Critical Lack of Trained Experts To Meet Cybersecurity Threat


Image:  Villanova University

“THE DENVER POST”

“Today there are more than 120,000 unfilled cybersecurity positions.

A figure greater than the number currently employed.

Months have passed since the FBI took aim at encryption in the case of the San Bernardino shooter’s iPhone. Once the dust settled, our country began to take a different look at the dangers of unprotected data.

A series of incidents has revealed alarming vulnerabilities in our digital defenses. In the worst of these, we’ve seen a foreign power seek to influence our presidential election through the breach of voter registration databases in Illinois and Arizona, and the theft of sensitive information from national party headquarters. These pose a grave threat to our democracy.

Forty-four years ago, our country suffered through turmoil after a similar break-in at the Democratic National Committee’s headquarters at the Watergate complex in Washington, D.C. Now we face the humiliation of revisiting the same crime, but this time perpetrated online by foreign state actors seeking to undermine public confidence in our elections.

We clearly need to bolster our defenses to maintain the integrity of the electoral process. Companies across the nation must also protect themselves from attackers that exploit security weaknesses. These challenges can only be met by first addressing the critical shortage of cybersecurity experts.

Watching the FBI stumble through the encryption debate opened our eyes to the severity of this shortage. Most of the agency’s struggles could have been avoided with personnel trained in the right forensics procedures. Focusing instead on requiring companies to compromise encryption security indicated that a different type of expertise was needed.

The FBI isn’t alone. Breaches at hospitals, retailers and in our own government have shown the dangers of ignoring this threat. Accordingly, the demand for cybersecurity professionals has skyrocketed, particularly since people with these skills are in very short supply.

High salaries are offered to lure these experts. The national average exceeds $93,000, according to the Bureau of Labor Statistics, and in Denver that figure is $98,590. Unfortunately, generous compensation hasn’t come close to attracting the number of applicants needed.

The problem is that our schools aren’t providing necessary education. Only one in eight high schools teach AP computer science. Few universities offer cybersecurity coursework and many graduates face difficulty transitioning into this workforce.

Some companies scramble to plug staffing holes with offshore contractors. That won’t work for critical infrastructure jobs requiring security clearance for which only American citizens qualify.

Our government’s battle against encryption technology was a distraction from more pressing challenges. Instead of fighting U.S. companies in the courtroom, we should be developing talent in the classroom to fight cyber attacks from abroad.

Colorado has taken the lead in this area. Our state has established the National Cybersecurity Center in Colorado Springs, and the Denver area has emerged as a hub for cybersecurity companies. Specialized training facilities have been a key factor in this growth.

The steps we are taking locally offer promise for the future, but the global stakes are immense. Russia-based attackers have already shut down Estonia’s banking system and Ukraine’s electrical grid.

While these events were temporary disruptions, they may have been the proving ground for much larger attacks. Future wars will be waged first in cyberspace where key infrastructure is disabled to aid kinetic, on-the-ground assaults.

The recent cyberattacks against our country demonstrate the grave danger posed by hostile foreign powers. Our country has the ability to combat these threats, but we must allocate resources where urgently needed. Prioritizing skills education — from grade school to job retraining — is essential to build the cybersecurity defenses we need. Only through investment in these capabilities can we be prepared to meet the challenges before us.”

Amid growing U.S. cybersecurity threat, a critical lack of trained experts

Fed Year-End Spending Spree Needs to Change


EDITOR’S NOTE: We have often discussed the inefficient one-year budget cycle of the US Government and recommend changes. The One Year Budget Cycle Must Go. Robert F. Hale was comptroller and chief financial officer at the Defense Department from 2009 until 2014. As you will see in his opinion below, he heartily agrees.

Robert Hale



“BREAKING DEFENSE”

“WHY DOD’s YEAR-END SPENDING NEEDS TO CHANGE”

“As the end of the fiscal year approaches at the Department of Defense (DoD), organizations are working hard to spend all the funds which are available for use only during the current fiscal year.

The pithy rationale for these actions: “Use it or lose it.”

We need to find practical ways to apply the brakes to year-end spending so that DoD funds only its highest-priority needs.

DoD spending spikes sharply during the final week of the fiscal year.  (To be technically correct, by “spending” I am referring to entering into contracts or otherwise obligating funds.) In a 2010 report researchers from Harvard and Stanford Universities showed that, based on data for the years 2004 to 2009, final-week spending at DoD was more than four times higher than the average weekly spending during the rest of the year.  Similar trends occurred at other federal agencies.

