Category Archives: Computer Security

Why Artificial Intelligence (AI) Is Not Like Your Brain Yet

Standard
AI Not LIke Your Brain Yet

Image: ZOHAR LAZAR

“WIRED”

“AI resembles the gray matter in your head about as much as a pull-string doll resembles a rocket scientist.

These systems have only a few million “neurons,” which are really just nodes with some input/output connections. That’s puny compared to the 100 billion genuine neurons in your cranium.”


“Here’s a fun drinking game: Every time someone compares AI to the human brain, take a shot. It’ll dull the pain of such mindless metaphorizing—and serve as a reminder that you, an at-least-semiconscious being, have an actual brain that can make real decisions like “Drink!” in the first place. Contra the hype of marketers (as regurgitated by credulous journalists—for shame!), AI resembles the gray matter in your head about as much as a pull-string doll resembles a rocket scientist. There’s a similarity in shape, ish: So-called neural networks are software programs inspired by neuroscience. But these systems have only a few million “neurons,” which are really just nodes with some input/output connections.

That’s puny compared to the 100 billion genuine neurons in your cranium. Read it and weep, Alexa! We’re talking 100 trillion synapses. Or 200 trillion. (Of course, cognition is still pretty incognita itself—which means we’re “modeling” AIs on something we barely even comprehend.) The truth is, tricks like beating people at Go or diagnosing melanomas owe more to brute-force computing power than to any higher sentience. It’s just basic pattern matching under the hood. Yes, a “deep learning” system running on 16,000 processors taught itself to identify cats—with 75 percent accuracy—after analyzing 10 million images. A toddler can nail that on a walk to the playground. So all this Muskian/Hawkingian/Singularitarian talk of “summoning the demon” and “existential threats” to our “survival”? Eh, let’s just worry about that tomorrow. For now, we’re human, and we’re here to drink.”

https://www.wired.com/story/why-artificial-intelligence-is-not-like-your-brainyet/

 

 

 

Advertisements

Booze Allen Contractor to Plead Guilty in 23-Year-Long Largest Ever Theft of Classified Data

Standard

Booze Allen - Here we go again

“WASHINGTON TECHNOLOGY”

“The saga of a government contractor who allegedly stole more classified data than anyone else in history might be coming to a close.

Harold Martin III, who is accused of stealing terabytes of information, has told the U.S. District Court in Baltimore that he will plead guilty to a single charge of willful retention of national defense information on Jan. 22.”


“A plea agreement has not been filed yet, so it is not clear what punishment is being proposed or what will happen to the other 19 counts that were filed against him.

Court filings state that Martin will not be sentenced until all the other counts are resolved.

That single charge carries a maximum of 10 years in prison and three years of probation. He also could be fined up to $250,000.

Over a 23-year period, Martin worked for a series of contractors serving customers in the intelligence field. His security clearances gave him access to a broad range of information.

During that period, Martin took copies of documents and software programs home. This includes data from the National Security Agency, U.S. Cyber Command, the National Reconnaissance Office and the CIA.

When the FBI searched his home in August 2016, the bureau said they found the biggest stash of classified documents ever uncovered. Computers and storage devices were found in his home, his car and a shed in his yard. There were boxes and boxes of paper documents as well.

Still not clear is what Martin did with the data he allegedly stole. There is no allegation that he sold the information or distributed it.

At the time of his August arrest, Martin worked for Booz Allen Hamilton. But he worked for at least seven companies over the 23 years he had taken government secrets, according to the indictment.”

https://washingtontechnology.com/blogs/editors-notebook/2018/01/harold-martin-guilty-plea.aspx

 

 

 

Pentagon Full Steam Ahead With Major Cloud Acquisition

Standard

Pentagon Cloud Full Steam Ahead

“NEXT GOV”

“The Defense Department is not letting blowback or criticism from industry slow down its emerging cloud strategy, which could see it award an enterprise contract worth billions to a single company by the end of 2018.

The contract would be awarded to a single cloud service provider for up to 10 years “to deliver services for cloud computing and platform services” for “all DOD organizations.”


 “The accelerated approach prompted industry concern and calls for the Pentagon to slow down or change course, but led by a Cloud Executive Steering Group reporting directly to leadership, the Defense Department is doing anything but.

“There has been no change in strategy for the CESG,” Pentagon spokesperson Patrick Evans told Nextgov. “The acquisition will be done as a fair and open competition with an industry day in early 2018.”

The next steps, as outlined in the Joint Enterprise Defense Infrastructure, or JEDI, strategy, will be a draft solicitation for a “single-award, indefinite delivery, indefinite quantity contract using full and open competitive procedures.”

