Washington DC, June 26, 2015
For Immediate Release
Technology and Security has launched a new podcast series by the same name. Episodes will be available at
Users will need iTunes to download the new podcast series.
While having an audio version is somewhat of an experiment for us, there have been enough requests for a podcast series that we decided to go ahead and make the programs available.
Some of the podcasts will be based directly on our well-regarded blog, Technology and Security. Others will be available only in podcast format.
Technology and Security aims to relate the importance of technology to national security and national power. Recent books by the blog’s author, Dr. Stephen Bryen, include Essays in Technology, Security and Strategy and the forthcoming Technology Security and National Power: Winners and Losers.
America has long enjoyed being the world’s technology leader. But in some sectors that is starting to change as American technology increasingly has gone off shore, fueling China’s rapid growth and military expansion, and as other countries have closed the technology gap with the United States. These changes and shifts represent a challenge for the future, and for the most part America’s guard still remains down. Should this persist, America will find its ability to maintain its standard of living and safeguard its security increasingly difficult.
Technology and Security explores these issues and more. Part of the blog’s focus is on cyber security, an area where adversaries are having their way harvesting American technological information and undermining governmental and infrastructural functions. Technology and Security helps to explain why this is happening and proposes ways to cope with the situation or strengthen the protection of vital computer networks.
by Stephen Bryen
[A version of this article appeared in the Huffington Post with Rebecca Abrahams]
It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances. The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers. Most experts think that the buyer is most likely China, with Russia running a close second.
When a prospective employee applies for a job that requires a security clearance he or she fills out a form called an SF-86 which is called a Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it. Your friends, colleagues, bosses, neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited including tracking the employee and making sophisticated “phishing” operations possible. Phishing is a technique where a false email or message can be sent to an employee that, when opened, puts spyware on the employee’s computer.
You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information. Perish the thought. Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”
Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.
None of them understand the problem or demonstrate any real willingness to solve it. All of them have the wrong cart in front of the wrong horse.
The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.
What are those steps? Most fundamentally there are two: compartmenting information and encrypting it. For unclassified information which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way. No they can’t.
NIST has just put out a new directive for contractors. It is worthless. Why? Because it does not require either compartmentalization or encryption.
Compartmentalization means that not everyone can access everything. It is as simple as that. It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job. Properly administered, need to know and compartmentalization protect against any major theft of information, particularly if the data itself is stored in an encrypted format.
The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools. While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.
by Stephen Bryen
Attacks on religious institutions, churches, schools, community centers and offices are far from only an American problem, although the United States has had plenty of them.
In our country churches, synagogues, mosques and temples have been attacked and worshippers going to and from these places have been murdered. Whether we are speaking about Christian churches, Catholic churches, Sikh Temples, Mosques or Synagogues, all of them have been hit by terrorists. I strongly prefer the term “terrorist” to racist or anti-Semite because it best describes what we are up against.
Around the world terrorism against religious institutions is rampant. Whether we talk about Pakistan where religious school children are wantonly murdered, or India, or Iraq and Syria we find such atrocities. In Europe there have been attacks on synagogues and churches and murders of citizens for example in France, Belgium and Denmark among many others.
While some of the attacks are clearly by radicalized individuals, others involve state backing or state complicity. In the bombing of the Asociación Mutual Israelita Argentina, which killed 85 people in the building and wounded more than 100 others, there is little doubt, outside of the corrupt politicians of Argentina, that the bombing and murder was accomplished by Iranian operatives, perhaps in a conspiracy with Argentinian politicians or police.
State sponsored attacks are a growing threat. Outfits like al-Qaeda, the Taliban, ISIS and Boko Haram can operate because they are sponsored and supported by nation-states, providing them with equipment, intelligence and even naming targets. Coptic Christians would not be murdered in Egypt without the help of the Moslem Brotherhood, which the Obama administration befriended. Chechen terrorists in Russia have got backing from Saudi Arabia either directly or through religious cutouts.
For Americans the question is how to confront the problem. It is one thing to try and build community support against terrorism and racism, but at the end of the day there isn’t any empirical evidence that this is a sufficient strategy to combat such crimes. In fact it may act as a deterrent to hard headed preventive strategies that are badly needed. But there is one thing the community writ large can be encouraged to do: when they see a threat either because someone says something or writes something or threatens someone, people do need to respond and bring it to the attention of the larger community and make law enforcement aware. Here we can talk about the importance of social responsibility and the need to act against terrorists, racists and anti-Semites.