The spike doesn’t necessarily mean that year-end funds are wasted.  Many year-end funds buy construction-related goods and services, office equipment, and IT equipment and services. These items are needed, but they do not directly support the most critical DoD mission needs, such as training and military readiness.  Moreover, research on federal IT spending suggests that final-week purchases are of lower quality than those made during the rest of the year, and I suspect the same finding applies to other categories of spending.  The surge in spending may also lead overworked contracting officers to push out lower-quality contracts.

Making operating funds available only for one year works against good resource allocation in another way. Resource managers must estimate forthcoming bills for services in the final month of the fiscal year (for example, final bills for electricity and water) and obligate the funds before year’s end. They have to estimate on the high side because, if their estimate is low, they risk violating the federal anti-deficiency laws. High estimates for routine services leave fewer funds available for mission-critical activities such as training and readiness.

Year-end spending worries federal employees, and it should worry taxpayers too.  For several years the Obama Administration conducted a SAVE campaign (Securing Americans’ Value and Efficiency), which asked federal employees to suggest ways to make government more efficient. In my role as DoD comptroller, I reviewed suggestions related to DoD. I was struck by how many employees urged that year-end spending be reduced. A 2007 survey of DoD financial management and contracting professionals showed the same result. Almost all respondents expressed concerns about year-end spending.

The law already has some provisions designed to avoid year-end spending spikes.  For example, only 20 percent of major operating budgets are supposed to be spent during the final two months of the fiscal year. But this provision still leaves room for final-week spikes.

Congress could help by passing DoD appropriations on time – that is, by October 1.  Late appropriations push even more spending toward the end of the year and may exacerbate year-end spending. Unfortunately, Congress has not provided DoD with an on-time appropriation during any of the Obama years, and it will apparently not do so again this year.

But Congress can help by permitting DoD to carry over a small percentage of its operating budgets (perhaps 5 percent) into the next fiscal year. This flexibility would not increase the total funds available to DoD. However, for funds eligible for carry over, managers could decide whether to buy that office furniture for the headquarters at the end of the year or wait and let other needs compete for the funds next year. There is some evidence that carry-over authority helps. Our Harvard and Stanford researchers found that, at one federal agency that had such authority (the Department of Justice), final-week spending spikes were much smaller.

While serving as DoD’s comptroller, I tried to persuade Congress to permit the Department to carry over small amounts of its operating funding into the next fiscal year.  I made a few converts, but not enough to make it happen.

The next administration should try again to secure carry-over authority.”

Why DoD’s Year-End Spending Needs to Change

VA Buying System Archaic & Improvement Slow


“FCW”

GAO Report: Ordering interface looks like something from when people “first started using computers.”

The report describes the VA procurement policy framework as being “outdated and fragmented,” with different procurement regulations covering different parts of the agency. Revisions and standardization of the VA’s overarching procurement regulation aren’t due until 2018.

The Department of Veterans Affairs embarked on an update of its fragmented, overlapping and out-of-date procurement system in 2011. Capitol Hill critics say implementation could be going faster.

“Companies doing business with the VA don’t know what the rules are, and even the VA contracting officers get confused,” said Rep. Mike Coffman (R-Colo.) at a Sept. 20 House Veterans Affairs Committee hearing.

Rep. Ann Kuster (D-N.H.) said the way the system works right now is “unacceptable” and that she will be “anxiously waiting” any updates to the system.

Greg Giddens, VA’s executive director for acquisition, logistics and construction, said the agency has “strategies in place that align with GAO’s recommendations” in most areas of oversight concern.

Acting Chief Procurement and Logistics Officer Rick Lemmon said the agency is in the process of developing and launching a new Windows-based ordering interface, to replace the aging, text-based legacy system in fiscal year 2017. The current VA system is integrated with the agency’s homegrown VistA health record system, and is coded using the legacy MUMPS computer language.

Giddens noted that VA is in the midst of a financial management IT initiative, and launching plans for a digital healthcare platform. Both of these efforts “will impact legacy and contemporary supply-chain systems and interfaces, as well as influence system-improvement alternatives and investment decisions over the next two to five years,” he said.”

https://fcw.com/articles/2016/09/21/va-procurement-oversight.aspx?admgarea=TC_Management

 

Federal Cyber Incidents Up 1,300% In 10 Years


“WASHINGTON POST”

“The number of cyber incidents reported by federal agencies jumped more than 1,300 percent, from 5,503 to 77,183, over the 10 years through fiscal 2015.