Other contracts, according to the memo, could be issued for additional services, such as migration support, application modernization, change management and training.

The Pentagon’s aggressive timeline calls for initial migrations of data to the new contract by the first quarter of 2019.

Strategically, the Pentagon’s approach shares commonalities with that of the CIA, which ultimately selected Amazon Web Services for a 10-year enterprisewide cloud contract four years ago worth $600 million.”

http://www.nextgov.com/it-modernization/2017/12/pentagon-full-steam-ahead-major-cloud-acquisition/144707/

Government Shutdown Continues to Loom

Standard

Government shutdown

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“Clearly the potential impacts of shutting down the federal government go far beyond federal workers being out of work for a while.

During the 2013 shutdown the government issued more than 10,000 stop-work orders for work and projects being done by contractors, and there were reports of numerous temporary layoffs by contractors.”  [What is a Government Contract Stop Work Order? ]


“We narrowly avoided a government shutdown last week, and may well still face one at the end of this month. Some folks might think that a federal government shutdown won’t affect them. But such thinking fails to consider the full scope of would result if the government did shut down.

Our last government shutdown, in 2013, serves as real guide for what to expect if we face another one. Four years ago the House of Representatives (controlled by the Republicans) tried to use the budget process to eliminate funding for the Patient Protection and Affordable Care Act (ObamaCare). The Senate (controlled by the Democrats) and the President were unwilling to agree to that. Without new budget funds being passed by both chambers of Congress, most of the federal government had to shut down once the old funding legislation expired. The shutdown lasted 16 days and had a tremendous impact.

No pay

One of the obvious and most direct impacts of any shutdown is the fact that hundreds of thousands of federal employees will be furloughed, which means held out of work and not payed. The latest workforce analysis estimates the federal government employed over 2 million people in 2015. Exactly how many go out of work during a shutdown depends on how many are considered essential and how many agencies get separate funding approved by Congress before the shutdown occurs. During the 2013 shutdown an estimated 850,000 federal workers were furloughed and missed a combined 6.6 million work days. Consider how big an impact it would have if close to one million people suddenly stop getting paid with no idea on when work will start again. This will interfere with many families’ ability to pay for their mortgage, groceries, utility bills, tuition, and more.

And it isn’t just agency personnel who are affected. The federal government employs a vast number of contractors and grantees to assist with government offices and programs across almost every agency. That same workforce analysis estimated that the government had more than 5.2 million contract and grant employees more than a decade ago. During the 2013 shutdown the government issued more than 10,000 stop-work orders for work and projects being done by contractors, and there were reports of numerous temporary layoffs by contractors. So there will likely be a significant number of private sector jobs also on hold.

Economic impacts

Beyond the hardship of families with federal employees and federal contractors, that missing pay has ripple effects out into the economy. When people aren’t getting paychecks and don’t know when the next one is coming, they understandably reduce their spending as much as possible—fewer holiday gifts, no movie tickets, cancelled travel, no dinners, and more. And that reduced spending impacts those businesses and their employees.

This impact on spending decisions can start even before the shutdown itself. Just the threat of an impending shutdown could influence spending patterns for federal employees and contractors. We are in the heavy retail period of the holiday season, a period of time that can decide if some retail companies are profitable or not for the whole year. Reduced spending by close to a million households could have a major impact on the bottom line for retail companies.

The Office of Management and Budget estimated that the 2013 shutdown, which occurred in the fall, cost the U.S. economy between $2 billion and $6 billion. An analysis by Standard & Poor’s projected the long-term impact to be a $24 billion loss to the U.S. economy.

National Parks, monuments, museums closed

The federal government oversees hundreds of national parks, monuments, memorials, museums, and historic sites across the country that on average handle more than 700,000 visitors each day. These include the Grand Canyon, the recently reduced Bears Ears and Grand Staircase Escalante, the Liberty Bell in Philadelphia, the Smithsonian, the National Zoo, and many other locations in almost every state. Closing these locations means disrupting many tourists’ plans but also means lost revenue from their spending.

In 2013 the National Park Service estimated that the 16-day closure meant almost $500 million in lost revenue. And that doesn’t include the potential loss to local businesses of an estimated $76 million—the amount spent in communities near these locations—because of fewer travelers or changed plans.

Veterans’ benefits

The government provides lots of benefits to veterans which would be disrupted in the event of a shutdown—processing disability claims, training, support services, and more. Many of these services are important to veterans and their families and time-sensitive. Asking veterans to wait after they have provided their service to the country seems a betrayal. And a government shutdown not only stops these services but can create large backlogs that will delay delivery of the benefits even when government offices reopen.