Most religious institutions in the United States are unprotected. The same is true in other countries. Their doors are open to terrorists and externally their perimeters are easily penetrated by bombers, either on foot or in vehicles. Few have active surveillance or even passive barriers to prevent such attacks.
There is no single technology that can guarantee complete protection against a fanatic or group of fanatics, and particularly against professional killers like the ones in Buenos Aires. Even so, protection helps reduce the frequency of successful attacks, helps to identify the perpetrators, and can save lives.
The most important first step is to understand the nature of the threat and to have critical intelligence if the risk level is high. More importantly, real time intelligence may help identify the person or persons who plan an attack.
It is no secret that a lot of this information can be found on social media. Dylann Roof, the 21-year-old man charged with the murders at the Emanuel A.M.E. Church in Charleston, had a Web page with his outrageous rantings posted since last February. No one paid any attention. Law enforcement can easily track social media, but they need to be more proactive and not only warn about risk but also confront those threatening the community. Had information on Dylann Roof been distributed to churches and synagogues (he hated Blacks and Jews and many others), they would have been on the lookout for him and maybe the tragedy could have been prevented. Just distributing his photos (from his web site) could have alerted the folks at the A.M.E. Church.
This is a far better strategy than opining about gun control. Gun control is not going to stop a fanatic any more than it is going to stop a determined criminal.
Once you have information that is useful, you must implement a proper organization to aid in protecting a religious institution. Technology can help, but without a good organization and equally vital good training, the risk remains.
While some synagogues have put in place perimeter protection because of their exposure to constant threats, and some have hired guards, there is not much in the way of organization or training of lay people. There is even less at churches.
The Department of Homeland Security has provided funds here and there to buy defensive equipment such as surveillance cameras or alarm systems, but the Department has not thought to provide organizational training. Some police departments do make an effort to help, but usually they have to be asked to do so and often they themselves are not trained to provide perimeter protection services.
Unfortunately the ball has mostly been dropped, which is why alleged terrorists like Dylann Roof can operate and why the greater threat of state sponsored terrorist attacks on religious institutions in the United States is not far from us.
Surely we can do better.
By Stephen Bryen
Larry Klayman’s Judicial Watch has filed a lawsuit in the U.S. District Court for the District of Columbia to obtain the release of documents regarding Hillary Clinton’s efforts to gain approval for use of an iPhone or iPad to conduct official business while she was secretary of state (Judicial Watch, Inc. v. U.S. Department of State (No. 1:15-cv-00646)). The notion is that no such documents exist – that is, during the time she was Secretary of State Ms. Clinton was allegedly using an iPhone, iPad or both and allegedly never asked for clearance.
Unfortunately there is widespread use of smartphones and tablets by US officials, mostly without permission. While these are supposedly for private use and not official business (the latter would entail getting an approval), not much has been made of the use of these devices. But the truth is they constitute a huge security risk for two important reasons: smartphones and tablets are unsafe; officials conduct business on them notwithstanding the risks and in spite of regulations that would require approval to use them.
While the practice no doubt has led to the compromise of sensitive information, most of the time we don’t hear about it. A foreign intelligence service with access to a senior official’s phone would not want to disclose they were listening in, because that would give away an intelligence gold mine. We do know, of course, following disclosures by Edward Snowden, that the US, on its own and in cooperation with foreign intelligence services such as GCHQ in the United Kingdom and the BND in Germany, routinely spies on the smartphones and tablets of foreign officials. Indeed, it appears the BND cooperated with NSA in spying even on Chancellor Merkel’s smartphones (over the years at least five of her smartphones were compromised in this way). Even so, anxious not to come up against her own intelligence services or to lose American support on issues of paramount importance to Germany, Mrs. Merkel has defended the BND and tempered her anger over NSA-led spying in Germany aimed at German officials and corporations.