This is not just a theoretical warning.

Federal information security has been on the high-risk list of the Government Accountability Office (GAO) since 1997, and the situation has only grown worse.

These statistics, at once sobering and alarming, were included in a GAO report presented to the President’s Commission on Enhancing National Cybersecurity this week. The report was in the form of a statement from Gregory C. Wilshusen, the GAO’s director of information security issues.

“Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving their implementation of information security controls,” Wilshusen said. “These recommendations identify actions for agencies to take in protecting their information and systems. For example, we have made recommendations for agencies to correct weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources. … However, many agencies continue to have weaknesses in implementing these controls, in part because many of these recommendations remain unimplemented. As of September 16, 2016, about 1,000 of our information security–related recommendations have not been implemented.”

Ineffective cyberprotection “can result in significant risk to a broad array of government operations and assets,” he added.

Press secretary Jamal Brown of the Office of Management and Budget (OMB) responded by saying that “cybersecurity is one of the most important challenges we face as a nation. Over the last nearly eight years, federal agencies have made significant progress in strengthening their overall cybersecurity posture. Yet, as cyber threats continue to evolve and grow, we must remain vigilant in our efforts to combat them.”

Among those efforts was release of a first-ever cybersecurity workforce strategy and implementation of the Cybersecurity National Action Plan, which established the commission that heard Wilshusen’s statement.

“GAO’s recommendations to the commission are important and welcomed,” Brown said.

These examples from Wilshusen show how broad that array can be: “Sensitive information, such as intellectual property and national security data, and personally identifiable information, such as taxpayer data, Social Security records, and medical records, could be inappropriately added to, deleted, read, copied, disclosed, or modified for purposes such as espionage, identity theft, or other types of crime.”

In June 2014, the Office of Personnel Management announced that personal information, including Social Security numbers, belonging to 22 million federal employees and others had been hacked. That is the largest announced cybertheft but far from the only one. The private sector also has been repeatedly hit by cyberthieves.

“These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives,” Wilshusen said. “For example, advanced persistent threats — where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives — pose increasing risks.”

In a March report to Congress, the OMB linked the rising number of cybersecurity incidents to “an increase in total information security events and agencies’ enhanced capabilities to identify, detect, manage, respond to, and recover from these incidents.”

Although the report indicates that about 40 percent of the GAO’s recommendations have not been implemented at any one time, in an interview, Wilshusen said the government’s long-term record is significantly better. Within four years, 88 percent to 90 percent of the recommendations are followed, he said by phone. “Over time,” he added, “the agencies do a pretty good job of implementing our recommendations.”

The GAO offered several recommendations, including strengthening oversight of government contractors that provide information-technology services. That was a lesson learned the hard way through the OPM breach.  In 2014, the GAO found that five of six selected agencies “were inconsistent” in their oversight of contractor cyber controls.”

https://www.washingtonpost.com/news/powerpost/wp/2016/09/22/federal-cyber-incidents-jump-1300-in-10-years/?utm_campaign=EBB%209.23.16&utm_medium=email&utm_source=Sailthru

 

Federal Agencies Challenged in Attracting Tech Startups


“NATIONAL DEFENSE MAGAZINE”

“Entrepreneurs and innovators in commercial industry are just as patriotic as those who work in the traditional defense industry. They’re not comfortable on the long lead time and very long development cycles.

They are not comfortable inside the Federal Acquisition Regulations.

Startup companies and young entrepreneurs were largely absent from the Air Force Association’s air, space and cyber conference this week, an issue that came to a head Sept. 21 during a discussion among the Air Force’s top officers.

To speed the acquisition of commercial technologies and bring new companies into the fold, Defense Department leaders have been reaching out to firms in technology hubs such as Silicon Valley, Boston and Austin. But the AFA conference in National Harbor, Maryland, one of the most prominent annual defense industry expositions, was dominated by traditional contractors that have been doing business with the Pentagon for decades.

A panel of four-star and three-star general officers was asked by an audience member about the notable absence of the non-traditional companies that defense officials have been courting.