The 2013 shutdown slowed processing on veteran disability claims and closed services that helped veterans understand and access their benefits including call centers and hotlines. Veterans also lost access to vocational training, education counseling services, and workshops designed to help transition to civilian life and employment.

Helping vulnerable families

There are real concerns that a shutdown, especially a longer one, could threaten federal programs that support mothers, children, and families in need. Programs like Supplemental Nutrition Assistance Program (SNAP), often called food stamps, could be in danger of disruption from a shutdown. The program helps millions of poor families get enough food for their children. In 2013 SNAP was not affected because there were funds already allocated through the Recovery Act to sustain the program. But those funds are no longer available today, so a shutdown could threaten the program.

The Women, Infants and Children (WIC) program helps approximately 9 million mothers and families get nutritional food and health care. In 2013, states had enough money to operate the WIC program during the 16 days, but if the shutdown had lasted longer the states would have run out of money and been forced to halt the program. It is unclear how long states could operate during a new shutdown.

Head Start is a well-known federally funded preschool program that provides support, nutrition, and care to millions of under-privileged kids. During the 2013 shutdown, Head Start programs in various states had to close, until private philanthropists stepped in to provide the needed funds. How much a new shutdown would affect Head Start kids will depend on how much money states have on hand for the program when the shutdown starts and how long it lasts.

Food safety

The Food and Drug Administration (FDA) would almost certainly have to suspend most of the food safety inspections and enforcement programs during a shutdown. Of course that doesn’t mean the food stops getting produced, shipped, bought, and consumed—just that consumers can’t be as confident that the food is safe. During the 2013 shutdown the FDA reportedly halted many inspections and cut back on examination, sampling, and analysis of imported foods.

Medical Research

A federal shutdown will likely require that the National Institute of Health (NIH) and the Centers for Disease Control and Prevention (CDC) suspend many of their operations. During the 2013 shutdown nearly three-quarters of NIH staff and two-thirds of CDC staff were furloughed. Patients wouldn’t be able to enroll in clinical trials run by the NIH, and the CDC would have to discontinue tracking illness patterns such as flu, hepatitis, and Tuberculosis to direct prevention efforts and avoid larger outbreaks. Research grants into medical treatments and other scientific issues would be delayed. Applications to approve new drugs, generic drugs, and medical devices would also get put on hold. It is impossible to predict the exact impact on patients but even short delays could have serious health consequences for some.

Conclusion

It [a government shutdown] would affect people across the country—veterans, small business owners, families, tourists, patients, consumers. And the above list only covers some of the services that would be impacted; such services as passport processing, federal loans, small business supports, issuing new social security cards, and so much more would grind to a halt during a shutdown. Congress and the administration should make every effort to avoid a future shutdown or even the threat of a shutdown.”

http://www.pogo.org/blog/2017/12/government-shutdown-continues-to-loom.html

 

Q&A Reference Library On Small Business Government Contracting And The Military Industrial Complex

Standard

Quora Questions with Answers by Ken that have undergone 677,000 Views on Small Business Government Contracting and the U.S. Military Industrial Complex Ken Larson Reference Library on Quora

 

Agency Progress Lacking on Federal Information Technology Acquisition Reform Act (FITARA)

Standard

FITARA

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“Only 4 of the 24 federal agencies GAO reviewed (the Departments of Commerce, Energy, Homeland Security, and Transportation) had clearly defined processes and policies for certification by the CIO.

By establishing incremental development as the standard, FITARA increases the likelihood that potential problems in projects will be caught and corrected sooner, ensuring less waste.”


“This week the Government Accountability Office (GAO) released a report on federal agencies’ implementation of information technology (IT) reforms that require closer oversight from Chief Information Officers (CIOs) of their respective agency’s software development projects.

In response to years of major waste and mismanagement of IT investments, about which the Project On Government Oversight has previously reported, the federal government passed the Federal Information Technology Acquisition Reform Act (FITARA) as part of the National Defense Authorization Act for fiscal year 2015.

The bill also calls on the Office of Management and Budget (OMB) to require an agency’s Chief Information Officer (CIO) to certify major investments are being incrementally developed and to clearly report on the certification process.

