
Author Archives: Ronald Marks

Security and the Illusion of Control

Over the past several days, we have seen a series of events that should remind us all that no matter what we poor humans may do to the contrary, there is no such thing as 100 percent security. And to think we have total control over any situation is but an illusion.

The United States and other nations around the world have spent billions of dollars assuring airliner security. We have collectively purchased metal detectors, security guards with weapons, background check capabilities and massive crosschecking multinational computer lists. We have hardened cockpit doors and have established ample personnel screening for pilots. Yet, one man from Germany got around the system and in a suicidal rage killed 150 people by flying into a mountain, snuffing out his pain and their lives in moments.

News reporters and experts tell us it is different in the United States. We have more systems in place for control over pilots. More screenings and sharing of information about pilot mental health. I believe them. We probably do. I hope we do.

Then, I read our White House computer system has been hacked by the Russians. Unclassified, but sensitive, so were these systems described. Still, despite security measures, they gained access to – among other things – the advance copy of the President’s daily schedule. And these same hackers were also behind the State Department hack of a few months back. We know who they are and we are tracking them down, we are told.

And, yesterday, in the quiet Maryland suburbs of DC, a power substation went down. No malice involved. A mechanical failure caused an explosion that tripped circuits. The “tripping” proceeded to take out power in a fair portion of the nation’s capital with lightning speed – including the White House, the FBI, the Capitol, the subway system and a large number of other government buildings in downtown DC. We were even treated to the sight of our First Lady being hustled away from a local blacked-out theater to the safety of the White House – where backup generators no doubt had kicked in.

I offer all these events not as a proof of incompetence or malfeasance – just simple fact. There are many good people trying to protect us from the bad guys every day. But there are many bad guys trying to harm us as well. And, sometimes, things happen like power grids going down.

What I do suggest, however, is we move beyond the illusion of total control in our security efforts. We can and need to manage risk. We can and need to mitigate risk. But we can never get rid of risk – however much we plan, spend or hope.

The Cyber Chicago Way

In the movie, The Untouchables, an irascible longtime Chicago cop played by Sean Connery explains to a naïve Eliot Ness how to get gangster Al Capone. The Sean Connery character says, “You wanna get Capone? Here’s how you get him. He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue! That’s the Chicago way, and that’s how you get Capone!”

I was reminded of that speech the other day listening to Cyber Command head Mike Rogers testifying before the Senate Armed Services Committee. Rogers clearly wants to get tougher on cyber attacks. In fact, he wants vastly increased offensive capabilities – military jargon for hitting back at the attackers. Rogers made it clear, and Senate Armed Services Committee chair Senator John McCain agreed, that defensive toughness was simply not enough. We needed – in Untouchables parlance – to send one of theirs to the morgue.

The anger and impatience are understandable. Cyber attacks have been building in number and intensity over the last few years – beyond DDOS attacks and stealing credit card information by organized crime and LOL’s. The Chinese have been stealing technical secrets with abandon. The Russians have been willing to use disruptive cyber techniques against Ukraine. Iran attacked Saudi computers and destroyed thousands. But, the final straw for America came with North Korea’s shameless show of cyber bullying and attack against Sony Pictures. We did counterattack Pyongyang – or so it seemed. They were small. And it was easy work.

Still, you have to ask the question in the larger whole: what happens if one of the big guys attacks and we do send “one of theirs to the morgue”? Are we prepared to deal with the consequences of a massive counterattack against civilian targets? Do we have detection capability swift and detailed enough to know they are happening and from where?

We should boost our cyber offensive capabilities, no doubt. And, I think a preemptive strike or two might be a reminder of our strength. But, cyber world is not confined to nation-state to nation-state attack. We can barely manage a minimum of coordination between our government and the private sector in cyber world. It is not likely a large nation state like Iran would make any distinctions. In fact, they would sensibly seek out the greatest vulnerabilities. And, for us, that is in the private sector, where about 85 percent of our cyber infrastructure is located.

So, I applaud Brother Rogers for his fortitude. We simply can’t sit around and take it. But, before we send one to the morgue, let’s make sure we can take care not to send one of ours as well.

An Intelligence Cyber Center: A Good Start

It is easy to forget that all success stories usually begin with failure. And, sometimes, they begin with a lot of failures. Anyone looking at America’s space program in the late 1950’s would have seen rockets exploding on launch pads, competing military entities trying to build the rockets and satellites, and a sense of impending doom that the Soviet Union’s ability to do so represented an unstoppable and unspeakable nuclear strike capability against the United States. Yet, out of the chaos, President Eisenhower created NASA and made the Air Force and Intelligence Community coordinate and assemble systems that became the envy of the world. Sometimes, as Mom would say, you simply have to quit talking and begin doing.