With Ukraine in an uproar in 2013, violent protests in the street, Victoria Nuland called Geoffrey Pyatt, the US Ambassador in Kiev. A full transcript of their conversation was leaked to the press. Here is just one small part of what Nuland and Pyatt had to say:
“Voice thought to be Pyatt’s: I think we’re in play. The Klitschko [Vitaly Klitschko, one of three main opposition leaders] piece is obviously the complicated electron here. Especially the announcement of him as deputy prime minister and you’ve seen some of my notes on the troubles in the marriage right now so we’re trying to get a read really fast on where he is on this stuff. But I think your argument to him, which you’ll need to make, I think that’s the next phone call you want to set up, is exactly the one you made to Yats [Arseniy Yatseniuk, another opposition leader]. And I’m glad you sort of put him on the spot on where he fits in this scenario. And I’m very glad that he said what he said in response.
“Nuland: Good. I don’t think Klitsch should go into the government. I don’t think it’s necessary, I don’t think it’s a good idea.”
Our two genius diplomats, working on an open line, spoke in uncomplimentary terms about Ukrainian leaders. Nuland and Ambassador Pyatt made it even worse by acting as if they were the decision makers on who would take over leadership in the Ukraine.
It isn’t clear what type of phone, landline or cellular, Pyatt was using, but Nuland’s call seems to have been made on a mobile phone. Had she called from her office and had Pyatt been in his, they would have used a secure telephone.
As for the wiretap, that was the easiest part. The Ukrainian telephone system was put there by the Russians before Ukraine became independent. Its trunk lines pass through Moscow. While Nuland’s phone conversation could have been leaked by anyone, the Moscow connection seems the most likely source. The Russians would surely gain from embarrassing the United States.
A Danger to State Department Employees
State Department officials posted overseas are at significant risk using commercial smartphones and tablets. Most of the time they are on diplomatic assignments with their families, meaning that the already blurry line between “official” business and personal affairs dissolves into nothingness, especially if the host country is unwelcoming or dangerous. Even assignments to posts in such “safe” places as European capitals are a risk, because there are moles in the local intelligence services and police and because terrorists today use sophisticated intercept tools as part of their arsenal of weapons to track targets. A good example is France, where Islamic radicals exploited social media connections, especially Facebook, to identify targets in the Jewish community. When you think about the families of diplomats using smartphones equipped with accurate GPS, their personal vulnerability is easy to understand.
Who is Responsible?
It is easy to say that public officials are responsible for their behavior, and if they are using smartphones and tablets without government approval, they create a security risk. But what if they got approval to use these devices from their agency? Does that make it acceptable?
The truth is that using commercial smartphones by government officials is extraordinarily risky and dangerous. It means, as already noted, that conversations can be intercepted, contacts identified, and locations pinpointed.
While it is convenient to say that officials are acting improperly, or that agencies have given approval thoughtlessly, it is even more the case that proper security policy is lacking, not just in the State Department, but throughout the US government. The Pentagon and the military, for example, are no better than State, nor is the White House any safer than the Department of Homeland Security.
We are bombarded these days by different cyber plans concocted by the US government, most of which are unmitigated garbage that achieve nothing. If our government just got smart about smartphones it would be a significant achievement. That our government security experts have failed, and failed dismally, should tell you more than you may want to know about our lack of security and preparedness.
 Excerpted from my forthcoming book, Technology Security and National Power: Winners and Losers (Transaction Publishers, 2016).
 The Defense Department has recently “approved” three smartphones as “secure,” which is a reckless and unjustified step that enhances the danger of using smartphones and tablets in official business.
by Stephen Bryen
founder and former head of the Defense Technology Security Administration
I have been writing about cyber security for many years. I believe I have some credibility in this field. I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense. I also started and ran two cyber security companies, one in the 1990’s called SECOM which was the world’s first secure chat program, and currently Ziklag Systems which markets secure mobile smartphones. Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America. My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks. And I have found it shocking that no one seems to know what to do about the menace.
Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.
Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks. Nothing is safe. Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.
The reason for that is easy to see. All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world. Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart. It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.
Add to this tremendous weakness the problem of SCADA systems. SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems. There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide. Once again, both the hardware and software for SCADA are accessible to foreign regimes and terrorists as well as other rogue actors. It is the SCADA that was the center of the attack on Iran’s uranium enrichment centrifuges, where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb. What was done with the Stuxnet worm to damage Iran’s nuclear program likewise can happen to us.
Patching computer operating systems and fixing SCADA software won’t work. This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems. If patches worked, they would save us from attack. But the plain fact is that they may help a little but not enough to stop a determined and resourceful adversary.
China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems they won’t share with us. We should take a clue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.
Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems. It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.
Above all we need a policy based on “win win,” not on hopes and fictions that we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.