“Why would you expect to see a millennial at the opera?” said Gen. Ellen Pawlikowski, commander of Air Force Materiel Command. “By that I mean the forum that’s here for AFA and the booth concept is not the environment that the entrepreneurial community that … we engage with is one that they come to.”

“It’s not of interest to them,” she added. “That’s not their culture.”

The Defense Department will have to court them, not the other way around, she said. Pentagon officials must make a concerted effort to meet them on their turf, she noted.

“We have to reach out to the forums and to the venues that they go to,” she said. “That will put some of us out of our comfort zone that we’re used to participating in, but that is the way we have to draw them in.”

Secretary of Defense Ashton Carter has made several high-profile trips to Silicon Valley and other centers of innovation. Last week, the Pentagon chief attended a TechCrunch Disrupt conference in San Francisco, where he tried to persuade cyber technologists to work for or do business with the Defense Department.

At a venue where a Pentagon official wearing a business suit looked like a fish out of water, Carter fielded tough questions. Some, including one about marijuana use, would be considered way out-of-left-field if they had been asked at a traditional industry conference.

Pawlikowski noted that she attended a venture capitalist conference in Los Angeles focused on space issues, with positive results.

“After I finished, I had about a dozen venture capitalists come up to me wanting [me] to know that they had entrepreneurs that were interested in getting involved in this business and [asking] how could they get involved” with the Defense Department, she said.

But the Pentagon’s acquisition process sometimes causes headaches for those involved in outreach efforts to non-traditional industry and startup companies.

Air Force Materiel Command has made a concerted effort to draw in commercial firms with small business innovative research funding, Pawlikowski said.

“What we found though that is if we just leave it up to our usual devices of going out and putting out, ‘Here’s our topics we’re interested in,’ we will get shall we say the more traditional small business” to respond, she said.

“It doesn’t necessarily attract the entrepreneurial business base as a general rule,” she added. “In fact, sometimes our definition of a small business actually makes it hard for that entrepreneurial business base to participate, because if a venture capitalist invests in an entrepreneur then they no longer qualify as a small business, for example.”

Gen. Paul Selva, vice chairman of the Joint Chiefs of Staff, echoed concerns about the hurdles thrown up by the often cumbersome acquisition process.

The Pentagon has been pursuing different paths of engagement, he noted.

“What we have to do and what we have been doing is trying to nurture relationships with those small companies by placing bets and asking them hard questions and giving them some time to chew on them,” he said.

“They’re willing to give their intellect to the questions we’re willing to ask,” he said. “We just have to find an environment that they’re comfortable operating in.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2311

 

A Different Path to War


“WAR ON THE ROCKS”

“Americans today enjoy a measure of safety that our ancestors would envy and that our contemporaries do envy.

We generally do not need to wage war to keep it that way.

On the contrary, some recent wars have degraded the U.S. military and undermined our security. Policymakers should therefore be extremely reluctant to risk American lives abroad.

The U.S. military is the finest fighting force in the world; it comprises dedicated professionals who are willing and able to fight almost anywhere, practically on a moment’s notice. Any military large enough to defend our vital national security interests will always be capable of intervening in distant disputes. But that does not mean that it should. Policymakers have an obligation to carefully weigh the most momentous decision that they are ever asked to make. These criteria can help.

Any nation with vast power will be tempted to use it. In this respect, the United States is exceptional because its power is so immense. Small, weak countries avoid fighting in distant disputes; the risk that troops, ships, or planes sent elsewhere will be unavailable for defense of the homeland generally keeps these nations focused on more proximate dangers. The U.S. government, by contrast, doesn’t have to worry that deploying U.S. forces abroad might leave America vulnerable to attack by powerful adversaries.

There is another factor that explains the United States’ propensity to go abroad in search of monsters to destroy: Americans are a generous people, and we like helping others. We have often responded favorably when others appeal to us for assistance. Many Americans look back proudly on the moments in the middle and latter half of the 20th century when the U.S. military provided the crucial margin of victory over Nazi Germany, Imperial Japan, and the Soviet Union.

But, in recent years, Americans have grown more reluctant to send U.S. troops hither and yon. There is a growing appreciation of the fact that Washington’s willingness to intervene abroad – from Somalia and the Balkans in the 1990s, to Iraq and Afghanistan in the 2000s, to Libya and Yemen in the present decade – has often undermined U.S. security. We have become embroiled in disputes that we don’t understand and rarely can control. Thus, public anxiety about becoming sucked into another Middle Eastern civil war effectively blocked overt U.S. intervention in Syria in 2013, notwithstanding President Obama’s ill-considered red line warning to Bashar al Assad.

