Tag Archives: security

Humiliation on the High Seas



By Stephen Bryen and Shoshana Bryen

Aug. 25, 2016, at 5:30 p.m.

The United States was humiliated this week when the USS Nitze came under simulated attack by four Iranian missile and torpedo-equipped speedboats in international waters. Despite American warnings, radio calls, flares and foghorns, two of the boats came within a few hundred yards of the Nitze. Iran is harassing American naval warships in the Persian Gulf while Washington refuses to acknowledge Iranian threats for reasons that are both political and practical.


The political reason is that Washington still entertains the idea that Iran can be a friend of America. This view, strongly held by the White House, State Department, Pentagon and CIA, is a true fantasy. No matter how many Iranian statements from top Iranian political and military leaders proclaim their total hatred of the United States, Washington persists in fostering the illusion. There is no immediate cure for a political disease: We have yet to invent an anti-regime-biotic that, when injected into the insane, returns them to normalcy.


As there is no solution, the Obama administration will explain the Persian Gulf incident as some sort of aberration or unauthorized action by the Iranian Revolutionary Guards, or a mistake, but not an act of overt hostility.

Second is the practical reason. The attack on the Nitze, described by the Navy and Pentagon as “unprofessional” and “unsafe,” actually was a test of an Iranian tactic called the “swarming boat” to destroy U.S. warships in the Persian Gulf.

The swarming boat attack is just what it sounds like: a number of fast boats equipped with missiles and torpedoes attack enemy ships from multiple angles to damage or destroy them as quickly as possible. Recently the Iranians added another dimension to the swarming boats: a vessel known as the Ya Mahdi, a remotely piloted fast patrol boat that can fire rockets or be stuffed with explosives. It is a new version of the boat that attacked the USS Cole in Aden in 2000 at a cost of 17 lives, 39 injuries and severe damage to the ship.

Fast patrol boats are maneuverable and operate up to 75 knots, making them hard to hit, particularly as they are built mostly of fiberglass, so they are not so easy to locate with radar. In addition, the defensive weapons on board most U.S. naval ships are inadequate. The old Mark 45 five inch guns fire too slowly and are not optimized against this kind of threat. They also are linked to aged fire control and radars that probably won’t pick up the patrol boats until they are in range to fire their missiles. The rapid-fire Phalanx gun, the gun of last resort on ships like the Nitze, has the same sensor-shooter problem, although some improvements have been made. It is questionable whether the Phalanx can actually stop an intense and multi-vessel attack.


Most important, none of these weapons can shoot down unguided rockets and missiles. The Phalanx fails because its range is too short and its ability to stop a high-speed kinetic round is very poor. And there is no good defense against torpedoes except to try and evade them, which is hard to do in a complex attack.

The Pentagon has known about this threat for a long time, and has opted to do next to nothing about it. Focused on big blue water operations, the Navy is behind a curve 20 years in the making.

Meanwhile, the Iranians keep improving the firepower of their fast patrol boats and adapt Western technology to further raise the threat level. They now have a semi-submersible fast patrol boat they acquired from North Korea and improved. This carries significant firepower and is hard to find and hit. They have taken British technology from the superfast Bladerunner speedboat and turned it into the Seraj-1, which exceeds 55 knots on the surface. A newer version, thought to be the Seraj-2, may reach 80 to 85 knots, far faster than anything in the U.S. inventory. And the Iranians appear able to acquire diesel engines, surface drives and other sophisticated gear from Western sources without any practical interference.

The Pentagon needs to get its act together and come up with tactics and weapons systems to solve the problem of swarm boat attacks. So, too, must the administration stop pretending Iran is not a real threat. Above all, it is time to end America’s humiliation on the high seas.


Why Cyber Security Fails

by Stephen Bryen


The Maginot Line approach to Cyber Security is a self-fulfilling prophecy of disaster.

Today there is a huge cyber security industry organized to try and stop cyber intrusions, information theft, and crippling attacks on the critical infrastructure including our defense systems.  The American government has spent hundreds of billions since the 1980’s to try and build defenses against cyber attacks.  But despite the effort, and the tens of thousands of experts who have worked hard to try and protect information systems, there is a record of failure for all to see.  If anything, Americans are less secure today than last year; and less secure last year than ten years ago.  When it comes to protecting cyber systems, we are in an exponential failure mode.  Why?

Here are the reasons why cyber security fails:

1. Today’s systems are hugely complex and rapidly changing and adapting.  Such complexity means that even with the best of intentions it is extremely difficult to cover all, or even most, of the potential vulnerabilities in operating systems, software, communications and networks. Virtually every modern system has been hacked successfully and repeatedly.

2. Modern hardware and software evolve, and as new features, capabilities and functions are added, the old features, capabilities and functions generally are dragged along and remain built into the newest products.  Thus old weaknesses persist and remain lurking even while new vulnerabilities are added to the risk equation.

3. Most software and firmware contains a certain amount of community-developed open source code.  This has led to some notable system disasters such as the Heartbleed bug.  Community developed code may be very good, and most of it is free thereby attracting companies to make use of it. Often it also forms the de facto standard for functions such as communications and security, making it hard to avoid because of the need for compatibility across different platforms including different vintages of applications.  There is no formal policing system for community developed code efforts.  While the people involved often are well meaning, their operations are an easy target for a professional intelligence organization to penetrate.

4. Most operating systems and computer software, even custom built, are commercial or contain commercial elements.  While all large computer software design teams take into account security, it is never their first priority because it is not their customer’s priority.  The customer wants the solution and wants to spend as little as possible in many cases.  The customer also wants ease of use and minimal restrictions placed on any application, network or operating system.  Plug and Play today has a much broader meaning than originally intended: it is the ability to load and use a program with minimal learning curve and maximum payback in terms of achieving functionality.  It is not surprising, therefore, that software companies often are providing patches and updates to try and fix a long list of vulnerabilities in the code they have sold commercially.  All updates and patches usually come well after the vulnerability has already been exploited by the bad guys.  Worse yet, not everyone implements the changes needed in a timely manner, or even at all.

5. Most software companies are globalized.  This means that maintaining anything resembling internal security is extremely difficult.  Only the biggest players can afford to put in place security mechanisms and background checks to try and prevent a hostile organization from penetrating their development centers.  Once you drop below the level of the big guys, personnel security, compartmentalization and other techniques (such as protecting operating code by encrypting core elements) are rarely implemented.  Thus hostile organizations, foreign intelligence services, even rogue hackers find it very easy to penetrate development centers.

6. The US government among others has requested firms specializing in software, web based applications, mobile systems and encryption to create so-called back doors and other weaknesses that are supposedly only known to the US government and the company. Unfortunately there are people such as Edward Snowden who expose these government efforts from time to time.  Even without a Snowden, it is reasonable to assume that well financed foreign intelligence services will figure out where these back doors and gaps exist, meaning that they can join outfits like the NSA in exploiting them.

7. Nation states are investing billions to harvest information from IT systems and use it for improving their own defense systems, finding ways to weaken their adversaries, or simply to get rich.  Banks have been ripped off to the tune of billions, and mostly don’t report it.  Patents and trademarks, legal processes, confidential documents all have been stolen and used either to generate cash, duplicate the effort of the victims, or to create secret funds that can be used for nefarious purposes.  There is a huge criminal enterprise underneath government-run programs in different parts of the world, creating a new class of cyber rich government officials and hackers in a perfect storm of criminal activity, profiteering and use of information to intimidate or destroy rivals or competitors.  It is virtually impossible to stop well financed cyber hacking because it is persistent, deniable and has no consequences to the perpetrator.  Almost no one goes to jail for cyber exploits except a few braggarts who get caught.  Then the government who arrests them makes deals so they can benefit from the know how in their knowledge base.

8. The response to most intrusions and hacking is passive defense.  Wars can never be won with passive defense.  The Maginot Line approach to Cyber Security is a self-fulfilling prophecy of disaster.  All the adversary has to do is to keep trying.  The costs are small, risks are few and mostly non-existent, and rewards are great.  While the Pentagon has put together what it calls Plan X to go after hackers, there is no evidence to suggest we are doing that, the rules of engagement are secret (and it isn’t certain the rules exist), and the idea itself is flawed because it is based on the notion that you can successfully reverse cyber attack the source.  Unfortunately the source of the attack is the foreign government or organized crime network.  It is not the individual hacker or even hacker organization.  These can be replaced, reconfigured, relaunched and they can do their damage from their home country or elsewhere almost as easily. Thus trying to smash them is a futile game with few tangible rewards.  An attacking organization that can reconstitute itself on demand is not the right target.  The target must be the real source, namely the sponsors.  The sponsors can be got at in only one way: by causing damage to them. This means that if, for example, a cyber organization in China steals F-35 fighter jet information from Lockheed, the answer is not to hit back and attack the cyber organization.  The answer is to attack China’s aerospace industry and disrupt it severely.  Maybe this can be done through a cyber mechanism; but the mechanism is not so important as the deed.  Swift retribution is the only way to let the adversary know that he will pay each and every time he causes harm. Indeed it is utterly galling and a mark of failure that China is showing off its stealth jet, the Chengdu J-20, which is clearly a rip off of the F-35, and we are sitting on our hands.  World leaders and politicians, as well as military people, understand immediately. Either China has bested America by stealing her secrets, or they suspect a conspiracy between the US and China since it is unbelievable that the US would permit China to steal our technology.  But there it is, staring us in the face, and eroding our national security and our prestige.  How much prestige can the US surrender and not be regarded as the global chump, instead of the global peace keeper?

These are the reasons cyber security fails.  It cannot work as it is done today.  No amount of political blarney can keep covering up the escalating failure and the harm it is causing to our security, eroding our global markets, and putting our businesses, government, infrastructure and personal privacy at great risk.  We have to shed the Maginot Line mentality and change the game if we want to win the war.


No One is Safe in France

No one is safe in France.  The latest murders, including that of a Normandy priest of 86 years of age, celebrated by ISIS, demonstrate without any doubt the complete incompetence of the French authorities at all levels.  They illustrate either the authorities’ total disdain for their own citizens, or their inability to understand and act on the threat that is destabilizing French society.  This time the attack was on Catholic churches; previously there were attacks on synagogues, Jewish Kosher stores, and people in night clubs, as well as attacks at sporting events and national celebrations including the mass killing in Nice during a Bastille Day parade.

Why incompetent?

The murder of Priest Father Jacques Hamel could easily have been prevented.   How do we know this?  The press in Europe is reporting today that computer files found in the apartment of a convicted terrorist had this church on the list to be attacked.  That was around a year ago.  So you may ask, what was done?  The answer is, worse than nothing.

When any public or private institution is threatened, typically you take two basic steps. The first is to try and eliminate or neutralize the source of the threat.  The second, failing the first step, is to put strong security in place to protect the threatened sites.

Regarding perimeter security, this church was left entirely unprotected.  There were no guards. The two terrorists (there could be more, this is what we know about now) entered the church through an unlocked back door.  Why was the door unlocked?  Why didn’t the church have any protection?  Responsibility for this falls on the shoulders of the French authorities and, perhaps, on the church if the warnings were passed to them, which is not known at present.  Clearly the congregants in the Church, and those taken hostage, including nuns, had no inkling they were on a hit list.

Next we come to at least the main terrorist.  Not only was he known to the police, but he had been previously arrested for terrorism and convicted.  It was his apartment that had the computer files that put this church, and others, on the hit list.  He was out of jail under a form of house arrest.  He was wearing an electronic tag and paroled to his parents.  But, under the terms of his release, he was allowed to do anything he wanted during the morning hours, meaning that his electronic tag was not monitored from 0830 until 1230 every day.  The attack at the church in the center of Saint Etienne du Rouvray took place around 10 am.

Why would the French judicial system parole a known terrorist?  Why would they disregard extremely worrisome intelligence and not provide decent protection to their citizens?

The pattern of consistent security failures in France includes far more than what happened in Saint Etienne du Rouvray.  In Nice, despite forewarnings of terrorism, the French police removed guards on the streets, allowing a terrorist driving a heavy truck full of weapons to mow down people trapped in the crowds on the main street. Sandra Bertin, a local police officer in Nice, complained that the police who were there were only permitted to carry light weapons, namely small pistols. “The truck dodged the municipal police barrier. The team couldn’t stop it. You can’t burst the tires of a 19-tonner with a revolver. Then other municipal police in plainclothes in the crowd were confronted with it,” she said.  When she came to turn in her report of what she saw happen in Nice, she was asked to change her report.  She refused. The resulting contretemps has led France’s Interior Minister, who is in overall charge of security, to threaten to sue Bertin.

Perhaps France’s Interior Minister can do better.  He can resign.

The lack of security in France is nothing new to France’s Jews who until recently have borne the brunt of France’s poor security environment.  Synagogues and Jewish schools and community centers have been attacked; Jews have been beaten up and in some cases murdered on buses and in the metro or walking on the street; Kosher supermarkets have been shot up and many people killed. The list is a long one.  It is one of the reasons why Jews, who have an alternative, can leave France.  But for the rest of the people, that option is really not available.

In Europe right now ISIS and its Jihadi affiliates are waging war.  The Europeans overall don’t know what to do, and have been making a mess by not acting on intelligence, not protecting their borders, and refusing to understand the source of their collective problem.  Whether it is Germany, Belgium, France or the UK, the coddling of potential terrorists, the lack of connecting intelligence to action, and the weakness of law enforcement including the court system, is making it a sure thing that many more decent people will suffer and die.



by Stephen Bryen*

There is no reason to any longer trust Europe.  Europe is a collection of incompetent and dangerous nation-states with reduced sovereignty that are incapable of defending their borders and inept at ferreting out the terrorists in their midst.  Typically greedy and stupid, Europe’s police and military are all but emasculated, and Europe’s tolerance for domestic and imported terrorism is outright frightening.

With all the refugees pouring in, what are they doing to screen out terrorists?  Nothing.  They have failed to allocate money to buy minimal equipment.  Their security authorities are “detached” keeping their distance from densely populated Muslim communities and the refugees. Madness?  You bet.

While Europeans amuse themselves by beating up on Israel and practicing snarky antisemitism,  they have voluntarily surrendered their countries (such as they are) to domestic and imported Muslim terrorists who are steadily taking control of key neighborhoods, importing large quantities of weapons and explosives, and building close-knit, difficult to penetrate networks. The fact that most law-enforcement and security members speak no Arabic doesn’t help.

Had the terror cell responsible for the Paris and Brussels attacks delayed the attacks, they may have been able also to carry out their reported plan to attack a nuclear power station.

Most Euro-police forces lack the will and, therefore, the tools to go after suspected Muslim terrorists.  They show up after a terror event and parade around wearing body armor, protective helmets, and rapid fire guns. But they are poorly equipped, uncoordinated, and held in check by political leaders who don’t want to rock the boat of their illusions.

Consider the suicide bomber Ibrahim El Bakraoui.  He was deported twice by the Turks who warned the Belgian authorities he was a terrorist threat.  No matter.  The Belgians who promptly ignored the warnings are now responsible for the killing of at least 31 people, more than 330 wounded and for the short and long term enormous economic cost caused by the recent attacks.  But the Belgians insist it’s not their fault. They claim they are doing their best. The prevalent attitude is, “Once people get it into their minds that they’re going to kill people, you can’t stop them.”

No matter what European bigots say about Israel, and they are always screaming the Israelis are Nazis –  even worse, Jews – the fact remains that Israel has one of the best intelligence operations in the world.  Unlike their incompetent counterparts in Europe, they want and work hard to stop terrorism.  They would also like to protect Jews and Israelis who are all too often the target of terror attacks, as they were recently in Belgium.  One can rightfully ask: how come European intelligence, or the CIA, or Interpol didn’t issue proper warnings?

Europe, in its current condition, is not only living in a terrible threat environment largely of its own making. It also presents a major threat to the United States.

Why?  The lax security conditions and gross incompetence in Europe mean that terrorists can get on a plane and come to the United States.  The risk of hijackings, crashing planes or importing terrorists is very high.  Given the lack of effective European intelligence and monitoring, the U.S. should consider stopping all flights from Europe to the U.S. until the mess is cleaned up.

Many will say such measures are extremist and unjustified.  Really?  The possibility that a flight from Brussels to Dulles Airport, with one or more ISIS terrorists on board, could end up smashing into the White House or the CIA complex, or hitting NSA, south of Baltimore, or a nuclear power station is frightfully real and immensely dangerous.  Such an event would make Fukushima look small by comparison.  Yet we already know that the same terrorists who blew up the Brussels airport and metro had also planned to blow up a nuclear plant there. Do we think through some heavenly miracle that won’t happen in future?

The European security situation is, at the moment, beyond hopeless.  It is a train wreck with existential implications for America.   Our President’s inability to grasp the danger makes matters that much worse.

America can’t trust Europe right now.  It is urgent that we take measures to protect our homeland.


The terror cell responsible for the Paris and Brussels attacks was planning to attack an unidentified nuclear power station, it has been reported. Pictured is the power plant in Doel, Belgium. Read more: http://www.dailymail.co.uk/news/article-3507417/Brussels-bombers-DID-plan-attack-nuclear-power-station-police-uncover-12-hours-footage-jihadists-filmed-outside-plant-director-s-home.html#ixzz43pbfRWDU



*Dr. Stephen Bryen’s latest book is Technology Security and National Power: Winners and Losers (Transaction Publishers).


Regulating Encryption: Can it be done? Yes.

by Stephen Bryen

NIST Scanner

The Director of the FBI, in a warning to Congress, points out that ISIS is now using encryption to mask messages it is sending to thousands of Americans favorable to the ISIS cause, exhorting them to kill military and police and other hated targets. He, along with others in the Obama administration, is urging “Silicon Valley” to consider building backdoors into encryption products they sell so that law enforcement can tap encrypted phones or computers and properly “do its job.”

But the question is, is there a practical solution?

I have been in the encryption business, or more clearly I have built commercial products that use encryption. In the early 1990’s I founded a company called SECOM (for Secure Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was very popular and we built our product to run on PC’s running MSDOS or Windows. And because computers were slow, we built a little plug in computer card which did the actual encryption and decryption work.

Then the fun began. NSA did not like our solution because it was too hard to crack, so they “recommended” reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money), we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.

It was a bad outcome for us. And, as we pointed out at the time, because we used hardware and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the product.

What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board.

NSA and its counterpart the National Institute of Science and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government “customers”; on the other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad.

It may seem odd, therefore, that the government is worried about encryption if it is also facilitating its development and export.

We can add to that the known effort by NIST to publish a random number generator for so-called elliptical curve encryption that was found to be buggered. The buggered product found its way into corporate security systems in the US and around the world.

The latest alarm in our government is more a consequence of the embarrassing and dangerous leaks by Edward Snowden than anything directly to do with ISIS. Terrorists have been using encryption for a number of years, and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United States develop and sell a wide range of security products that use encryption. And the “Dark Web” on the Internet is also a source of supply for covert type programs and applications.

My own thought is that the government is trying very hard to cut a deal with Snowden so that he will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know.

Whatever the case, the availability of encryption on a global scale seems to suggest that trying to control it is a futile exercise. But that is what the government is saying. So the question is what can the government actually do to mitigate the situation?

Many in Silicon Valley (and here we are talking about most of the really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes, or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a long time, but it brings with it two risks: either the “security” is so weak as to be meaningless, pushing users to outside solutions, or the backdoor or hole in the system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of escalating exponential cyber attacks on our government and on corporate America, this “solution” is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.

An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly exists today in the form of network sniffers and scanners.

A modified form of the no encryption approach is to allow encryption only on authorized devices that US industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980’s when I dealt with export controls.

The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt their business performance.

The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so called “PRE” benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.

Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners.

I think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement’s job to put them out of business here. And it is the job of the DOD and CIA to shut them down beyond our borders.

Above all else it is vastly important to make America safe, and it is vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese.

Let’s hope we can arrive at a sensible solution to security for America.


11 Cyber Security Suggestions for Political Campaigns

by Stephen Bryen
As we are now in the midst of a Presidential campaign I am offering some free advice on how to keep the playing field as level as possible.  
Today we are deeply immersed in social media, email, texting and the widespread use of all kinds of APPS either to share information or carry out tasks.  Every modern political campaign is going to use all these tools and many more.  So here are suggestions on how to protect yourself.
Suggestion #1.  Do not use web based email, even encrypted web based email.  All web based email passes through servers controlled by the companies who offer the service, sometimes for free (like Google and Yahoo) and sometimes for a fee.  What really matters is that anything that passes through a third party server is a big risk.  Given that folks get pretty spun up over ideological and political issues, even the most security conscious companies can’t really control their employees.  The insider threat is greatest where sensitive information is exposed.  Web based email lives off revenue that is generated by key words that are “read” by machines and the information passed to advertisers or anyone who wants to buy the information.  Thus if I plug in the word “Liberal” as a key word, I will automatically know who the “Liberal” folks are on the email system.  That’s for starters. Then you come to the problem that someone wants to know what a particular campaign is doing, or planning, and plugs in a key word such as a candidate’s name, and then harvests the information.  From this one can deduce who are the active supporters and what they are up to.  From there lots of trouble starts.
Instead of web based email set up your own server and make sure the server is well protected by a firewall and by some form of two step authentication for the users.  Every campaign should have its own server for email and should make sure it is under their full control and carefully monitored.
Suggestion #2.  Do not use Skype, Hangouts or any other “free” service for conferencing.  In fact, don’t use any web based conferencing, even if it is paid.  Set up your own conferencing and your own server.  Listening in on Skype, for example, has been a favorite pastime for NSA, but it is also easily hacked by anyone with technological sophistication.  There is sure to be a big secondary market in intercepted Skype calls, with all kinds of juicy bits either offered up at no cost or bought by desperate candidates, probably using cutouts.  Avoid the problem.
Suggestion #3. Do not use any APP on your cellphone unless you are sure it is clean and safe, and above all don’t use any APPS you get from the Apple Store or Android Play Store. These APPS often steal your information such as your contacts lists or schedule, or report your location.  It is astonishing how many “permissions” APPS ask for that have nothing to do with their functionality.  This is a tip off that the APP comes with an ulterior motive.  To make matters worse, many of the APPS out there in the public are buggered and have malicious code attached to them in the form of malware and spyware. It is very hard to tell what APPS are clean and which are not. Avoid them all.  If you have designed a special APP for campaign use, it is very important to test its integrity and make sure it is not leaking vital information.  And the APP should not be distributed in a public way.
Suggestion #4.  Be careful about cell phone calls, especially if you are in a public area such as an airport, coffee shop, hotel or restaurant.  Today there are lots of cheap IMSI catchers around. An IMSI catcher is a tool that pretends to be a cell tower.  Your cell phone is built to look for the strongest cell phone signal and connect to it.  An IMSI catcher, if it is nearby, will appear to the phone like a strong signal and the phone will connect to that “tower.”  Then the IMSI catcher acts as a man in the middle: it grabs your call and connects you to a legitimate cell tower and then to the person you are connected with through the phone company. Meanwhile the IMSI catcher can record your entire phone conversation.
Suggestion #5.  Avoid public WiFi.  Public WiFi is very dangerous because it is not encrypted in any way.  Whatever you do across a public WiFi connection is easy to intercept. As with the IMSI catcher, it is also common these days for snoops to set up what looks like a public WiFi to snare your connection, even on airplanes or trains.  This means that you are connected through a snooper to the external network and everything you do or say across the WiFi can be picked off. You are far better off using the data connection from the telephone company than using the data connection of a public WiFi.
Suggestion #6.  Consider secure smartphones for communications at the top levels of a campaign.  The best secure phones both encrypt the conversation so that if it is intercepted it can’t be listened to, and protect the phone from malware and spyware.  Be aware that most secure phones work through servers, and the people who run the servers, if they are third party, may or may not be reliable.  Be careful here and consider running your own secure phone server.
Suggestion #7. Train your staff to follow sound cyber security procedures in all their activities.  Training is very important for two reasons: it helps reduce the chance of human error which is one of the biggest sources of security compromise and it makes people alert to intrusions and threats.  Being ready for various threats is very important.  A denial of service attack could close down a campaign because all its messaging and communications could be blocked.  Knowing what to do when that happens and having alternatives in place means your campaign will not be shut down.
Suggestion #8. Vet companies you hire to provide cyber services, checking carefully who their customers are and whom they employ.  The first rule is to ask for a list of a cyber security company’s customers and their employees.  Then hire a private investigations firm to check them carefully.  Outsourcing cyber security support may be very necessary, but it is also risky. One ringer in the bunch and your campaign could be badly compromised.
Suggestion #9. Make sure that all campaign personnel who have social media accounts clean them before they come on board.  Set rules on what is allowed or not allowed during the campaign. People today are very careless about what they post on social media.  People “tweet” before they think, and post before they consider the consequences.  They also give out too much personal information, location information, even family information that might be used by an adversary.  Rules are very important to help mitigate this risk, and monitoring is not only important but probably mandatory.
Suggestion #10.  Keep your most strategic documents, membership lists, and other vital data off line on computers that are not connected to the Internet.  This is the best way to keep your campaign plans safe.  It is also a good idea to encrypt everything, even what is offline.  One of the cottage industries in Washington DC is for cleaning ladies to be accompanied on their late night work by intruders and poachers who download everything they can from office computers.  If the material is encrypted, then it has no value to any intruder.  Be safe; not sorry.
Suggestion #11.  Don’t allow cell phones or tablets in any meeting you have.  Cell phones and tablets are walking time bombs.  Their microphones and cameras can be switched on by spyware and can listen in and record your meetings and conversations.  And if there is a computer in the room, unplug it!  Even when not having a conversation make sure your webcam is unplugged (if you can) or covered if you can’t.
Above all remember that a political campaign is like any other business or organization in that it must be operated in a responsible way.  If your campaign lacks cyber security you are not only hurting your chances for election but you are hurting your cause and bringing potential harm to colleagues and friends.  Cyber security is not only very important in political campaigns; you can’t succeed without it.

Technology and Security Podcast on Itunes

Washington DC, June 26, 2015
For Immediate Release

Technology and Security has launched a new podcast series by the same name.  Episodes will be available at


Users will need iTunes to download the new podcast series.

Look for this cover in iTunes

While having an audio version is somewhat of an experiment for us, there have been enough requests for a podcast series that we decided to go ahead and make the programs available.

Some of the podcasts will be based directly on our well-regarded blog, Technology and Security.  Others will be available only in podcast format.

Technology and Security aims to relate the importance of technology to national security and national power. Recent books by the blog’s author, Dr. Stephen Bryen, include: Essays in Technology, Security and Strategy and the forthcoming Technology Security and National Power: Winners and Losers.

America has long enjoyed being the world’s technology leader.  But in some sectors that is starting to change as American technology increasingly has gone off shore, fueling China’s rapid growth and military expansion, and as other countries have closed the technology gap with the United States.  These changes and shifts represent a challenge for the future, and for the most part America’s guard still remains down.  Should this persist, America will find its ability to maintain its standard of living and safeguard its security increasingly difficult.

Technology and Security explores these issues and more.  Part of the blog’s focus is on cyber security, an area where adversaries are having their way harvesting American technological information and undermining governmental and infrastructural functions.  Technology and Security helps to explain why this is happening and proposes ways to cope with the situation or strengthen the protection of vital computer networks.


The Real Cybercrime

by Stephen Bryen

[A version of this article appeared in the Huffington Post with Rebecca Abrahams]

It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances.  The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers.  Most experts think that the buyer is most likely China, with Russia running a close second.

When a prospective employee applies for a job that requires a security clearance he or she fills out a form called an SF-86 which is called a Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it.  Your friends, colleagues, bosses, neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited including tracking the employee and making sophisticated “phishing” operations possible.  Phishing is a technique where a false email or message can be sent to an employee that, when opened, puts spyware on the employee’s computer.

You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information.  Perish the thought.  Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”

Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.

None of them understand the problem or demonstrate any real willingness to solve it.  All of them have the wrong cart in front of the wrong horse.

The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.

What are those steps?  Most fundamentally there are two: compartmenting information and encrypting it.   For unclassified information which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way.  No they can’t.

NIST has just put out a new directive for contractors.  It is worthless.  Why?  Because it does not require either compartmentalization or encryption.

Compartmentalization means that not everyone can access everything.  It is as simple as that.  It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job.  Properly administered, need to know and compartmentalization protect against any major theft of information, particularly if the data itself is stored in an encrypted format.
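The two steps described above can be shown in a short sketch, added here as an illustration and not taken from the article or from any government system. The compartment names, the grouping of fields, the sample record and the `CompartmentedStore` class are assumptions, and the standard-library encrypt-then-MAC routine stands in for a vetted authenticated cipher.

```python
import hashlib, hmac, json, os

# Constructed grouping of SF-86-style fields into compartments (an assumption).
COMPARTMENTS = {
    "identity": ("name", "date_of_birth"),
    "contacts": ("references", "neighbors"),
    "finances": ("debts",),
}


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one compartment key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with stdlib primitives; a stand-in for a vetted AEAD."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    nonce, ct = body[:16], body[16:]
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class CompartmentedStore:
    def __init__(self):
        # One key per compartment; a real deployment would keep these in a
        # separate key service, not beside the data.
        self.keys = {name: os.urandom(32) for name in COMPARTMENTS}
        self.grants = {}   # user -> set of compartments (need to know)
        self.blobs = {}    # (person_id, compartment) -> ciphertext at rest
        self.audit = []    # (user, person_id, compartment, allowed)

    def grant(self, user, compartment):
        self.grants.setdefault(user, set()).add(compartment)

    def put(self, person_id, record):
        # Split the record so each compartment is encrypted under its own key.
        for name, fields in COMPARTMENTS.items():
            part = {f: record[f] for f in fields if f in record}
            self.blobs[(person_id, name)] = seal(self.keys[name],
                                                 json.dumps(part).encode())

    def read(self, user, person_id, compartment):
        allowed = compartment in self.grants.get(user, set())  # deny by default
        self.audit.append((user, person_id, compartment, allowed))
        if not allowed:
            raise PermissionError(f"{user} has no need to know for {compartment}")
        blob = self.blobs[(person_id, compartment)]
        return json.loads(unseal(self.keys[compartment], blob))

    def exposure(self, user):
        """Compartments that a stolen credential for `user` would open."""
        return sorted(self.grants.get(user, set()))


def demo():
    store = CompartmentedStore()
    store.put("emp-001", {"name": "Jane Example", "date_of_birth": "1980-01-01",
                          "references": ["R. Sample"], "neighbors": ["N. Sample"],
                          "debts": ["constructed loan"]})  # constructed record
    store.grant("benefits_clerk", "identity")
    return store
```

A stolen `benefits_clerk` credential opens only the `identity` compartment, and a copy of `store.blobs` taken without the keys yields ciphertext only.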

081203-N-2147L-390 NORFOLK, Va. (Dec. 3, 2008) Sailors on the watch-floor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Mass Communications Specialist 1st Class Corey Lewis/Released)


The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools.  While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.


Attacks on Religious Institutions is a Global Problem: Is there a solution?

by Stephen Bryen

Church attack in New Delhi


Attacks on religious institutions, churches, schools, community centers and offices, are far from only an American problem, although the United States has had plenty of them.

In our country churches, synagogues, mosques and temples have been attacked and worshippers going to and from these places have been murdered. Whether we are speaking about Christian churches, Catholic churches, Sikh Temples, Mosques or Synagogues, all of them have been hit by terrorists. I strongly prefer the term “terrorist” to racist or anti-Semite because it best describes what we are up against.

Around the world terrorism against religious institutions is rampant. Whether we talk about Pakistan where religious school children are wantonly murdered, or India, or Iraq and Syria we find such atrocities. In Europe there have been attacks on synagogues and churches and murders of citizens for example in France, Belgium and Denmark among many others.

While some of the attacks are clearly by radicalized individuals, others involve state backing or state complicity. In the bombing of the Asociación Mutual Israelita Argentina, which killed 85 people in the building and wounded more than 100 others, there is little doubt, outside of the corrupt politicians of Argentina, that the bombing and murder was accomplished by Iranian operatives, perhaps in a conspiracy with Argentinian politicians or police.

State sponsored attacks are a growing threat. Outfits like al-Qaeda, the Taliban, ISIS and Boko Haram can operate because they are sponsored and supported by nation-states, providing them with equipment, intelligence and even naming targets. Coptic Christians would not be murdered in Egypt without the help of the Moslem Brotherhood, which the Obama administration befriended. Chechen terrorists in Russia have got backing from Saudi Arabia either directly or through religious cutouts.

For Americans the question is how to confront the problem. It is one thing to try and build community support against terrorism and racism, but at the end of the day there isn’t any empirical evidence that this is a sufficient strategy to combat such crimes. In fact it may act as a deterrent to hard headed preventive strategies that are badly needed. But there is one thing the community writ large can be encouraged to do: when they see a threat either because someone says something or writes something or threatens someone, people do need to respond and bring it to the attention of the larger community and make law enforcement aware. Here we can talk about the importance of social responsibility and the need to act against terrorists, racists and anti-Semites.

Most religious institutions in the United States are unprotected. The same is true in other countries. Their doors are open to terrorists and externally their perimeters are easily penetrated by bombers, either on foot or in vehicles. Few have active surveillance or even passive barriers to prevent such attacks.

There is no single technology that can guarantee complete protection against a fanatic or group of fanatics, and particularly against professional killers like the ones in Buenos Aires. Even so, protection helps reduce the frequency of successful attacks, helps to identify the perpetrators, and can save lives.

The most important first step is to understand the nature of the threat and to have critical intelligence if the risk level is high. More importantly, real time intelligence may help identify the person or persons who plan an attack.

It is no secret that a lot of this information can be found on social media. Dylann Roof, the 21-year-old man charged with the murders at the Emanuel A.M.E. Church in Charleston, had a Web page with his outrageous rantings posted since last February. No one paid any attention. Law enforcement can easily track social media, but they need to be more proactive and not only warn about risk but also confront those threatening the community. Had information on Dylann Roof been distributed to churches and synagogues (he hated Blacks and Jews and many others), they would have been on the lookout for him and maybe the tragedy could have been prevented. Just distributing his photos (from his web site) could have alerted the folks at the A.M.E. Church.

This is a far better strategy than opining about gun control. Gun control is not going to stop a fanatic any more than it is going to stop a determined criminal.

Once you have information that is useful, you must implement a proper organization to aid in protecting a religious institution. Technology can help, but without a good organization and equally vital good training, the risk remains.

While some synagogues have put in place perimeter protection because of their exposure to constant threats, and some have hired guards, there is not much in the way of organization or training of lay people. There is even less at churches.

The Department of Homeland Security has provided funds here and there to buy defensive equipment such as surveillance cameras or alarm systems, but the Department has not thought to provide organizational training. Some police departments do make an effort to help, but usually they have to be asked to do so and often they themselves are not trained to provide perimeter protection services.

Unfortunately the ball has mostly been dropped, which is why alleged terrorists like Dylann Roof can operate and why the greater threat of state sponsored terrorist attacks on religious institutions in the United States is not far from us.

Surely we can do better.


Hillary’s Phone and the True Security Risk to the United States

By Stephen Bryen

Larry Klayman’s Judicial Watch has filed a lawsuit in the U.S. District Court for the District of Columbia to obtain the release of documents regarding Hillary Clinton’s efforts to gain approval for use of an iPhone or iPad to conduct official business while she was secretary of state (Judicial Watch, Inc. v. U.S. Department of State (No. 1:15-cv-00646)).  The notion is that no such documents exist –that is, during the time she was Secretary of State Ms. Clinton was allegedly using an iPhone, iPad or both and allegedly never asked for clearance.

Unfortunately there is widespread use of smartphones and tablets by US officials, mostly without permission.  While these are supposedly for private use and not official business (the latter would entail getting an approval), not much has been made of the use of these devices.  But the truth is they constitute a huge security risk for two important reasons: smartphones and tablets are unsafe; officials conduct business on them notwithstanding the risks and in spite of regulations that would require approval to use them.

While the practice no doubt has led to the compromise of sensitive information, most of the time we don’t hear about it.  A foreign intelligence service with access to a senior official’s phone would not want to disclose they were listening in, because that would give away an intelligence gold mine.  We do know, of course, following disclosures by Edward Snowden, that the US on its own and in cooperation with foreign intelligence services such as GCHQ in the United Kingdom and the BND in Germany, routinely spy on the smartphones and tablets of foreign officials.  Indeed, it appears the BND cooperated with NSA in spying even on Chancellor Merkel’s smartphones (over the years at least five of her smartphones were compromised in this way).  Even so, anxious not to come up against her own intelligence services or to lose American support on issues of paramount importance to Germany, Mrs. Merkel has defended the BND and tempered her anger over NSA-led spying in Germany aimed at German officials and corporations.

Nuland’s Phone

With Ukraine in an uproar in 2013, violent protests in the street, Victoria Nuland called Geoffrey Pyatt, the US Ambassador in Kiev. A full transcript of their conversation was leaked to the press.  Here is just one small part of what Nuland and Pyatt had to say:

“Voice thought to be Pyatt’s: I think we’re in play. The Klitschko [Vitaly Klitschko, one of three main opposition leaders] piece is obviously the complicated electron here. Especially the announcement of him as deputy prime minister and you’ve seen some of my notes on the troubles in the marriage right now so we’re trying to get a read really fast on where he is on this stuff. But I think your argument to him, which you’ll need to make, I think that’s the next phone call you want to set up, is exactly the one you made to Yats [Arseniy Yatseniuk, another opposition leader]. And I’m glad you sort of put him on the spot on where he fits in this scenario. And I’m very glad that he said what he said in response.

“Nuland: Good. I don’t think Klitsch should go into the government. I don’t think it’s necessary, I don’t think it’s a good idea.”[1]

Our two genius diplomats, working on an open line, spoke in uncomplimentary terms about Ukrainian leaders.  Nuland and Ambassador Pyatt made it even worse by acting as if they were the decision makers on who would take over leadership in the Ukraine.

It isn’t clear what type of phone, landline or cellular, Pyatt was using, but Nuland’s call seems to have been made on a mobile phone.  Had she called from her office and had Pyatt been in his, they would have used a secure telephone.

As for the wiretap, that was the easiest part.  The Ukrainian telephone system was put there by the Russians before Ukraine became independent.  Its trunk lines pass through Moscow.  While Nuland’s phone conversation could have been leaked by anyone, the Moscow connection seems the most likely source.  The Russians would surely gain from embarrassing the United States.[2]

A Danger to State Department Employees

State Department officials posted overseas are at significant risk using commercial smartphones and tablets.  Most of the time they are on diplomatic assignments with their families, meaning that the already blurry line between “official” business and personal affairs dissolves into nothingness, especially if the host country is unwelcoming or dangerous.  Even assignments to posts in such “safe” places as European capitals are a risk, because there are moles in the local intelligence services and police and because terrorists today use sophisticated intercept tools as part of their arsenal of weapons to track targets. A good example is France, where Islamic radicals exploited social media connections, especially Facebook, to identify targets in the Jewish community. When you think about the families of diplomats using smartphones equipped with accurate GPS, their personal vulnerability is easy to understand.

Who is Responsible?

It is easy to say that public officials are responsible for their behavior, and if they are using smartphones and tablets without government approval, they create a security risk.  But what if they got approval to use these devices from their agency?  Does that make it acceptable?[3]

The truth is that using commercial smartphones by government officials is extraordinarily risky and dangerous.  It means, as already noted, that conversations can be intercepted, contacts identified, and locations pinpointed.

While it is convenient to say that officials are acting improperly, or that agencies have given approval thoughtlessly, it is even more the case that proper security policy is lacking, not just in the State Department, but throughout the US government. The Pentagon and the military, for example, are no better than State, nor is the White House any safer than the Department of Homeland Security.

We are bombarded these days by different cyber plans concocted by the US government, most of which are unmitigated garbage that achieve nothing. If our government just got smart about smartphones it would be a significant achievement.  That our government security experts have failed, and failed dismally, should tell you more than you may want to know about our lack of security and preparedness.


[1] http://www.bbc.com/news/world-europe-26079957

[2] Excerpted from my forthcoming book, Technology Security and National Power: Winners and Losers (Transaction Publishers, 2016).

[3] The Defense Department has recently “approved” three smartphones as “secure,” which is a reckless and unjustified step that enhances the danger of using smartphones and tablets in official business.