In the past, agencies have invested years and millions—or even billions—of taxpayer dollars into a project just to cancel it or end up with a system that performs well below projected productivity. The GAO report points to examples such as the 2012 cancelation of the billion-dollar Department of Defense (DoD) Expeditionary Combat Support System after DoD had spent more than five years on the project, and the Farm Service Agency’s endeavor to replace aging hardware and software applications that, ten years and $423 million dollars later, only delivered about 20 percent of planned functionality.

Since 2015 the management of IT acquisitions and operations has been on GAO’s “high-risk list,” a list of agencies and areas that have a higher potential for fraud, waste, abuse, and mismanagement. This “high risk” classification highlights the importance of properly implementing FITARA reporting and certification standards to foster accountability and transparency.

While FITARA is a step in the right direction, there is still a ways to go. This week’s GAO report shed light on the implementation of FITARA reforms: only 4 of the 24 federal agencies GAO reviewed (the Departments of Commerce, Energy, Homeland Security, and Transportation) had clearly defined processes and policies for certification by the CIO. Eleven agencies had policies that were not clear or detailed enough, and 9 had no policy at all. Furthermore, as of August 2016, across the participating agencies only 62 percent of investments were certified by the CIO.

The GAO report implies this outcome is at least partially because of a lack of clarity in OMB guidelines for how agencies should report CIO certifications. GAO emphasizes the “critical” nature of “a clear and consistent approach for agencies to follow.” OMB has responded to GAO’s concerns by issuing a new guidance this year for fiscal year 2019 with more specific guidelines. GAO felt the updated guidance was a “key improvement” and a “positive step.”

For fiscal year 2017, federal agencies were budgeted to spend over $89 billion on IT, including more than $43 billion on major investments. It is important that agencies and OMB work together to effectively implement FITARA reforms to make sure this money is well spent.”

http://www.pogo.org/blog/2017/11/some-agencies-yet-to-implement-it-oversight-reforms-gao-reports.html

 

Pentagon Accidentally Exposes Web Monitoring Operation

Standard

Pentagon Cloud Leaks

“PC MAGAZINE”

“The Department of Defense accidentally exposed an intelligence-gathering operation, thanks to an online storage misconfiguration.

It neglected to make those storage servers private, collecting billions of public internet posts from social media, news sites, and web forums and storing them on Amazon S3 repositories.

‘The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years’, UpGuard said in a Friday report –  So anyone with a free Amazon AWS account could browse and download the data.”


“Much of the data was scraped from news sites, web forums, and social media services such as Facebook and Twitter. The information includes content relating to Iraqi and Pakistani politics and ISIS, but also social media posts made by Americans.

In a Twitter direct message, Vickery told PCMag he “made sure the [storage] buckets we discovered were secured before anything was brought to media attention.” However, he has no idea if anyone else, like malicious parties, ever accessed the data.

DOD didn’t immediately respond to a request for comment. But the Pentagon confirmed the accidental leak to CNN.

Why the Defense Department was collecting this information isn’t clear. But it certainly raises eyebrows at a time when concerns persist about US surveillance programs. It also comes as US agencies are struggling on the cybersecurity front. The National Security Agency, for instance, failed to stop breaches of its own classified hacking tools.

“Even the most sensitive intelligence organizations are not immune to sizable cyber risk,” UpGuard said in its Friday report.

The Defense Department isn’t the only one to commit the security slip-up with AWS cloud storage. Earlier this year, UpGuard found that Verizon and Dow Jones made the same mistake, effectively exposing their private customer data to the public.

Update: In an email, US Central Command commented on the accidental leak.

“Once alerted to the unauthorized access, CENTCOM implemented additional security measures to prevent unauthorized access,” said Major Josh Jacques, a spokesman for US Central Command.

The purpose of the data collection still wasn’t made clear. But Jacques told PCMag: “The information you are asking about is not sensitive information. It is not collected nor processed for any intelligence purposes.”

The data was actually provided by a contractor using “commercial off-the-shelf programs,” according to Jacques.

“U.S. Central Command has used commercial off-the-shelf and web-based programs to support public information gathering, measurement and engagement activities of our online programs on public sites,” he added. “The information is widely available to anyone who conducts similar online activities.”

https://www.pcmag.com/news/357465/pentagon-accidentally-exposes-web-monitoring-operation

 

 

 

Do Young Humans + Artificial Intelligence = Cybersecurity?

Standard
Young Humans plus AI

West Point cadets conduct a cyber exercise.

“BREAKING DEFENSE”

“The Army is recruiting smart young soldiers to wage cyber war. But human talent is not enough.

Ultimately, say experts, cyberspace is so vast, so complex, so constantly changing that only artificial intelligence can keep up.”


