Tuesday, May 10, 2016

Cyberwarfare Goes Mainstream

James D McFarlin

After years of operating in the shadows, cyber weapons are making their presence known in conflicts across the globe.

An NSA-provided map of the United States depicts more than 600 cyberattacks from China over the past five years, making the nation look like a well-hit target from the shooting range.

On December 23, 2015, presumably Russian-led cyberattacks against Ukraine's electric grid took out power to 230,000 citizens in the dead of winter.

The U.S. Navy is concerned enough about China's aggressive moves in the South China Sea to resume training its sailors in navigation using the sextant after a 25-year absence, all in case Chinese-led cyberattacks disable shipboard digital navigation systems.

What is going on here?

Offensive cyberweapons have become increasingly recognized as a must-have capability for protecting and advancing national interests. The result, according to a recent report in The Wall Street Journal, is a "near-frantic and destabilizing global digital arms race" with more than two dozen countries actively building their cyber caches.

Iran's cyber strategies are of particular concern. Whether it be the destruction of some 30,000 Saudi Arabian national oil company computers, which came close to bringing the organization to collapse, continuing attacks against U.S. online banking networks or, most recently, the breaching of the Bowman Avenue Dam in New York, Iran makes little secret of its cyber reach or ambitions.

As stated recently in the Financial Times, Iran's cyber capabilities have matured from just one more option in their toolkit to a strategic military capability for projecting power. Iran, the article states, is "poised to do something with cyber that will change the way the world looks at it."

How are these escalating global cybersecurity risks going to play out? We don't know. But we do know there is little sense of urgency and even less tangible U.S. strategy to deal with such imminent threats.

In recent U.S. Senate testimony, asked if he were concerned enough about potential cyber grid attacks to categorize them as acts of war, Lt. Gen. Vincent Stewart replied that if the military had a "much fuller definition of the range of threats in cyberspace it could then begin thinking (emphasis mine) about such consequences."

Homeland Security secretary Jeh Johnson stated his lack of concern when quoted in Ted Koppel's book "Lights Out" as saying that he just doesn't believe such (cyber) attacks will happen.

With this level of denial in full force, the next depiction of attacks against the United States may well be that of a tattered, empty shell, hollowed out from sea to shining sea.

Thursday, April 21, 2016

A New Paradigm in Cybersecurity

James McFarlin

The vast majority of networks and applications powering American businesses, government agencies and military services are aging legacy systems in which security was not a primary design criterion - perhaps not a criterion at all.

The massive worldwide growth of the Internet and the security risks which accompany this global net mean that we are now paying the price for this design omission.

Cybersecurity for these legacy systems is largely 'bolted on,' an arrangement which provides security ranging from marginally adequate to nonexistent - think the massive Office of Personnel Management (OPM) personnel information misappropriation and Sony Pictures Entertainment theft, system destruction and threats of extortion.

But technology is not the only force in cyber secure operations. Misdirected or lacking executive oversight is a major factor. A recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility, found that while chief information security officers are spending more time in front of boards, information exchange is too often truncated by both the lack of cyber knowledge among board members and the communication ineffectiveness on the part of the technical officers.

The study found the "inability of technical officers to quantify and convey the actual impact of a breach," which limits its importance to the C-suite executives making decisions on cybersecurity budgets and staffing.

Accountancy and consulting firm Deloitte believes the issue to be even deeper. With cybersecurity now affecting virtually all aspects of the organization, "increased focus must be given to addressing a cultural change in the organization." In this new paradigm, "An integrated risk philosophy is mandatory, where cyber risk management and technology must be on an equal footing."

Some organizations, however, have begun to define cybersecurity as a risk management function, thus forcing cyber risks to be viewed in business terms. For many, this is a major transformation which will not come easily.

How long will such alterations take? Cultural change is difficult. But the reality of today's world means cyber breaches will deliver not only financial costs, but risks in customer retention, potential damage to reputation, brands, and in some cases, interruption of business operations.

Addressed in this view, implementing a mindset which incorporates a paradigm shift in organization thinking has become essential and, increasingly, urgent.

A recent cybersecurity assessment from accountancy EY placed the issue in perspective, advising that, in cybersecurity, "High alert must be your constant state."

Monday, November 16, 2015

Paris Attacks Tighten US Cyber Options

James McFarlin

The drums of war are sounding closer.

The barbaric ISIS Paris attacks of November 13th, preceded by the bombings in Lebanon and the takedown of the Russian airliner over Egypt, on top of more than 770 reported ISIS terrorist attacks from 2013 to the present, are the latest acts aimed at destabilizing and ultimately destroying Western civilization.

More attacks are coming. A US security official remarked today that Paris was certainly "not the only action in the ISIS pipeline." In confirmation of that belief, a video released by Islamic State threatens attacks against Germany, London, Washington DC and other US cities.

America faces threats from 'lone wolf' Islamic extremists and - coming soon - threats from attackers arriving in the waves of Syrian refugees scheduled to hit the nation's shores.