But while the American people are unenthusiastic about armed intervention, especially when it might involve U.S. ground troops, most Washington-based policy elites retain their activist instincts. They believe that U.S. military intervention generally advances global security and that the absence of U.S. leadership invites chaos. The essays in this series, “Course Correction,” have documented the many reasons why these assumptions might not be true. The authors have urged policymakers to consider other ways for the United States to remain engaged globally – ways that do not obligate the American people to bear all the costs and that do not obligate U.S. troops to bear all the risks.

But the authors do not presume that the United States must never wage war. There are indeed times when it should. Policymakers should, however, keep five specific guidelines in mind before supporting military intervention, especially the use of ground troops. Doing so would discipline our choices, would clearly signal when the U.S. military is likely to be deployed abroad, and could empower others to act when the United States does not.

Vital U.S. National Security Interest at Stake

The United States should not send U.S. troops into harm’s way unless a vital U.S. national security interest is at stake. Unfortunately, the consensus in Washington defines U.S. national security interests too broadly. Protecting the physical security of the territory of the United States and ensuring the safety of its people are vital national security interests. Advancing U.S. prosperity is an important goal, but it is best achieved by peaceful means, most importantly through trade and other forms of voluntary exchange. Similarly, the U.S. military should generally not be used to spread U.S. values, such as liberal democracy and human rights. It should be focused on defending this country from physical threats. The military should be poised to deter attacks and to fight and win the nation’s wars if deterrence fails.

The criterion offered here is more stringent, for example, than the Weinberger-Powell Doctrine, which held that U.S. troops should not be sent overseas “unless the particular engagement or occasion is deemed vital to our national interest or that of our allies.” By effectively equating U.S. national interests with those of our allies, it allowed for a range of interventions that would not be considered automatically valid under the guidelines spelled out here.  Policymakers should not risk the lives of U.S. troops to protect others’ interests as though those interests were our own.

Clear National Consensus

The American people must understand why they are being asked to risk blood and treasure and, crucially, they must have a say in whether to do so. The U.S. military should not be engaged in combat operations overseas unless there is a clear national consensus behind the mission.

Although modern technology allows constituents to communicate their policy preferences easily, traditional methods are just as effective in ascertaining whether the American people support the use of force. We should rely on the tool written into the Constitution: the stipulation that Congress alone, not the president, possesses the power to take the country to war.

As Gene Healy notes in this series, Congress has regularly evaded its obligations. Although the U.S. military has been in a continuous state of war over the past 15 years, few in Congress have ever weighed in publicly on the wisdom or folly of any particular foreign conflict. Some now interpret Article 5 of the North Atlantic Treaty or United Nations Security Council resolutions as obligating the United States to wage war without explicit authorization from Congress. This is unacceptable. The president may repel attacks against the United States, but the authority to deploy U.S. forces abroad, and to engage in preemptive or preventative wars of choice, resides with Congress — and by extension the people — of the United States.

Understanding of the Costs—and How to Pay Them

We must also understand the costs of war and know how we will pay them before we choose to go down that path. We cannot accurately gauge popular support for a given military intervention overseas if the case for war is built on unrealistic expectations and best-case scenarios. There is no such thing as a free lunch, and there is certainly no such thing as a free war.

Deficit spending allows the federal government to pretend otherwise. Politicians make promises, with bills coming due long after they’ve left office. But we should expect more when it comes to the use of force. Advocates for a military intervention should be forced to frame their solution in relation to costs and benefits. The debit side of the ledger includes the long-term costs of care for the veterans of the conflict. Hawks must also explain what government expenditures should be cut – or taxes increased – to pay for their war. The American people should have the final say in choosing whether additional military spending to prosecute minor, distant conflicts is worth the cost, including the opportunity costs: the crucial domestic priorities that must be forgone or future taxes paid.

Clear and Obtainable Military Objectives

We cannot compare the costs or wisdom of going to war if we do not know what our troops will be asked to do. The U.S. military should never be sent into harm’s way without a set of clear and obtainable military objectives.

Such considerations do not apply when a country’s survival is at stake. But wars of choice — the types of wars that the United States has fought in Iraq, Afghanistan, Libya, and elsewhere — are different. Advocates for such wars must demonstrate not only that the fight is necessary to secure vital U.S. interests, that it has public support, and that it has funding, but also that the military’s mission is defined and attainable.

