Home » Articles posted by Frank Cilluffo

Author Archives: Frank Cilluffo

A Game of Drones: the implications of the White House breach

Earlier today it was announced that a small drone had landed on the White House lawn, inside the supposedly secure perimeter.  Today’s incident is, unfortunately, the latest in what seems to have been a series of White House security breaches lately.

While little is known about the details at this stage, and while it is likely that the incident in itself did not pose an immediate security risk, it is not premature to point out that the use of unmanned aerial vehicles (UAVs) and unmanned aircraft systems (UAS) domestically do raise significant implications for safety, policy, privacy, and law.

Keep in mind that UAVs serve multiple purposes, both militarily and commercially.  To name a few: they can be used for surveillance and they can carry weapons’ payloads or from a commercial perspective they can be utilized for aerial photography, whether for relators assessing commercial property or farmers monitoring crops or livestock.

That said, it is important to recognize that not all drones are created equal. Clearly, the Predator or Reaper stands in a completely separate class from the UAVs that anybody can buy by the handful at their local convenience store or electronic store. Comparing the two is to liken a BB-gun to an AR-15. In other words, there really is no comparison at all.

Yet it would be wishful thinking to believe that advances in technology will rest ultimately only in the hands of responsible countries like the United States.  The reality is that many other countries are turning to and developing sophisticated UAVs already; and clearly,  terrorist groups are going to be looking at the implications as well.  In fact, the FBI disrupted a terrorist plot by Rezwan Ferdaus to use remote-controlled aircraft armed with explosives to target the Pentagon and U.S Capitol.

Although the White House incident today should not be conflated with the prospect of Predator drones in US airspace, I would hope that US strategists inside and outside government are thinking through the fact that, at some point, sophisticated actors will turn to UAVs for purposes such as surveillance and payload delivery.

In my view, safety is still the number one consideration for now. A drone could take down a plane and, while FAA regulations on the subject may be in development, enforcement of these rules is where the rubber will truly meet the road.

Cheaper oil: time to double down on energy security?

Amidst the torrent of seemingly endless negative geo-political and security events overseas, comes a glimmer of good news…now I am admittedly outside my comfort zone when evaluating commodities such as oil prices, nor am I an economist, but a recent piece by CNN did make me sit up and take notice (and admittedly, smile).

In an article entitled “These countries are getting killed by cheap oil”, Jesse Solomon at CNN maps out the price point per barrel for oil producing countries to balance their budgets.  The article includes a chart that plots the break-even price. For example, at the high end, Iran has oil budgeted at $135 per barrel. Venezuela at $120; Russia $100; and Saudi Arabia $95. Based on their chart, which pegged the price of oil at $83 per barrel, only Kuwait can balance their budget at current prices. It is worth noting that the price of oil fell even further earlier this week, to under $80 a barrel – hitting 3 year lows – before rebounding back to $83.33 when the markets closed on Wednesday.

The implications of cheaper oil undoubtedly have significant geo-political ramifications. Should prices remain at current levels, there will be clear winners and losers. For starters, Russia, Venezuela and Iran will suffer. To what extent and for how long is unclear. But the CNN article cites a former commissioner of the Federal Energy Regulatory Commission (FERC), Branko Terzic: “that depressed prices might bring Russia to the negotiating table over its actions in Ukraine.” Perhaps a bit optimistic, but coupled with sustained US/EU sanctions, it will undoubtedly sting and potentially blunt the impact of the Kremlin’s heavy-handed strategy to use energy as a political weapon.

Moreover, in addition to the countries listed above (and not mentioned in the article) is another big loser: ISIS. As David Cohen, Undersecretary for Terrorism and Financial Intelligence at the Department of Treasury, underscored in a recent speech, ISIS hauls in $1 million per day from oil smuggling and sales on the black market. While it is doubtful that ISIS spends too much time worrying about balancing budgets or maximizing the production of anything other than hate and terrorism, they do have real costs – especially running a terrorist enterprise that spans such vast territory. There are terrorists to feed, train, equip and recruit. In addition to other means of combating their finances and denying them sources of and access to the international financial system and revenue, cheap oil hurts ISIS. Buyers are less likely to purchase oil from ISIS’ criminal networks and risk sanctions – or worse – when cheap oil is available elsewhere. Perhaps a recent alleged help wanted ad placed by ISIS, seeking an ideologically suitable candidate (with a $225,000 salary) to run an oil refinery is an indicator that the heat is on.

