. It has old F-4 Phantom Jets (64, the number in service not known), F-14’s (44 out of 80 remain in service) and F-5’s (60 out of 140 operational) from the United States. Iran has 30 MIG-29A’s of which 24 are in service and 24 Mirage F1’s that were evacuated from Iraq and never returned. Iran has some 20 Sukhoi-24 bombers and some Sukhoi Su-25’s both of which were formerly Iraqi aircraft. Reportedly Iran sent 7 of the Su-25’s back to Iraq to use against ISIS. Iran also has around 20 Chinese F-7M fighters it bought in the 1980s.

None of the aircraft in Iran’s inventory can stand up to US made F-15’s and F-16’s let alone deal with the F-22 or the forthcoming F-35. For Iran to claim regional power it must upgrade its air force radically. Most of all, to stay abreast it needs a genuine stealth fighter bomber.

That is why the lifting of the arms embargo is fortuitous for Iran, since it allows the Russians to offer their new Sukhoi PAK FA T-50 stealth fighter bomber. The T-50 is a fifth generation air superiority and attack aircraft that uses stealth technology, has a supercruise capability and is regarded as far more maneuverable than the F-22 or the F-35. In fact, the PAK FA T-50 is the Russian Air Force answer to the F-22.

The T-50 is not yet in production. There are many problems on the Russian side, but the biggest one is lack of cash.

That is why the Russians have been working hard to convince India to be the first international customer for the T-50. But the Indians have been taking their time, raising objections, criticizing the workmanship of the aircraft and have evinced alarm about the reliability of the T-50 engines. In turn this has created a major delay in the Russian ability to finance the T-50 for its own air force. Initial production has been delayed and pushed into 2016, with many experts suggesting it will be delayed even further.

Iran, therefore, can bail out the Russian Air Force by helping to finance the PAK FA T-50 program. Helping to finance based on future deliveries probably is consistent with the deal struck by the allies, since it is not quite a sale and the aircraft won’t immediately be transferred to Iran.

When the PAK T-50’s get to Iran, Israel, Saudi Arabia and Jordan will face a formidable problem. The Russian plane has the latest radars and weapons packages and its stealth will make it hard to defeat the T-50 with stand off weapons. The entire theory of the F-35, for example, is based on the idea of knocking the enemy out before the enemy detects the F-35. But if Russia’s stealth system turns out to be good, that advantage is liquidated.

For the western countries, most arms sales to Iran are likely to be electronics and spare parts instead of major systems. Iran will want parts for its F-5’s and F-4’s, perhaps for its F-14’s, and may also seek improvements on those platforms such as better radars or electronic warfare pods. But for sure the big potential beneficiary is Russia.

One other significant impact is that the opening up of arms sales undermines the sanctions on Russia put there because of Russia’s military adventurism in the Ukraine. For the most part this deal makes those sanctions largely superfluous because, other than the export of its mineral wealth, Russia’s productivity is largely focused on its military industry. That is why the Russians are pushing so hard on the Ukraine, because a significant share of their military manufacturing is in Ukrainian hands and the Russians want it back.

While Congress will look at the nuclear deal primarily from the point of view of its adequacy and enforceability, the fact that the deal will boost Russia’s arms industry and help it rapidly build its Air Force’s stealth capability is a major strategic concern that should not be swept under the table.


Cyber Security Is A National Security Imperative, But We Are in Failure Mode

by Stephen Bryen
The resignation of the Director of OPM is far from a solution to the massive data breach which now jeopardizes the privacy of millions of Americans and creates a national security threat of unknown and unprecedented dimension.
Worse yet, the government does not have a clue how to fix the problem.  We have the dumbest leaders and managers in the world, and the stupidity is so extreme that there is not a single organization in the government capable of advancing a fix to the cyber threat problem.  Administrations and Congress have been talking about all this for years and passing meaningless legislation that has improved nothing.  Meanwhile America’s adversaries are mining the gold that we as taxpayers underwrite, by stealing our technology and penetrating our entire critical infrastructure such that in any war everything will be shut down: power, water, communications, transport, food supply, fuel – the lot.  The simple minded folks in Washington blow billions of dollars on non-fixes and hire countless security experts who would not know what to do in a traditional war. What makes anyone think they will know what to do in a cyber war?
The Pentagon stood up an organization to combat cyber crime by fighting fire with fire.  But so far as anyone can tell, they are incapable of doing this because they do not have any rules of engagement and, in any case, have barely an idea of what targets they should address.
There are two major cyber issues afflicting America.
The first is network integrity.  Because we universally rely on crappy commercial software to run our networks, built primarily for accessibility and entertainment, any idea of imposing a security envelope on them is pie in the sky.  They are untrustworthy junk.  Every network is totally vulnerable to denial of service attacks and a host of other penetration schemes for which they are not only ill prepared, they are not prepared at all.
The second issue is protection of information, a task which our government has proven it cannot be trusted to carry out.  There are billions of records and tons of information ranging from the technological to the personal, from financial to health, that are mishandled by the government all the time.  None of the information is protected by encryption.  None of it is restricted by need to know.  Not only is it careless and sloppy; it is criminal.  The answer is straightforward but, for idiotic institutional reasons (the information is not classified), it is not safeguarded with encryption and compartmentalization.
So what are the answers?
The first is that a sort of Manhattan Project is needed to replace garbage commercial software the government uses for its networks.  This Plan should also include all the critical infrastructure.  A Manhattan Project will be tasked in two years to replace all the garbage with an impenetrable system that works; a system that is kept secret from our enemies; and perhaps even lives on a separate Internet, not the commercial one that is killing us all.
The second is that all government data should be classified which then will require that it is encrypted.  This will stop the nonsense that government officials say they can’t encrypt non-classified information.  The easy solution: classify everything. Collective stupidity is a disease and sometimes it needs a cure that revivifies the dead.  You can be sure the government brain is dead.  It must be fixed.
One of the great problems of government is there is no collective or individual responsibility or accountability.  People screw up and get away with it and the taxpayer is raped over with consistent success.  I am happy the head of OPM resigned, but what about her rotten security staff or the equally inept and incompetent morons who run all the other government agencies. They keep getting their paychecks.
Fire the lot.  Get new people. Put a Manhattan Project in place.  Classify everything and only release what you have to selectively. Take critical infrastructure protection not as a casual “wanna do” but as a national security imperative.  Most of all, fight the war and don’t trust anyone to do it for you.

Regulating Encryption: Can it be done? Yes.

by Stephen Bryen

NIST Scanner

The Director of the FBI, in a warning to Congress, points out that ISIS is now using encryption to mask messages it is sending to thousands of Americans favorable to the ISIS cause, exhorting them to kill military and police and other hated targets. He, along with others in the Obama administration, is urging “Silicon Valley” to consider building backdoors into encryption products they sell so that law enforcement can tap encrypted phones or computers and properly “do its job.”

But the question is, is there a practical solution?

I have been in the encryption business, or more clearly I have built commercial products that use encryption. In the early 1990’s I founded a company called SECOM (for Secure Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was very popular and we built our product to run on PC’s running MSDOS or Windows. And because computers were slow, we built a little plug in computer card which did the actual encryption and decryption work.

Then the fun began. NSA did not like our solution because it was too hard to crack, so they “recommended” reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money), we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.

It was a bad outcome for us. And, as we pointed out at the time, because we used hardware and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the product.

What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board.

NSA and its counterpart the National Institute of Science and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government “customers”; on the other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad.

It may seem odd, therefore, that the government is worried about encryption if it is also facilitating its development and export.

We can add to that the known effort by NIST to publish a random number generator for so-called elliptical curve encryption that was found to be buggered. The buggered product found its way into corporate security systems in the US and around the world.

The latest alarm in our government is more a consequence of the embarrassing and dangerous leaks by Edward Snowden than anything directly to do with ISIS. Terrorists have been using encryption for a number of years, and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United States develop and sell a wide range of security products that use encryption. And the “Dark Web” on the Internet is also a source of supply for covert type programs and applications.

My own thought is that the government is trying very hard to cut a deal with Snowden so that he will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know.

Whatever the case, the availability of encryption on a global scale seems to suggest that trying to control it is a futile exercise. But that is what the government is saying. So the question is what can the government actually do to mitigate the situation?

Many in Silicon Valley (and here we are talking about most of the really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes, or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a long time, but it brings with it two risks: either the “security” is so weak as to be meaningless, pushing users to outside solutions or the backdoor or hole in the system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of escalating exponential cyber attacks on our government and on corporate America, this “solution” is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.

An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly exists today in the form of network sniffers and scanners.

A modified form of the no encryption approach is to allow encryption only on authorized devices that US industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980’s when I dealt with export controls.

The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt their business performance.

The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so called “PRE” benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.

Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners.

I think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement’s job to put them out of business here. And it is the job of the DOD and CIA to shut them down beyond our borders.

Above all else it is vastly important to make America safe, and it is vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese.

Let’s hope we can arrive at a sensible solution to security for America.


Money, Money, Money

by Stephen Bryen

One of the best songs in the musical Cabaret is Money performed by Joel Grey and Liza Minnelli. “Money makes the world go ’round.”

Bank De “Merkel” from CTV News

And so it does, or at least it affects how the world goes around these days in the midst of the Euro crisis in Greece.

It is worth taking a look at where the money is, and where it isn’t.

For this I will use the per capita income as a measure. Per capita income is derived by taking the gross national product of a country and dividing it by the number of resident producers, namely people who are working. Since not everyone reports actual income, many countries have “black” or hidden economies, and many industries keep two sets of books, one has to be careful in taking the numbers we have completely at face value. But even with the possible points of distortion in mind, the numbers are most interesting and revealing.

The highest reported per capita income is Norway with a whopping $97,363 per working person. The closest to this is the tiny municipality of Macao, which derives its income from gambling and comes in at $96,443 per capita. From that lofty number we go to some of the other Scandinavian countries with Denmark at $60,634 and Sweden at $58,887. Next comes the United States at $54,629 followed by Iceland and the Netherlands still in the 50’s. Germany, Europe’s economic powerhouse, is lower at $45,620 per capita and the UK, France and Italy are in the mid to high 30’s. So too is Japan at $36,194. In fact, Japan is outperformed in terms of per capita income by the UK at $38,160 and by Israel at $37,031.

Then comes the bad news. Greece is at $21,682; Portugal at $22,080 and Spain, better off at $30,262. Russia is only at $12,735 per capita and Ukraine is at a mere $3,082 (practically bankrupt). Without the Donetsk area, which Ukraine no longer controls, the real per capita is likely to be even lower.

Some questions arise from this analysis.

Question 1: why would Russia be fighting a semi-secret war in the Ukraine which, if it fell into Russian hands (which is happening) would drag down Russia’s standard of living significantly? From an economic as opposed to ideological point of view, unless Russia can achieve something more, occupying the Ukraine is a significantly bad deal for the Russian people.

Question 2: would Russia attack the Baltic states (Latvia, Estonia and Lithuania) for economic reasons? They might certainly because all these countries have strong per capita incomes above that of Russia (Estonia $19,719; Lithuania $16,037 and Latvia $16,037). While Poland is less rich (per capita at $14,422) the ancient enmity between Poland and Russia remains a factor, but all these are NATO countries today which complicates Mr. Putin’s ambitions. Perhaps he is hoping for a continually weakening Europe, and he may get his way.

Question 3: what about Greece? Greece is worse off than Portugal and Spain not counting its substantial debt. Unless Greece can find a receptive Europe willing to write off its debt, its per capita income next year will be even lower. Almost all of this augurs for Greece either completely exiting the Eurozone or creating a second currency to live alongside the Euro. This would make the most sense, but sense does not seem to be an agenda item either for Greece or for Europe.

Europe is frozen into an ideological corner from which extraction is rather difficult for ideological and economic reasons. It is clear that the rich-poor dichotomy in Europe is not sustainable in a world that is increasingly interconnected and aware and politically more mature than when the Eurozone was formed. The European dream was to have a “united” Europe dominated by Germany with the political support of France. Some doubt that France is as strong as it looks and that the French people are so happy with German domination. And all these countries have been flooded with immigrants who drag down their economy and create intractable social and political problems exacerbated by the unwillingness of the newcomers to become French, or German or Dutch and the unwillingness of many nationalists to accept them. Insofar as the euro is concerned, it is a “sovereign” currency realistically only in Germany because the Germans call the economic shots in Europe. All the others have surrendered their national sovereignty to this system.

It still remains to be seen if some accommodation will be made with Greece and whether it can work. Without a significant debt write off, surely it cannot. And short of that Greece cannot survive without a new currency.


11 Cyber Security Suggestions for Political Campaigns

by Stephen Bryen
As we are now in the midst of a Presidential campaign I am offering some free advice on how to keep the playing field as level as possible.  
 
Today we are deeply immersed in social media, email, texting and the widespread use of all kinds of APPS either to share information or carry out tasks.  Every modern political campaign is going to use all these tools and many more.  So here are suggestions on how to protect yourself.
 
Suggestion #1.  Do not use web based email, even encrypted web based email.  All web based email passes through servers controlled by the companies who offer the service, sometimes for free (like Google and Yahoo) and sometimes for a fee.  What really matters is that anything that passes through a third party server is a big risk.  Given that folks get pretty spun up over ideological and political issues, even the most security conscious companies can’t really control their employees.  The insider threat is greatest where sensitive information is exposed.  Web based email lives off revenue that is generated by key words that are “read” by machines and the information passed to advertisers or anyone who wants to buy the information.  Thus if I plug in the word “Liberal” as a key word, I will automatically know who the “Liberal” folks are on the email system.  That’s for starters. Then you come to the problem that someone wants to know what a particular campaign is doing, or planning, and plugs in a key word such as a candidate’s name, and then harvests the information.  From this one can deduce who are the active supporters and what they are up to.  From there lots of trouble starts.
 
Instead of web based email set up your own server and make sure the server is well protected by a firewall and by some form of two step authentication for the users.  Every campaign should have its own server for email and should make sure it is under their full control and carefully monitored.
 
Suggestion #2.  Do not use Skype, Hangouts or any other “free” service for conferencing.  In fact, don’t use any web based conferencing, even if it is paid.  Set up your own conferencing and your own server.  Listening in on Skype, for example, has been a favorite pastime for NSA, but it is also easily hacked by anyone with technological sophistication.  There is sure to be a big secondary market in intercepted Skype calls, with all kinds of juicy bits either offered up at no cost or bought by desperate candidates, probably using cutouts.  Avoid the problem.
 
Suggestion #3. Do not use any APP on your cellphone unless you are sure it is clean and safe, and above all don’t use any APPS you get from the Apple Store or Android Play Store. These APPS often steal your information such as your contacts lists or schedule, or report your location.  It is astonishing how many “permissions” APPS ask for that have nothing to do with their functionality.  This is a tip off that the APP comes with an ulterior motive.  To make matters worse, many of the APPS out there in the public are buggered and have malicious code attached to them in the form of malware and spyware. It is very hard to tell what APPS are clean and which are not. Avoid them all.  If you have designed a special APP for campaign use, it is very important to test its integrity and make sure it is not leaking vital information.  And the APP should not be distributed in a public way.
 
Suggestion #4.  Be careful about cell phone calls, especially if you are in a public area such as an airport, coffee shop, hotel or restaurant.  Today there are lots of cheap IMSI catchers around. An IMSI catcher is a tool that pretends to be a cell tower.  Your cell phone is built to look for the strongest cell phone signal and connect to it.  An IMSI catcher, if it is nearby, will appear to the phone like a strong signal and it will connect to that “tower.”  Then the IMSI catcher acts as a man in the middle: it grabs your call and connects you to a legitimate cell tower and then to the person you are connected with through the phone company. Meanwhile the IMSI catcher can record your entire phone conversation.
 
Suggestion #5.  Avoid public WiFi.  Public WiFi is very dangerous because it is not encrypted in any way.  Whatever you do across a public WiFi connection is easy to intercept. Like the IMSI catcher, it is also common these days for snoops to set up what looks like a public WiFi to snare your connection, even on airplanes or trains.  This means that you are connected through a snooper to the external network and everything you do or say across the WiFi can be picked off. You are far better off using the data connection from the telephone company than using the data connection of a public WiFi.
 
Suggestion #6.  Consider secure smartphones for communications at the top levels of a campaign.  The best secure phones both encrypt the conversation so that if it is intercepted it can’t be listened to, and protect the phone from malware and spyware.  Be aware that most secure phones work through servers, and the people who run the servers, if they are third party, may or may not be reliable.  Be careful here and consider running your own secure phone server.
 
Suggestion #7. Train your staff to follow sound cyber security procedures in all their activities.  Training is very important for two reasons: it helps reduce the chance of human error which is one of the biggest sources of security compromise and it makes people alert to intrusions and threats.  Being ready for various threats is very important.  A denial of service attack could close down a campaign because all its messaging and communications could be blocked.  Knowing what to do when that happens and having alternatives in place means your campaign will not be shut down.
 
Suggestion #8. Vet companies you hire to provide cyber services checking carefully about who are their customers and whom they employ.  The first rule is to ask for a list of a cyber security company’s customers and their employees.  Then hire a private investigations firm to check them carefully.  Outsourcing cyber security support may be very necessary, but it is also risky. One ringer in the bunch and your campaign could be badly compromised.
 
Suggestion #9. Make sure that all campaign personnel who have social media accounts clean them before they come on board.  Set rules on what is allowed or not allowed during the campaign. People today are very careless about what they post on social media.  People “tweet” before they think, and post before they consider the consequences.  They also give out too much personal information, location information, even family information that might be used by an adversary.  Rules are very important to help mitigate this risk, and monitoring is not only important but probably mandatory.
 
Suggestion #10.  Keep your most strategic documents, membership lists, and other vital data off line on computers that are not connected to the Internet.  This is the best way to keep your campaign plans safe.  It is also a good idea to encrypt everything, even what is offline.  One of the cottage industries in Washington DC is for cleaning ladies to be accompanied on their late night work by intruders and poachers who download everything they can from office computers.  If the material is encrypted, then it has no value to any intruder.  Be safe; not sorry.
 
Suggestion #11.  Don’t allow cell phones or tablets in any meeting you have.  Cell phones and tablets are walking time bombs.  Their microphones and cameras can be switched on by spyware and can listen in and record your meetings and conversations.  And if there is a computer in the room, unplug it!  Even when not having a conversation make sure your webcam is unplugged (if you can) or covered if you can’t.
 
Above all remember that a political campaign is like any other business or organization in that it must be operated in a responsible way.  If your campaign lacks cyber security you are not only hurting your chances for election but you are hurting your cause and bringing potential harm to colleagues and friends.  Cyber security is not only very important in political campaigns: you can’t succeed without it.

Aircraft Carriers and the Future of US Security

by Stephen Bryen

Do we need aircraft carriers and can they fight in a modern war? These are important questions that trouble many defense analysts. While aircraft carriers have proved useful in power projection and recently supported US operations in Iraq and, to a lesser degree, in Syria, the role of aircraft carriers against a well-armed and capable adversary is very much in doubt.

China has developed an anti-ship ballistic missile called the DF-21D, also known as the CSS-5 Mod 4 missile. The missile can be guided against moving ships, including aircraft carriers, and works in tandem with satellites and UAVs for target acquisition. Once this missile reaches full operational status no one should be surprised to see it proliferating around the world with countries like Iran and Pakistan first in line to buy them.

Missiles like this make aircraft carrier operations in sensitive areas such as the Indian Ocean and Persian Gulf risky, if not impossible. The DF-21D is a mobile ballistic missile, meaning that neutralizing a DF-21D threat is a very big challenge. Without being able to assure the DF-21D’s elimination, carriers and their associated fleets can’t be moved into harm’s way.

Today’s American aircraft carriers are nuclear powered mega-ships with a crew size of some 5,000 sailors and specialists and with air wings on board. The newest aircraft carrier currently under construction will cost $13 billion just to build not counting the aircraft on board which represents easily another $20 billion. Are these aircraft carriers too big to use?

Some argue that a better approach is to rely on smaller aircraft carriers to do the job. But what is the job?

The aircraft carrier was developed originally more than 100 years ago. The first flight off the deck of a ship was in 1910; the first purpose built aircraft carrier started construction in 1918 and was completed in 1922.

During World War II the aircraft carrier played an important role in supporting American forces trying to push the Japanese off critical island chains. Carriers also played a major role in the Battle of Midway and other attacks where US launched carrier based aircraft challenged Japan’s carriers.

In 1942 the United States lost four Fleet aircraft carriers to Japanese attacks, mainly torpedoes launched by Japanese aircraft or, in the case of the CV-7 Wasp, to a torpedo from a Japanese submarine. In addition the US lost a number of Escort and Light carriers in the war.

Japan lost 15 aircraft carriers of all types between 1942 and 1945.

The British also took heavy carrier losses, starting in 1939 with the sinking of the Courageous, in 1940 with the destruction of the Glorious, in 1942 with the devastating loss of the Ark Royal, and in 1942 with the additional losses of the Eagle and Hermes. Britain also lost three escort carriers in the war.

If World War II gives any clue, it is that aircraft carriers in major wars are vulnerable to enemy attack.

The same would seem to be true today, perhaps even more so because without anti-ballistic missile defenses, aircraft carriers face a very uncertain future.

While aircraft carrier technology continues to advance in certain respects, can we protect the carriers both from missiles and from underwater attack? As of 2014 the US had no plan to build a ballistic missile defense system (BMD) focused on the Chinese missile threat. While the US does have Aegis cruisers equipped with SM-3 missiles and capable radars, these platforms probably can’t successfully intercept and destroy the DF-21D. The question needs to be asked, why invest so much in carriers if we are not going to spend to defend them?

It may be that the role of aircraft carriers is mostly to do power projection against weak countries that cause trouble in places, as in the Middle East. But, as we have noted, even that could change overnight if China starts exporting the DF-21D or the Russians start supplying stealth aircraft to countries of concern, particularly Iran. Already the Russians have supplied quiet and dangerous diesel-electric submarines to Iran in the form of 4,000 ton Kilo class submarines. And they are selling the S-300 anti-aircraft missile system to the Iranians, a threat to carrier based aircraft. With Iran on the verge of becoming a nuclear power, the Russians will have to keep feeding the beast, and it is likely they will do so both willingly and profitably.

While the aircraft carrier remains the pride of the American fleet, its future is uncertain and, to a degree, threatened. Its usefulness in big wars and even in sensitive areas such as the Persian Gulf or the Mediterranean, today is in doubt.

Technology and Security Podcast on iTunes

Washington DC, June 26, 2015
For Immediate Release

Technology and Security has launched a new podcast series by the same name.  Episodes will be available at

https://itunes.apple.com/us/podcast/technology-security/id1012525063

Users will need iTunes to download the new podcast series.

Look for this cover in iTunes

While having an audio version is somewhat of an experiment for us, there have been enough requests for a podcast series that we decided to go ahead and make the programs available.

Some of the podcasts will be based directly on our well-regarded blog, Technology and Security.  Others will be available only in podcast format.

Technology and Security aims to relate the importance of technology to national security and national power. Recent books by the blog’s author, Dr. Stephen Bryen, include: Essays in Technology, Security and Strategy and the forthcoming Technology Security and National Power: Winners and Losers.

America has long enjoyed being the world’s technology leader.  But in some sectors that is starting to change as American technology increasingly has gone offshore, fueling China’s rapid growth and military expansion, and as other countries have closed the technology gap with the United States.  These changes and shifts represent a challenge for the future, and for the most part America’s guard still remains down.  Should this persist, America will find its ability to maintain its standard of living and safeguard its security increasingly difficult.

Technology and Security explores these issues and more.  Part of the blog’s focus is on cyber security, an area where adversaries are having their way harvesting American technological information and undermining governmental and infrastructural functions.  Technology and Security helps to explain why this is happening and proposes ways to cope with the situation or strengthen the protection of vital computer networks.

The Real Cybercrime

by Stephen Bryen

[A version of this article appeared in the Huffington Post with Rebecca Abrahams]

It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances.  The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers.  Most experts think that the buyer is most likely China, with Russia running a close second.

When a prospective employee applies for a job that requires a security clearance, he or she fills out a form called an SF-86, the Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it.  Your friends, colleagues, bosses and neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited, including tracking the employee and making sophisticated “phishing” operations possible.  Phishing is a technique where a false email or message is sent to an employee and, when opened, puts spyware on the employee’s computer.

You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information.  Perish the thought.  Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”

Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.

None of them understand the problem or demonstrate any real willingness to solve it.  All of them have the wrong cart in front of the wrong horse.

The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.

What are those steps?  Most fundamentally there are two: compartmenting information and encrypting it.  For unclassified information, which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way.  No they can’t.

NIST has just put out a new directive for contractors.  It is worthless.  Why?  Because it does not require either compartmentalization or encryption.

Compartmentalization means that not everyone can access everything.  It is as simple as that.  It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job.  Properly administered, need to know and compartmentalization protect against any major theft of information, particularly if the data itself is stored in an encrypted format.
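How much a single stolen login exposes under each approach can be shown with a small model. This Python sketch is an added example, not part of the original article; the store layout, the account, the per-case key derivation and every name in it are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MASTER_KEY = b"constructed-demo-master-key"  # constructed; a real one stays inside an HSM/KMS

@dataclass(frozen=True)
class Record:
    record_id: str
    compartment: str   # e.g. the agency whose staff the form covers
    case_id: str       # the investigation the form belongs to

@dataclass
class Account:
    name: str
    compartments: set = field(default_factory=set)  # compartments the user is cleared for
    cases: set = field(default_factory=set)         # need to know: cases assigned to the user

def case_key(compartment: str, case_id: str) -> bytes:
    """Derive a separate data key per compartment and case, so no single key opens everything."""
    label = f"{compartment}|{case_id}".encode()
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()

def release_key(account: Account, record: Record):
    """Key service: release the record's key only if both checks pass, else None."""
    if record.compartment not in account.compartments:
        return None   # not cleared for this compartment
    if record.case_id not in account.cases:
        return None   # cleared, but no need to know for this case
    return case_key(record.compartment, record.case_id)

def exposure_flat(account: Account, store: list) -> list:
    """Flat, unencrypted store: any valid login, whoever it belongs to, reads every record."""
    return [r.record_id for r in store]

def exposure_compartmented(account: Account, store: list) -> list:
    """Compartmented, encrypted store: a stolen login reads only what it can obtain a key for."""
    return [r.record_id for r in store if release_key(account, r) is not None]

# Constructed sample store: 3 compartments x 4 cases x 50 forms = 600 records
STORE = [
    Record(f"{comp}-{case}-{n:03d}", comp, f"{comp}-case{case}")
    for comp in ("agencyA", "agencyB", "agencyC")
    for case in range(4)
    for n in range(50)
]

# Constructed stolen account: cleared for agencyA and assigned to a single case
STOLEN = Account("adjudicator1", compartments={"agencyA"}, cases={"agencyA-case2"})

if __name__ == "__main__":
    flat = exposure_flat(STOLEN, STORE)
    scoped = exposure_compartmented(STOLEN, STORE)
    print(f"flat store exposes {len(flat)} of {len(STORE)} records")
    print(f"compartmented store exposes {len(scoped)} of {len(STORE)} records")
```
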

081203-N-2147L-390 NORFOLK, Va. (Dec. 3, 2008) Sailors on the watch-floor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Mass Communications Specialist 1st Class Corey Lewis/Released)

The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools.  While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.

Attacks on Religious Institutions is a Global Problem: Is there a solution?

by Stephen Bryen

Church attack in New Delhi

Attacks on religious institutions, churches, schools, community centers and offices are far from only an American problem, although the United States has had plenty of them.

In our country churches, synagogues, mosques and temples have been attacked and worshippers going to and from these places have been murdered. Whether we are speaking about Christian churches, Catholic churches, Sikh Temples, Mosques or Synagogues, all of them have been hit by terrorists. I strongly prefer the term “terrorist” to racist or anti-Semite because it best describes what we are up against.

Around the world terrorism against religious institutions is rampant. Whether we talk about Pakistan where religious school children are wantonly murdered, or India, or Iraq and Syria we find such atrocities. In Europe there have been attacks on synagogues and churches and murders of citizens for example in France, Belgium and Denmark among many others.

While some of the attacks are clearly by radicalized individuals, others involve state backing or state complicity. In the bombing of the Asociación Mutual Israelita Argentina, which killed 85 people in the building and wounded more than 100 others, there is little doubt, outside of the corrupt politicians of Argentina, that the bombing and murder were accomplished by Iranian operatives, perhaps in a conspiracy with Argentinian politicians or police.

State sponsored attacks are a growing threat. Outfits like al-Qaeda, the Taliban, ISIS and Boko Haram can operate because they are sponsored and supported by nation-states, providing them with equipment, intelligence and even naming targets. Coptic Christians would not be murdered in Egypt without the help of the Moslem Brotherhood, which the Obama administration befriended. Chechen terrorists in Russia have got backing from Saudi Arabia either directly or through religious cutouts.

For Americans the question is how to confront the problem. It is one thing to try and build community support against terrorism and racism, but at the end of the day there isn’t any empirical evidence that this is a sufficient strategy to combat such crimes. In fact it may act as a deterrent to hard headed preventive strategies that are badly needed. But there is one thing the community writ large can be encouraged to do: when they see a threat either because someone says something or writes something or threatens someone, people do need to respond and bring it to the attention of the larger community and make law enforcement aware. Here we can talk about the importance of social responsibility and the need to act against terrorists, racists and anti-Semites.

Most religious institutions in the United States are unprotected. The same is true in other countries. Their doors are open to terrorists and externally their perimeters are easily penetrated by bombers, either on foot or in vehicles. Few have active surveillance or even passive barriers to prevent such attacks.

There is no single technology that can guarantee complete protection against a fanatic or group of fanatics, and particularly against professional killers like the ones in Buenos Aires. Even so, protection helps reduce the frequency of successful attacks, helps to identify the perpetrators, and can save lives.

The most important first step is to understand the nature of the threat and to have critical intelligence if the risk level is high. More importantly, real time intelligence may help identify the person or persons who plan an attack.

It is no secret that a lot of this information can be found on social media. Dylann Roof, the 21-year-old man charged with the murders at the Emanuel A.M.E. Church in Charleston, had a Web page with his outrageous rantings posted since last February. No one paid any attention. Law enforcement can easily track social media, but they need to be more proactive and not only warn about risk but also confront those threatening the community. Had information on Dylann Roof been distributed to churches and synagogues (he hated Blacks and Jews and many others), they would have been on the lookout for him and maybe the tragedy could have been prevented. Just distributing his photos (from his web site) could have alerted the folks at the A.M.E. Church.

This is a far better strategy than opining about gun control. Gun control is not going to stop a fanatic any more than it is going to stop a determined criminal.

Once you have information that is useful, you must implement a proper organization to aid in protecting a religious institution. Technology can help, but without a good organization and equally vital good training, the risk remains.

While some synagogues have put in place perimeter protection because of their exposure to constant threats, and some have hired guards, there is not much in the way of organization or training of lay people. There is even less at churches.

The Department of Homeland Security has provided funds here and there to buy defensive equipment such as surveillance cameras or alarm systems, but the Department has not thought to provide organizational training. Some police departments do make an effort to help, but usually they have to be asked to do so and often they themselves are not trained to provide perimeter protection services.

Unfortunately the ball has mostly been dropped, which is why alleged terrorists like Dylann Roof can operate and why the greater threat of state sponsored terrorist attacks on religious institutions in the United States is not far from us.

Surely we can do better.

What Happened to Snowden’s Files

The London Sunday Times reports that Britain and the US have pulled agents out of China and Russia because information contained in encrypted files stolen by Edward Snowden has been decrypted.

“His documents were encrypted but they weren’t completely secure and we have now seen our agents and assets being targeted,” a source told the Sunday Times.

What can we understand from this disclosure?

Here are a few thoughts:

  1. There is little doubt that Edward Snowden’s disclosure of highly classified information has been immensely damaging to US and British intelligence gathering, setting aside the latest allegation.  Techniques of modern spying have been extensively exposed, making intelligence gathering much more difficult if not impossible in some cases.  The bottom line is that Snowden caused harm to the national security of both countries and also to the friends and allies of the US and Britain.
  2. Snowden’s access to such a wide range of sensitive intelligence while he worked as a contractor to the US government makes clear that most of the standard rules of protecting classified information were not followed and that this sloppiness and poor administration made possible the bulk of Snowden’s criminal activity.  Above all, compartmentalization of classified information, essential to minimize an insider threat, was not properly implemented.
  3. If government files contain the names of spies and agents then our intelligence collection system is badly broken (notwithstanding Snowden), since putting this information into accessible files revealing sources and methods is an incredible systemic blunder.
  4. The idea that a contractor would have access to files containing lists of agents and spies is unimaginable.  It is impossible to be sure that it truly happened, but the statements by highly placed “sources” that this occurred are truly frightening. By now anyone connected with assisting Western intelligence has to be on the run.
  5. Cracking encryption codes takes super computers and a lot of effort especially if files are encrypted with large key sizes and use advanced secret encryption algorithms. The chance of breaking such code is very small even if a potential adversary has unlimited resources to go against the problem.
  6. A related possibility is that key materials were handed over by Snowden or by others to the Russians, Chinese or both.  This is what happened in the John Anthony Walker, Jr. case. He was a United States Navy Chief Warrant Officer and communications specialist convicted of spying for the Soviet Union from 1968 to 1985.  Walker gave the Russians key material enabling them to descramble US Navy coded messages.  Walker exposed a lot of sensitive information because many State Department and DOD messages were passed on through to the Navy and hence were exposed.
  7. There is also the possibility, not to be discounted, that no such compromise of encrypted information has happened but that the story has been leaked to cover up other spying operations that may have been compromised.  The evidence?  It seems a little far-fetched that the government would keep any list of its spies and agents in one place, or even put such information into digital files in the first place.  But if there was a mole in one of the spy agencies, the mole could have got this information.  Saying it was Snowden’s fault could have been a motive on either side of the fence: that is, it could have been the Russians or Chinese putting out a false story to hide their mole or moles; it could have been the British or U.S. intelligence putting out a story to cover revealing an inside threat they have fingered.  At the moment the best that can be said is that there is a state of alarm in US and British intelligence and they are deeply concerned about their assets (agents) being rolled up by the Chinese and/or Russians.
  8. Finally there is the possibility that the reports about pulling agents out of harm’s way are false and that all of this is an attempt to do more damage to Snowden.  I don’t believe this to be the case, however, because putting out an alarm of this kind would automatically damage all the secret relationships the intelligence community has with its operatives.
  9. If encrypted files were compromised then it is vital to find out how. There are a number of serious cryptographers in the United States and the UK who need to be brought in to determine whether US and UK secret encryption is properly implemented.  It would be an error to rely solely on the suppliers of encryption materials or in-house experts.  An objective evaluation is an urgent task.
  10. While we should assume that the glaring mistakes of managing secret intelligence have already been fixed, procedures and methods need another look by qualified experts who are independent and objective. It is frightening to think that our national security is still at risk.