Military victory is rarely sufficient, however, as our recent wars and interventions demonstrate. In the case of regime-change wars, ensuring that a successful transition to a stable, friendly government occurs can take a considerable amount of time and resources. Whatever replaces the defeated forces must represent a marked improvement in order for the war to advance U.S. vital interests. U.S. leaders, therefore, must not only define the military objective, but also detail what the resultant peace will look like, and how we will know the mission is complete.

It is easy for Washington to start wars, but we cannot leave U.S. troops on the hook for ending them. Policymakers must account for the tendency of war to drag on for years or more, and they must plan for an acceptable exit strategy before committing troops.

Use of Force as a Last Resort

The four criteria above are not enough to establish a war’s legitimacy, or the wisdom of waging it. After all, modern nation-states have the ability to wreak unimaginable horror on a massive scale. That obviously doesn’t imply that they should. Thus, the fifth and final rule concerning military intervention is force should be used only as a last resort, after we have exhausted other means for resolving a foreign policy challenge that threatens vital U.S. national security interests.

This point is informed by centuries-old concepts of justice. Civilized societies abhor war, even those waged for the right reasons while adhering to widely respected norms, such as proportionality and reasonable protections for noncombatants. War, given its uncertainty and destructiveness, should never be entered into lightly or for trivial reasons.

America has an exceptional capacity for waging war. U.S. policymakers therefore have a particular obligation to remember that war is a last resort. Precisely because no one else is likely to constrain them, they must constrain themselves.

Conclusion

U.S. foreign policy should contain a built-in presumption against the use of force. That does not mean that war is never the answer, but rather that it is rarely the best answer. Americans today enjoy a measure of safety that our ancestors would envy and that our contemporaries do envy. We generally do not need to wage war to keep it that way. On the contrary, some recent wars have degraded the U.S. military and undermined our security. Policymakers should therefore be extremely reluctant to risk American lives abroad.

The U.S. military is the finest fighting force in the world; it comprises dedicated professionals who are willing and able to fight almost anywhere, practically on a moment’s notice. Any military large enough to defend our vital national security interests will always be capable of intervening in distant disputes. But that does not mean that it should.”

New Rules for U.S. Military Intervention

Social Media on the Front Lines of War

New Zealand ISIL Terrorist Accidentally Tweets Location from Syria

“FOREIGN POLICY ASSOCIATION”

“Social media started out as a technological innovation but has become a social phenomenon.

Intelligence agencies appreciate the importance of social media and its role.

In a recent PBS Newshour interview, Nick Rasmussen, of the National Counter-Terrorism Center (NCTC) just outside Washington DC, explained how, in the context of searching for a terrorist threat, “increasingly what ‘connecting the dots’ means to me is dealing with the huge volume of publicly available information. The work we’re doing now often doesn’t involve really sensitive intelligence; it involves looking at Twitter, or some other social media platform, and trying to figure out who that individual is behind the screen name.”

Since the early 2000s Facebook has become indispensable for families and friends to stay in touch, and people and organizations with large numbers of Twitter followers are able to carve out virtual mini-media empires. Clicks and ‘follows’ are the new version of voting with your feet. The more readers or followers one has, goes the logic, the more influence one wields.

To turn it around, people who actively use social media for everyday, non-political reasons are also subject to being targeted.

One of the vulnerabilities (or advantages, to a combatant wishing to recruit people) is that social media accounts usually expose users to invasive scrutiny. Facebook and LinkedIn profiles can carry enough information that, shared with the wrong person, can be used to compromise that person or uncover confidential information about his/her job. Many countries’ military members are now routinely required to not specify their location or activities.

As the years of the conflicts in Iraq and Afghanistan passed, jihadi groups increasingly began to recruit through social media. Stories now abound of young adults of Middle Eastern heritage and origin, living in western Europe and the US, who have been contacted by Islamic State through social media and convinced to move to Raqqa, the Islamic State’s purported capital. Some 60 young women from the UK, aged 20 and below, are thought in the past several years to have traveled to Raqqa.

The huge growth in cell phone cameras and the ease of posting pictures to social media has also played a role in tracking and finding various targets. Of recent note, investigative organizations were able to track operatives and military equipment in eastern Ukraine primarily through personal pictures posted to social media and publicly available imaging, including open source tracking of the apparent missile launcher used to destroy Malaysian Airlines flight 17 in 2014. This has also been a method to discover the location of various actors in the labyrinthine war in Syria.