On the positive side of the ledger, the beneficiaries of lower oil prices include India, China, the United States, Europe and pretty much every other net importer with a little more money in hand to boost spending and economic growth.

Closer to home, it seems to me that now is a good time to double down on policies and actions to spur energy independence and security. While there is a lot of discussion swirling around about new mandates post-elections, this should be near the top of the list – and it should have bi-partisan appeal — as the solutions will require a combination of approaches ranging from continued exploration and development of domestic energy to increased investment in alternative and renewable forms of energy. After all, in addition to stimulating the American economy and generating jobs, it has the added benefit of shortening the purse strings of the Kremlin and the Ayatollahs. Sounds like a win-win to me.

A barrage of new reports on cyber risks and governance

A number of significant reports and surveys have been released this week pertaining to cyber risk and corporate governance. To help separate the signal from the noise, I have parsed out a few key findings below.

First, on the threat side, the company FireEye has released “APT 28: A Window into Russia’s Cyber Espionage Operations?” This study identifies a range of Russian activities aimed at stealing political and state secrets, rather than financial profit. Of particular note here, as a New York Times piece on the report notes, is the 2009 Russian hacker attack on Kyrgyzstan to pressure the country to remove a U.S. military base.  Given Russia’s demonstrated level of capability and intent, both from a Computer Network Exploit (CNE) and Computer Network Attack (CNA) perspective, the U.S. would do well to inoculate itself against Russia cyber-wise, especially in light of U.S. (and E.U.) sanctions imposed on Russia for its behavior in the conflict with Ukraine. 

Also this week, the Cyber Security Coalition, composed of Novetta and other large private sector companies including Cisco and Microsoft, released a report on Chinese state-sponsored cyber espionage, titled “Operation SMN: Axiom Threat Actor Group Report.” Again, the focus is on CNE: theft of political and military secrets along with intellectual property and industrial espionage. In addition to threat reporting, the Cyber Security Coalition announced “the teaming of security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.”
In other words, enough talk, time to act. Let’s hope this leads others to translate the nouns into verbs and kick-starts an important discussion around “active defense”.

All of this comes on the heels of the reportedly imminent cybersecurity treaty between Russia and China, which generated next to no news, but has significant implications. The pact would pave the way for joint cyber operations between the two countries.

Turning from CNE to corporate governance, Zurich Insurance and Advisen Ltd. released a Special Report this week, titled “Information Security and Cyber Liability Risk Management.” What’s interesting here is the growing recognition among corporate boards of the importance of cybersecurity: “Of the 507 respondents surveyed in August, 64% said their board of directors views cyber risks as a significant threat to their organizations…” At the same time however, the Report finds that “only 62% of respondents…[are] certain that their companies had a breach plan in place…”. And “only 52% have a multidepartmental information security risk management team…”.  For more on corporate governance and the role of boards of directors with respect to oversight and cybersecurity, see my recent op-ed with Governor Tim Pawlenty here. 

Next, there is the Deloitte Survey which “reveals a confidence gap among America’s top executives.” Specifically, the Survey found that “nearly three-quarters (72 percent) of the CXOs who say ‘cyber risk’ is an obstacle growth do not prioritize investments in both technology and incident response.” Not a very comforting juxtaposition.

Also released was the “Cyber Insurance Survey” prepared by Hanover Research, which gauges “insurance industry interest in cyber security and the prevalence of cyber security policies.” Among the key findings: “Less than half (46 percent) of respondent companies currently offer cyber security insurance coverage, but a majority will in the next year”; “Data breaches are considered the most serious cyber risk facing businesses today with 79 percent of insurers offering coverage for data breach expenses”; “Only 18 percent of insurers offer coverage for cyber extortion”; and “Many (40 percent) believe the greatest challenge in selling cyber insurance is that many companies simply don’t think they need it.”