The White House announcement of the creation of a Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the Director of National Intelligence may be that moment for the increasingly nettlesome cyber security issue. The mission is a simple one – “fuse intelligence from around the world when a crisis occurs.” In other words, give the USG, law enforcement and the private sector a place to turn to for information and instruction.

Over the last ten years, we have seen an explosion of cyber space. It has gone from an interesting part of our daily personal, business, and government lives to an essential component. But, it is also an inherently insecure one built to share and never built to handle the sheer massive volume of information with which it is dealing. There are four billion citizens in cyber space. And the number keeps on growing.

The US Government’s reaction to the insecurity of this vital new frontier has been fragmented along 20th century bureaucratic lines. The FBI, the Department of Homeland Security, NSA, Commerce Department, State Department, the Defense Department have all been drawn into the operational fray. Coordinating out of the White House has been difficult with each player needing to deal with their own interests and constituencies in the law enforcement, military and private sectors. Information needs are massive, yet quite scattered in collection.

One place where we can gain some centralized order over an issue covering vast swaths of the USG is in the area of intelligence. A good example of this centralization is the National Counterterrorism Center. Created out of the chaos following 9/11, it represents the one-stop shop for coordination of the huge amounts of terrorist threat information received and also a place where long-term trends can be addressed and analyzed. It also represents a place where the IC can reach out to the private sector and law enforcement in a comprehensive manner.

So, before all the bureaucratic sniping begins, and the negative talk of another bureaucracy rings forth, let’s remember that whatever CTIIC turns out to be, at least with regards to sharing and analyzing threats in cyber space, we’ve quit talking and started to do something.

Your Permanent Email Record

My mother was a retired, disabled Army veteran of World War II and Korea. She ran my father’s business and raised two kids. Mom was a loving parent, but brooked little nonsense and even less bad behavior.

To reinforce this message, Mom would often intone the phrase “be careful what you say and do, you don’t want that on your permanent record.” As a child, I imagined a large book somewhere with all my deeds and misdeeds printed in black type. Who knew the permanent record would some day be electronic and called the Internet?

As I have been watching the rollout of more and more emails from Sony Corporation – several of whose executives are not getting any Christmas presents from clients this year – I am amazed at what people put in emails. Somewhere along the line, everyone should be forced to read their emails before they hit the send button. One last stop before stupidity reigns. But what is now dawning on our friends in Hollywood – and one would hope throughout the country – is that email is not safe. And nothing, but nothing, goes away on the Internet.

For those of us who have served in the government or in the legal and financial sectors, we have heard time and again from management and lawyers that email records are “discoverable.” They can be subpoenaed for court and your company can read what you put on the firm’s system.

The 21st Century Internet is the modern, permanent record. Information may be contained on multiple servers around the world. We have mounting problems of leaked information from either insider threats (read: Snowden) or outsider threats (read: North Korea and the like). So let me once again recite the refrain – the Internet was not meant to be secure. It was meant to freely exchange information. And, also, to retrofit the Internet with security is expensive, time consuming and often technically awkward.

Thus, people who use the Internet engage in a form of risk management, like it or not. They say, “I will only spend so much on security because I think that will do the security job.” And so they do. And a fair portion of the time it works though most don’t know exactly how much security they are buying.

However, the bad guys of the world are raising the stakes and we, as a society, need to think about what that means. While I am no fan of government regulation, perhaps it is time to set minimum standards of security for use of the Internet. Still, it is hard to prevent people from saying stupid things.

In the meantime, let me give you another piece of advice from an old spy. Don’t write down anything you can’t “eat” later. A chat in the hallway or a phone call is still a great way of exchanging information. And, please, think about that message next time before you hit send. It could end up on your permanent record.

Kim Jong Un – Film Critic/Cyber Terrorist

A Hollywood screenwriter friend of mine sent me a note a few months back about a new film he thought I’d like. Called “The Interview,” it is a Seth Rogen and James Franco romp about an unlikely pair trying to assassinate North Korean leader Kim Jong Un during a television interview.

Soon after, I read that Pyongyang was upset about the movie calling it an act of war and vowing some form of revenge. A letter was sent in protest to the UN Secretary General about the film. Typical thin-skinned North Koreans, I thought, they’ll surely be off soon to another incident to gin up.