But such threats are dwarfed by the potential damage and massive loss of life from cyberattacks against US power and other critical national infrastructure targets.

There is a growing consensus that ISIS cyber threats to the US are increasing and becoming more immediate. Admiral Michael Rogers, director of the National Security Agency and US Cyber Command, believes such attacks are "much more a matter of 'when' rather than 'if'" during his time in command.

ISIS has been widely recognized for its social media prowess in recruiting, radicalization, training and fundraising. But those actions are just the beginning. John Cohen, a former counter-terrorism coordinator at the Department of Homeland Security, believes that "It is only a matter of time until we start seeing ISIS-type organizations using cyber warfare techniques in a more expanded way."

And with America's near-total dependence on computer networks, it has much more at risk than many other nations, and certainly more than extremist groups, which have little to lose.

What is the US to do to deter such actions? Based on the success of cyberattacks throughout the breadth of America's institutions, from banks and retailers to defense contractors and government agencies, it is evident that existing cyber defense capabilities are not adequately effective.

In a sign of recognition that defensive measures must be supplanted or supported by more aggressive tactics, the US has recently accelerated its move toward increasing its offensive cyber weapons capabilities.

But more than a battle of technologies, cyber defenses are evolving into a battle of wills. With the exception of its Stuxnet computer virus targeting Iran's nuclear program, the US has been reluctant to deploy offensive cyber weapons, citing the possibility of such actions triggering counterattacks.

During such indecision, the risks mount. And for America's future, they are huge. Let's hope it does not take a cyber-9/11 attack to trigger America's resolve to deploy offensive cyber weapons to prevent what can be a major calamity.

Wednesday, October 21, 2015

Smaller Businesses Under Increasing Cyberattack

The latest data breach investigations study by Verizon showed that 71% of breaches occurred in businesses with fewer than 100 employees.

Ensuring data security for smaller firms is increasingly a game of 'risk and consequences.' Cyber criminals want personal and financial data and will strike when they want and how they want to get it. The most common consequences for small firms are financial loss, customer disruption and extensive recovery efforts.

Cybercriminals will take customer or financial records, donor or client information and proprietary business information critical to the success of the business.

Their goal may be schemes such as data theft, extorting payment for returning a computing network to a working state or submitting fake invoices for payment.

The question for many businesses is what to do about these threats. Turning the problem over to IT does not solve the problem. Cybersecurity is a team sport involving technicians, management and employees.

The largest proportion of data breaches occurs because employees are either not following established data security procedures or lack such procedures to follow. Both of these vulnerabilities are addressable.

Steps as basic as providing employee training can limit cyber risks substantially. Excellent training courses are available via the Homeland Security website, where vendors such as SANS Institute offer their products.

Training will not be enough to tame cybersecurity exposure unless security becomes part of the culture of the organization, i.e., "This is how we do business."

Risk and consequences. Limit the former or expect the latter.

Saturday, July 18, 2015

Cyberattacks Have Consequences

James McFarlin

Whether it involves the Office of Personnel Management, the IRS or Department of the Navy, few days go by without news of new cyberattacks against the United States.

Perhaps because there are few examples, little is said about the consequences to the assailants from such attacks.

The Preface of "Aftershock, A Novel" previews a possible scenario of consequences which occur at the highest levels when cyberattack response spins out of control. In today's ever-present cyber-threat environment, this description is worth reading, particularly the foreshadowing presented in the final paragraph. An adaptation:

The early rays of the weak winter sun have yet to seep through the dense morning fog as the first attacks strike San Francisco.

     Power is the first to go, stilling electrical equipment and draping the city in a carpet of darkness. Electric Muni buses stall in the streets. Lacking control signals with which to operate, Southern Pacific trains sit motionless on their tracks. The Bank of America tower, Transamerica Pyramid and other skyscrapers hang over the city like shadowed spires, towering monuments from an age past.

     Attempts to use smart phones yield only the wailing cadence of circuits-busy signals. Land lines, cable and Internet transmissions have vanished as though they never existed, reducing television and computer screens to blank, darkened slates of glass. Only battery-powered devices cling on to their electronic lives, although without connection. It is a world where Internet connections no longer exist.

     Anxious residents cluster in small groups in the streets outside their homes, hands stuffed in jacket pockets for warmth. As to whether they had experienced an earthquake - they thought not. Nor were there claims of having heard explosions. Many clutch laptops, iPads and smart phones, anxiously searching for answers. But answers were not to come.

     The absence of sound envelops them like a cloak. Conversations turn from nervous banter to speculation, whispers of possibilities, but to no result except to feed a spreading dread of events imagined but not known, growing fears felt but not spoken.

     Residents toss personal belongings into their vehicles and rush to leave the city, only to find bridges and arteries out of San Francisco barricaded by armed squads of National Guardsmen. 

     Growing anxieties are fueled by the sounds of military helicopters and accompanying drones clawing their way over the city like massive birds of prey. Something big, something bad, is happening in the City by the Bay.