Per the previously mentioned PBS Newshour article, many Islamic State fighters simply do not disable the geo-location feature on their phones, which allows those with the right technology to track them.

Intelligence agencies of major world powers now seem to appreciate the importance of social media and its role in ‘information operations,’ a military term that implies the ability of messaging to affect the viewpoints of a target population. Just looking through listings for ‘intelligence analyst’ on several Washington DC-based job boards, foreign language specialists are widely sought for social media and social networking positions.

Of course, it is not only parties to the world’s trouble regions that are looking to abuse social media to their advantage. For an even longer time, social engineers and hackers have tried to gather personal information by establishing links online.

If you are uncertain about that LinkedIn invitation you just got, try to verify the person through a known contact. If you are doubtful, ‘ignore’ or ‘delete’ works just fine. If he or she happens to be a colleague whom you meet at the next social, you can safely add them, and actually have a face-to-face conversation, something social media, unfortunately, seems to increasingly discourage.”

Social Media Now on Conflicts’ Front Lines

Feds Will Soon Be Able to Legally Hack Almost Anyone

Image: “Gizmodo.com”

“WIRED”

“Under a new set of rules, the FBI would have the authority to secretly use malware to hack into thousands or hundreds of thousands of computers that belong to innocent third parties and even crime victims.

The unintended consequences could be staggering.

Digital devices and software programs are complicated. Behind the pointing and clicking on screen are thousands of processes and routines that make everything work. So when malicious software—malware—invades a system, even seemingly small changes to the system can have unpredictable impacts.

That’s why it’s so concerning that the Justice Department is planning a vast expansion of government hacking.

The new plan to drastically expand the government’s hacking and surveillance authorities is known formally as amendments to Rule 41 of the Federal Rules of Criminal Procedure, and the proposal would allow the government to hack a million computers or more with a single warrant. If Congress doesn’t pass legislation blocking this proposal, the new rules go into effect on December 1. With just six work weeks remaining on the Senate schedule and a long Congressional to-do list, time is running out.

The government says it needs this power to investigate a network of devices infected with malware and controlled by a criminal—what’s known as a “botnet.” But the Justice Department has given the public far too little information about its hacking tools and how it plans to use them. And the amendments to Rule 41 are woefully short on protections for the security of hospitals, life-saving computer systems, or the phones and electronic devices of innocent Americans.

Without rigorous and periodic evaluation of hacking software by independent experts, it would be nothing short of reckless to allow this massive expansion of government hacking.

If malware crashes your personal computer or phone, it can mean a loss of photos, documents and records—a major inconvenience. But if a hospital’s computer system or other critical infrastructure crashes, it puts lives at risk. Surgical directives are lost. Medical histories are inaccessible. Patients can wait hours for care. If critical information isn’t available to doctors, people could die. Without new safeguards on the government’s hacking authority, the FBI could very well be responsible for this kind of tragedy in the future.

No one believes the government is setting out to damage victims’ computers. But history shows just how hard it is to get hacking tools right. Indeed, recent experience shows that tools developed by law enforcement have actually been co-opted and used by criminals and miscreants. For example, the FBI digital wiretapping tool Carnivore, later renamed DCS 3000, had weaknesses (which were eventually publicly identified) that made it vulnerable to spoofing by unauthorized parties, allowing criminals to hijack legitimate government searches. Cisco’s Law Enforcement access standards, the guidelines for allowing government wiretaps through Cisco’s routers, had similar weaknesses that security researchers discovered.

The government will likely argue that its tools for going after large botnets have yet to cause the kind of unintended damage we describe. But it is impossible to verify that claim without more transparency from the agencies about their operations. Even if the claim is true, today’s botnets are simple, and their commands can easily be found online. So even if the FBI’s investigative techniques are effective today, in the future that might not be the case. Damage to devices or files can happen when a software program searches and finds pieces of the botnet hidden on a victim’s computer. Indeed, damage happens even when changes are straightforward: recently an anti-virus scan shut down a device in the middle of heart surgery.

Compounding the problem is that the FBI keeps its hacking techniques shrouded in secrecy. The FBI’s statements to date do not inspire confidence that it will take the necessary precautions to test malware before deploying it in the field. One FBI special agent recently testified that a tool was safe because he tested it on his home computer, and it “did not make any changes to the security settings on my computer.” This obviously falls far short of the testing needed to vet a complicated hacking tool that could be unleashed on millions of devices.