Well, it turns out Kim Jong Un may have a longer attention span than I gave him credit for. And he may be the ultimate film critic, literally trying to destroy the film and the company which produced it, Sony Enterprises. Instead of a thumbs up or down, North Korea may have not only hacked the Sony web site and destroyed Sony computers, but also “advance” released a number of Sony films yet to be premiered. Sony is scrambling to minimize the damage. U.S. law enforcement is being called in to assess the situation. And the self-identified (yet unknown) hackers who perpetrated the event – “The Guardians of Peace” – are posting their pleasure with the results around the net.

As silly as it sounds, this case cuts to the quick on a number of cyber issues we increasingly face as the world continues to wrap the Internet in our daily lives. First of all, while North Korea may have complained bitterly about the movie and is the leading suspect, the attribution of the attack is still unclear. It is easy to hide in the Internet through a maze of servers worldwide. And finding out the actual “who dun’ it” is not an easy job for anyone. Maybe it was disgruntled employees recently fired from Sony. Maybe the North Koreans hired one of the ex-employees? The scenarios can go on ad nauseam.

Second, if it is the North Koreans and their well-known large-scale cyber unit, what is our response going to be? What happens when a nation state attacks a private U.S. firm? Is this simply a matter of law enforcement or is it a threat to our border and national security? If they can do this to Sony, whom else might they choose to attack? And, of course, what is Washington’s response? Diplomatic? Arrest warrants? Counter cyber attacks?

Ultimately, the film will be released shortly to greater fanfare than it might have had otherwise. (Kim forgot the first rule of Hollywood – all publicity is good publicity.) Sony will recover its computer systems and take a tax loss on the released films. And maybe Kim Jong Un will learn to use the Rotten Tomatoes film critic web site to make his protests.

All jokes aside, a full decade into the explosion of the Internet for everyday use, we have trouble with attribution of attack and are still debating government responses to external cyber threats. As we dive into the so-called Internet of Things, where everyone’s day-to-day lives, from their home alarms to their cars, will be dependent on the Internet, Washington needs to do a lot better.

Closing America’s Internet Frontier

By the fall of 1890, the United States Census Bureau proclaimed the end of the American frontier. In essence, all territories in the Western United States beyond the 105th-degree latitude now had population and had been declared settled. In addition to surprising the quarter million Native Americans whose ancestors had lived there for thousands of years, the 1890 census was the first to use a crude system of “punch cards” to tabulate the count. And thus began a new electronic frontier.

With his declaration last week favoring government regulation of the Internet as a “public utility,” President Obama has closed the American Internet frontier. The President, favoring net neutrality and a system of no favoritism for information providers, has also inserted the federal government deeply into the American Internet.

The President’s comments were addressed to the Federal Communications Commission (FCC) as they deal with the possible elimination or “readjustment” of the current policy of Internet neutrality. The FCC was an agency set up in the 1930’s Roosevelt Administration to “regulate interstate communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories.” According to the FCC it “works towards six goals in the areas of: Broadband, competition, broadcast spectrum, the media, public safety and recently added – homeland security.” In the era of cable and satellite, it has become heavily involved in the auctioning of radio spectrum. It is little wonder that the Internet has come under its scrutiny.

The phrase the President used, “public utility,” is a loaded one. Economists would tell you that it is a “public good” that needs to be provided or regulated by the government due to its importance to the population. We live with regulated public utilities every day – your local power company, natural gas, water and sewage being the best examples. Even cable has been subject to a form of public regulation. With that logic, the Obama Administration wants to extend public utility status to the Internet. For a “free industry,” this is going to be a hard sell and a real reversal of its nature.

The Internet business has been mostly unregulated since its founding. In fact, it has rather reveled in its freedom to exchange information across borders freely and with impunity. However, the last decade has seen the Internet move from a place of information exchange to one of vast usage for business and personal commerce. It has equally faced a rise of concern over its use by terrorists – defined by each country in a different way – and increasing security concerns over the vast and vulnerable amounts of valuable information being stolen.

China, Russia, Iran, Brazil and many other countries have made no bones about controlling their Internet for political purposes. Other third world countries want it taxed to make up for revenue loss in other communications areas like telephones and the nearly dead telegraph. Even American states greedily eye the potential taxes gained from Internet commerce.

So, like it or not, with the President’s letter to the FCC declaring the Internet a public utility, we stand at the end of the Internet frontier. The fight now will be over how the newly established territory will be regulated. The time of the Free Internet is over.

No Such Thing as a Free Internet

The great political philosopher and Nobel Prize winning economist, Milton Friedman, once bluntly said, “there’s no such thing as a free lunch.” The aphorism was based on the 19th century bar room practice of offering a free lunch – if you bought drinks. And so, we are seeing mounting evidence that the free Internet is going to become subject to “Milton’s Law.”