     As residents recoil from the shock of the morning's events, 3,000 miles away in the nation's capital an aftershock of infinitely greater magnitude threatens to trigger massive worldwide repercussions in the days to come.

Monday, July 6, 2015

Exploring America's Lack of Cyber Strategy

James McFarlin

The emperor's clothes are coming off. A series of high-profile cyberattacks against government agencies is laying bare the true seriousness of the internal weaknesses in America's cyber preparedness.

And the world is watching the undressing. Articles and commentary, from traditional print media to professional journals and blogs, are increasingly critical of not only America's cyber weaknesses but its lack of seriousness in addressing the issue.

The recent Wall Street Journal article "We're Losing the Cyber War" addresses years of Obama administration passivity in the face of repeated digital attacks. The Office of Personnel Management attack, in which 18 million or more federal employee employment records, including security clearances, were stolen, is a case in point. While the data loss is calamitous in its own right, the lack of responsibility shown by the agency's management can only be viewed as arrogant.

OPM director Katherine Archuleta, in a Senate hearing investigating this loss, stated "I don't believe anyone is personally responsible. If there is anyone to blame it is the perpetrators." This display of self-defiance was offered with a straight face in spite of the fact that the OPM Inspector General's office had warned the agency for more than three years of its widespread cyber defense weakness, warnings that largely went unheeded.

Perhaps feeling pressured by this attack as well as network breaches in the Internal Revenue Service, Department of State, US Army, and others, the White House then issued a directive for agencies to plug their gaping holes in cybersecurity. A 30-day "cyber sprint" was initiated, in which agencies were ordered to shore up their defenses. This in spite of the fact that they had largely failed to do so for years.

At least two thoughts come to mind here. The first is the absolute naivete of this exercise, which has been described as everything from a smokescreen to hype to a Hail Mary. The second: Where have these priorities been? House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) stated "The cyber race started fifteen years ago," and that this action was "coming too late" to be effective.

We face a serious national security threat from the cyber realm. When will this be taken seriously? Lee Hamilton, co-author of the 9/11 Commission Report, perhaps stated our problem best. In an update to that report issued on September 11, 2014, he said: "One of the problems in 9/11 was the lack of imagination of the terrorist threat facing us. Let's not make that same mistake in the cyber realm."

Seems as though we did that undressing some time ago.

Friday, June 26, 2015

OPM Data Breach Symptomatic of US Cyber Weaknesses

James D. McFarlin

The list of recent breaches of U.S. government agencies is long and includes organizations such as the Department of Defense, US Army, Securities and Exchange Commission, Postal Service, IRS, even the White House.

Reported reasons for the success of these breaches vary but follow repeatable patterns which include unheeded warnings, antiquated legacy software, management denial, lack of accountability and lax cybersecurity operating procedures.

Protecting critical data such as taxpayer records should be a primary priority. Yet in the IRS - which recently had more than 100,000 personal tax returns stolen - employees have been allowed to follow weak security practices, including using passwords such as "password."

Einstein, the Department of Homeland Security cyber defense system, over a decade and $529 million in the making, has been ineffective in stopping breaches and is already considered outdated technology, according to former DHS lawyer Gus Coldebella.

The government agency cybersecurity failures are widespread. According to Sen. John Boozman (R., Ark.) at a recent hearing, "Office of Personnel Management is just the most recent example of the government's systemic failure to protect itself."

The OPM breach, in which at least 18 million personnel records of former and current government employees, including their security clearance applications, were stolen, is a prime example of cyber security gone missing.

According to the New York Times, the OPM inspector general has issued warnings to the agency since 2010 over its lax cybersecurity, even describing the organization's computer security as a "Chinese hacker's dream."

But in a stunning display of bravado, OPM director Katherine Archuleta declined to take any responsibility for the breaches, instead laying the blame totally on China. In spite of calls by congressional committee members for her dismissal, Obama stood behind her, making it clear her job was secure no matter what.

Retired Gen. Michael Hayden, who served both as director of the CIA and of the National Security Agency, knows a thing or two about cybersecurity. Hayden recently said this about the OPM breach: "This is not shame on China. This is shame on us for not protecting that kind of information. This is a tremendously big deal. And my deepest emotion is embarrassment."

In a typical 'lead from behind' response, on June 12th the White House directed all federal agencies to take a series of swift measures to "lock down" government systems against cyberattack. U.S. chief information officer Tony Scott even launched what he is calling a "30-day cybersecurity sprint."

To comply with this directive, agencies will reportedly be undertaking steps that many - including OPM chief Archuleta - have said have not been possible over even a period of years. Such efforts, besides being ludicrous at their very core, are merely more administration window dressing and doomed to failure.

Until cybersecurity is taken seriously by this administration, the embarrassment expressed by Gen. Hayden will continue for us all. Except those in the White House, of course, where deniability and lack of accountability reign supreme.