And finally, today The Pew Research Center released a report entitled “Cyber Attacks Likely to Increase” wherein they canvassed a large number of experts who play active roles in Internet evolution as technology builders, researchers, managers, policymakers, marketers, and analysts.

Overall, 1,642 respondents weighed in on the following question:

Major cyber attacks: By 2025, will a major cyber attack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)

Some 61% of these respondents said “yes” that a major attack causing widespread harm would occur by 2025 and 39% said “no.”

Plenty of food for thought here — and it’s only Wednesday.

JPMorgan and cybersecurity: A potential tipping point?

The disclosure late last week of the JPMorgan Chase hack this summer would be just another chapter in the book on cyber intrusions – except for the scope and scale of this breach: roughly two-thirds of households in the United States, meaning 76 million households in addition to 7 million small businesses were affected. Think about it. This means that 2 out of every 3 parents on the sidelines of the soccer field this past weekend will have been impacted. Add to that the ‘Point of Sale’ intrusions of Home Depot and Target (putting 56 and 40 million credit and debit cards respectively at risk) and that pretty much covers the rest.

While we don’t yet know all the facts, it is troubling to think of the apparent implications of this case. After all, as JPMorgan Chase’s chairman and CEO, Jamie Dimon, highlighted in his April letter to shareholders, the company spends over $250 million annually and has approximately 1,000 people focused on cybersecurity. If they remain vulnerable, who can stay safe?

Truth is, it’s all about risk management, and a committed and sophisticated adversary – such as a state actor – will eventually succeed in penetrating its intended target. Sadly there are no silver bullets. But, that’s no reason to be numb, simply throw our hands in the air, shirk all personal responsibility and leave the onus on others to address the problem.

Instead, each of us needs to own this problem. We can all be responsible for implementing basic cyber hygiene. No one expects the soccer moms and dads to go it alone against an advanced persistent threat (APT) – but we should all take the time and effort to do what we can, as well as demand more from those who are in a position to deliver it.

Every hacker has a different motive. Criminals seek to profit. States seek strategic advantage. Whatever the motive at play in the case of JP Morgan, it should encourage each of us to do what we can to keep out cyber intruders.

For some practical steps one can take, ranging from protecting home networks and decreasing the likelihood of becoming a victim of phishing attacks (of particular concern when personally identifiable information has been compromised), visit the National Cyber Security Alliance.

HSPI event today: UNCTED Director on ISIS, foreign fighters, social media & CT

This morning, HSPI is convening a Strategy and Leadership Forum featuring Jean-Paul Laborde who is the Executive Director of the United Nations Security Council Counter-Terrrorism Committee Executive Directorate (CTED).

Mr. Laborde will discuss the conflict in Iraq and Syria; national and international security challenges and emerging threats, including those posed by foreign terrorist fighters; and the role of social media in the context of terrorism and counterterrorism. The discussion will be timely — he joins us in the immediate aftermath of the 69th regular session of the UN General Assembly and the unanimous adoption of Security Council Resolution 2178 condemning violent extremism and underscoring the need to prevent travel, support for foreign terrorist fighters. For more on SCR 2178, see this ABC News explainer.

As further background and context for our conversation today, see our 2010 report on foreign fighter trends, trajectories, and conflict zones, which HSPI produced jointly with the Swedish National Defence College. Also see our 2013 commentaries on the foreign fighter challenge in Syria, published by France’s Fondation pour la Recherche Strategique; and on the role of social media in the context of counterterrorism, published by The National Interest; plus, my 2013 remarks before the UN Security Council’s Counter-Terrorism Committee, on countering use of the Internet for terrorist purposes.

Stark findings in new data breach study

In a report released today, the Ponemon Institute noted that 43% of companies were hit with a data breach resulting in the loss or theft of more than 1,000 records in the last year.

And if that’s not striking enough, consider the report’s further finding: 27% of companies had no response plan and/or team in place in the event of such breach.

Corporate governance, from a cybersecurity perspective, must be a priority. Frankly, it’s disturbing that it isn’t top of mind for everyone already.

Read the full report and also see USA Today’s coverage of it: “43% of companies had a data breach in the past year” — though in my view, the headline buries part of the lede.