Why would Congress approve such a short-sighted proposal? It didn’t. Congress had no role in writing or approving these changes, which were developed by the US court system through an obscure procedural process. This process was intended for updating minor procedural rules, not for making major policy decisions.

This kind of vast expansion of government mass hacking and surveillance is clearly a policy decision. This is a job for Congress, not a little-known court process.

If Congress had to pass a bill to enact these changes, it almost surely would not pass as written. The Justice Department may need new authorities to identify and search anonymous computers linked to digital crimes. But this package of changes is far too broad, with far too little oversight or protections against collateral damage.

Congress should block these rule changes from going into effect by passing the bipartisan, bicameral Stopping Mass Hacking Act. Americans deserve a real debate about the best way to update our laws to address online threats.”

The Feds Will Soon Be Able to Legally Hack Almost Anyone

Military Tech Matchmaker Getting Ready to Open Wallet

Image: mayoradler.com

“DEFENSE ONE”

“The Defense Innovation Unit Experimental, or DIUx, connects smallish companies with potential customers inside the Defense Department. It has plans to fund another 22 projects to the tune of $65 million.

For every dollar DIUx puts toward a new company, a military branch contributes $3.

The 2017 National Defense Authorization Act charged “outreach is proceeding without sufficient attention being paid to breaking down the barriers that have traditionally prevented nontraditional contractors from supporting defense needs, like lengthy contracting processes and the inability to transition technologies.”

Folks close to [Defense Secretary] Carter have said that he remains deeply, personally committed to the effort, and would open a DIUx cell in every city in America if he could.

“I created DIUx last year because one of my core goals as secretary of defense has been to build, and in some cases rebuild, the bridges between our national security endeavor at the Pentagon and America’s wonderfully innovative and open technology community,” Carter said.”

http://www.defenseone.com/technology/2016/09/militarys-tech-matchmaker-getting-ready-open-its-wallet/131554/?oref=defenseone_today_nl

Corruption Lessons from US Experience in Afghanistan

Image: Politifact.com

“POGO”

“The Special Inspector General for Afghanistan Reconstruction (SIGAR) released the first in a series of reports imparting lessons from the 15-year, $115 billion Afghanistan reconstruction effort.

The core lesson:  establish an anti-corruption strategy before plunging into nation-rebuilding.

The report, Corruption in Conflict: Lessons from the U.S. Experience in Afghanistan, is a review of how effectively the US government—primarily the Departments of Defense (DoD), State, Treasury, and Justice, and the US Agency for International Development—responded to corruption in Afghanistan reconstruction spending. SIGAR identifies six key lessons that will hopefully inform future contingency operations, and makes recommendations for executive and legislative action.

The report defines corruption as “the abuse of entrusted authority for private gain,” as exemplified by such acts as bribery, embezzlement, extortion, fraud, and nepotism. It asserts that, while certain forms of corruption have been a part of Afghan culture for centuries, the problem grew to epic proportions after 2001. SIGAR faults the US-led reconstruction effort in three respects: by rapidly injecting billions of dollars into the Afghan economy without adequate oversight, by failing to recognize the scope and severity of corruption, and by subordinating anticorruption efforts to short-term security and political goals.

The recommendation that seems most sensible (to provide the most bang for the buck, if you will) is for the agencies to establish a “joint vendor vetting unit” to more carefully screen contingency operation contractors and grantees. For reconstruction missions to succeed, international aid money must be kept out of the hands of what SIGAR calls “malign powerbrokers”—those who thrive off corruption, such as local warlords, crooked government officials, and insurgents. Robust screening of recipients will also help ensure reconstruction funds aren’t lost to fraud, waste, and abuse.

The United States will remain engaged in Afghanistan for several more years, and it will likely embark on relief efforts in other war-torn countries as well. It is therefore critical that the government heed the lessons collected over the years by its watchdogs: the Commission on Wartime Contracting, which ceased operations in September 2011, the Special Inspector General for Iraq Reconstruction, which closed its doors in October 2013, and SIGAR, which will carry on until appropriated funding for the reconstruction drops below $250 million.”

http://www.pogo.org/blog/2016/09/government-watchdog-identifies-lessons-from-afghanistan-reconstruction.html