One fine example was shown by the protests last week in Hungary over Budapest’s attempt to place a tax on internet interactions. The protestors, who have had relatively cost-free internet since its beginning, were outraged. The government, trying to recover some of the lost revenues from its now languishing telecom services and disappeared telegraph services, was trying to figure out how to squeeze some dollars or florins out of the net.

Hungary is not alone. The users of the Internet around the world are beginning to figure out that the days of free or cheap internet are on their way out. They may live in international cyber world, but the governments of nation states in which they live control the lines and the servers and they see a new source of revenue.

Combined with the general political clampdowns in China, Russia and elsewhere among less freedom loving nations around the world, the “costing” of the Internet is not going away. Even the United States is not immune as the net neutrality issue continues to bubble away and states are finding ways of imposing internet sales taxes. And even the poor old beleaguered news industry is finding ways of charging for “special services.”

So, like it or not, the hippy days of the free internet and open exchange of information are gone. The most social changing invention since Gutenberg’s press is finding out that 19th century logic still rules. Ultimately, there ain’t no such thing as a free lunch.

The Ebola Jet Set

In a recent Vanity Fair magazine, there was an article about the early “Jet Set” who traveled the world on the new Boeing 707 jetliner. In those days, the jet was a miracle knocking off nearly 5 hours of transit time from America to Europe. It was expensive to take and only the rich and glamorous could afford it. People wore their best clothes and were served five course meals, says the author of the article. Oh those were the better days – if you were rich.

As anyone who has flown in the past few years can tell you, that era is but a dream. On the other hand, we can now travel the world in less than 24 hours. The Taj Mahal or Monrovia, Liberia can replace the sight of my cat sitting in my window in front of my desk in McLean, Virginia in a day. A miracle and a problem. Welcome to the age of the Ebola Jet Set.

In this world, people and their problems can also move around in 24 hours. Terrorists can move about with relative ease. We know that and have taken actions to deal with the problem.

But, diseases, like Ebola, can also spread worldwide in a matter of days. So, we have seen in recent weeks that what happens in West Africa can arrive in Dallas, Texas in no time flat. And, thus again, the definition of Homeland Security expands.

Whatever the missed opportunities from the World Health Organization (WHO) and the Centers for Disease Control (CDC) and whatever other health-related initials there are out there, rarely does a small fever stop anyone from traveling. Being prepared to deal with this type of thing is going to take some getting used to by Americans who are already irritated by long and intrusive TSA lines. The Japanese do health screens on the way in to their country. Maybe we need to do the same.

The news media hype and distortion for ratings is not helping inform the public to say the least. And watching the Administration struggle with a response is hardly awe-inspiring. What is really upsetting, however, is after both SARS and H1N1 influenza, our medical establishment is not prepared around the country to deal with mass infectious disease.

Simply put, while international cooperation is nice as is a competent WHO, we need to boost that capability within the U.S. regionally to deal with infectious disease – not just at NIH headquarters in DC. Hospitals and medical centers have not been at the forefront of homeland security efforts and it is now showing.

The early warning reporting system also needs to be strengthened recognizing that people being people do not go wandering into a medical facility unless they think they are sick. The earlier detection among doctors and public awareness is crucial.

So, welcome to the Ebola Jet Set. The nature of travel time today makes it near impossible to stop. And Americans must understand and be prepared as part of our total homeland security effort to deal with it.

Vigilantes and the Internet

One of the many pithy quotes attributed to Mark Twain is that “history does not repeat itself, but it does rhyme.” So, as I sipped my coffee reading the paper this morning, I noticed an article in the Washington Post that reminded me of just that – companies are no longer waiting for law enforcement to deal with hacking. They are “dealing with it” themselves.

Now, if you are from my generation, this conjures up movie visions of the lawless 19th century Wild West where the townsfolk are fighting off the merciless bandits with “vigilance” groups. No law enforcement to be found. The wrong guys, sometimes, get hung. There is always a regretful scene at the bar and someone speaks the awful truth of what happened. Film ends. You go home justified in your safe feeling that the bad old days are gone and we now have reasonably effective law enforcement.

In the 21st century world of the Internet, this vigilance movement strikes me as a very dangerous game. Not only does it appear that private citizens or corporations are taking the law into their own hands, but equally they may not have a clue at whom they are shooting. Even with the most sophisticated tools, it is hard to tell from where a hack is coming. An attack gone awry and hurting some innocent is just not acceptable.

Some people have even suggested the US Government rely on an 18th century concept addressed in the Constitution – letters of marque and reprisal. This quaint practice was essentially used to recruit “sanctioned” pirates to fill out the ranks of navies. Blackbeard was a pirate sanctioned by the British to fight Spain and keep his treasure as reward. The new letters of marque advocates suggest we give companies a right to “counter hack” those who attack them under such an approval system. I can hardly wait to see the Department of Homeland Security and Congress dealing with that concept.

So what does this counter-hacking mean? It means people do not have faith that their government can do its job – protect them in their homes and businesses from Internet predators. Despite well-intentioned efforts by the Federal government, we have yet to fully crack the issue of security on an Internet never built to be secure. The days of open sharing are long gone. The days of security are not yet here.

So, the solutions are hard in coming from a government tangled in privacy laws and the like. Still, a vast majority of Internet security problems boil down to individual cyber hygiene and cyber citizenship. Most hacks come from internal threat (your own people) and/or sloppy security done on the cheap. On the former, speaking as an old spy, this will always be a problem no matter what. Increased internal monitoring is the best you can do.

As for cyber citizenship, you need to change your passwords, be careful how you store them and stop skimping on security. Like it or not, when you get out of bed in the morning, you are engaging in risk management. Am I going to get hit by a truck if I go outside? I’ll take the chance.

What people do when they skimp on security is take a calculated risk – whether they are deliberately calculating it or not. Having weak systems leaves you more vulnerable. Period. Do your job as a cyber citizen and try to decrease your risk with better protection.

The government has shown it can’t be everywhere on the vast and expanding Internet. Ultimately, it is up to us to defend our systems as best we can. However, resorting to the ancient solutions of vigilantism and marques of reprisal is hardly the way of the 21st century. They belong in the movies and the history books. Well thought out and responsible security measures must be the order of the day.

Homeland Insecurity

Reading and watching the news in the last few weeks has required a strong stomach. We are told in breathless news coverage that the deadly Ebola virus is spreading through West Africa and has landed on our shores. ISIS fighters are winning in northern Iraq and will soon be focusing on the American homeland. Our borders are porous and crossed at will. Internet security is a joke. Thank God for a low hurricane season, I can at least bail out to the Weather Channel for some relief – overlooking the droughts brought on by global warming, etc.

We have, I believe, lost our perspective on what truly constitutes a threat to America’s homeland and are telling ourselves ghost stories that are scaring people needlessly. There is no such thing as 100 percent security. The Federal Government can only do so much. But, they do a helluva lot and that is a success story that needs to be told.

I realize that I do not have a “modern” view on these threats. My idea of threats was framed in a time long ago. For nearly 50 years, we had the potential of losing 150 million of our fellow citizens in less than 1 hour. One thousand five hundred intercontinental ballistic missiles with multiple warheads were aimed at America. There were some tetchy moments to say the least yet we survived.

The threats of the post 9/11 world are considerable, but far less existential. And, to its credit, Washington has done a lot since then to strengthen its homeland security with all the problems of trying to cover everything. The coalition of government, business and private citizen exists – in its usual loose American style. But, it does exist.

Since 2001, there have been no mass hijackings or a single hijacking of American planes. With the exception of Boston and Fort Hood, no terrorist has successfully carried out a mass casualty attack. Some of this success was luck. Much of it was due to the flawed, yet large-scale exchange of information between the Federal government, state and local authorities and an enlightened public who get that if they see something, they really should say something.

As for disease control, such as the current Ebola scare, that is going to be tested over the next few months. Still, there are no mass outbreaks in the U.S. We have mechanisms set in place now through our alphabet soup of homeland security at DHS, TSA and CDC that have quickly locked in to address the issue. America’s doctors and hospitals have been made aware of the problem and what needs to be done if spotted.

As for our Internet and “physical” borders, the story is a little less sanguine. We seem to be handed the hack of the day. And our southern border with Mexico is still relatively easy to penetrate. Still, we have lined up considerable resources against both issues. The FBI, CBP, and our nation’s intelligence services are doing their best to collect information, pass it to local authorities and intercede when they are able. Hackers are being caught. Illegal aliens and those who prey upon them are being arrested. Despite it all, our “borders” threat has yet to either close the Internet or stop border traffic between US and Mexico.

The United States is a 3.8 million square mile, 320-million person nation with the largest economy in the world. We are a resilient people who respond to threats and get it right most of the time.

Our Federal Government has done a decent job of organizing us against these threats and getting the people to understand that they exist. However, the media’s constant telling us ghost stories about our imminent doom serves no purpose but to sell “news” and scare people needlessly. I appreciate their efforts at informing and trying to make some money. But, a little perspective is needed.