“America can’t prevail in cyberspace through superior numbers. We could never match China hacker for hacker. So our best shot might be an elite corps of genius hackers whose impact is multiplied by automation.

Army photo

Talent definitely matters – and it is not distributed equally. “Our best (coders) are 50 to 100 times better than their peers,” Lt. Gen. Paul Nakasone, head of Army Cyber Command (ARCYBER), said. There’s no other military profession, from snipers to pilots to submariners, that has such a divide between the best and the rest, he told last week’s International Conference on Cyber Conflict(CyberCon), co-sponsored by the US Army and NATO. One of the major lessons learned from the last 18 months standing up elite Cyber Protection Teams, he said, is the importance of this kind of “super-empowered individual.”

Such super-hackers, of course, exist in the civilian world as well. One young man who goes by the handle Loki “over the course of a weekend…found zero-day vulnerabilities, vulnerabilities no one else had found in Google Chrome, Internet Explorer and Apple Safari,” Carnegie Melon CyLab director David Brumley said. “This guy could own 80 percent of all browsers running today.” Fortunately, Loki’s one of the good guys, so he reported the vulnerabilities – and got paid for it – instead of exploiting them.

courtesy David Brumley

The strategic problem with relying on human beings, however, is simple. We don’t have enough of them. “We don’t want to be in a person-on-person battle because, you know what, it just doesn’t scale,” Brumley told CyCon. “The US has six percent of the world’s population (actually 4.4). Other countries, other coalitions of countries are going to have more people, (including) more people like Loki.”

That creates a strategic imperative for automation: software programs that can detect vulnerabilities and ideally even patch them without human intervention. Brumley’s startup, ForAllSecure, created just such a program, called Mayhem, that won DARPA’s 2016 Cyber Grand Challenge against other automated cyber-attack and defense software. However, that contest was held under artificial conditions, Brumley said, and Mayhem lost against skilled humanhackers – although it found some kinds of bugs better and faster. So automation may not be entirely ready for the real world yet.

Even when cybersecurity automation does come of age, Brumley said, we’ll still need those elite humans. “What these top hackers are able to do… is come up with new ways of attacking problems that the computer wasn’t programmed to do,” he said. ” I don’t think computers or autonomous systems are going to replace humans; I think they’re going to augment them. They’re going to allow the human to be free to explore these creative pursuits.”

Sydney J. Freedberg Jr. photo

Young Humans

“For those of you who are in the military who are 25 years old or younger, captains and below…you’re going to have to lead the way. People my age do not have the answers,” the Army’s Chief of Staff said at CyberCon. After his speech, Gen. Mark Milley called up to the stage lieutenants and West Point cadets – but not captains, he joked, “you’re getting too old.” (He let the captains come too).

“It’s very interesting to command an organization where the true talent and brainpower is certainly not at the top, but is at the beginning stages,” said Lt. Gen. Nakasone at the same event. “It’s the lieutenants. It’s the sergeants. It’s the young captains.”

Sydney J. Freedberg Jr. graphic

The Army has rapidly grown its cyber force. It now has 8,920 uniformed cyber soldiers, almost a ninefold increase since a year ago (and cyber only became an official branch three years ago, when it had just six officers). There are also 5,231 Army civilians, 3,814 US contractors, and 788 local nationals around the world. All told, “there’s 19,000 of them,” Milley said. “I suspect it’s gonna get a lot bigger.”

At the most elite level, US Cyber Command officially certified the Army’s 41 active-component Cyber Protection Teams and the Navy’s 40 teams as reaching Full Operational Capability this fall, a year ahead of schedule. (We’re awaiting word on the Air Force’s 39). At full strength, the teams will total about 6,200 people, a mix of troops, government civilians, and contractors.

To speed up recruiting, Gen. Milley wants to bring in cyber experts at a higher rank than fresh-out-of-ROTC second lieutenants – say, as captains. Such “direct commissioning” is used today for doctors, lawyers, and chaplains, but Milley notes it was used much more extensively in World War II, notably to staff the famous Office of Strategic Services (OSS). Why not revive that model? “There’s some bonafide brilliant dudes out there. We ought to try to get them, even if it’s only 24 months, 36 months,” he said. “They’re so rich we won’t even have to pay ’em.”

(That last line got a big laugh, as intended, but “dollar-a-year men” have served their country before, including during the World Wars.)

No matter how much the military improves recruiting, however, it will probably have enough talent in-house. (Neither will business, which is short an estimated two million cyber professionals short worldwide). So how does the military tap into outside talent?

Defense Department graphicOne method widely used in the commercial world is bug bounties: paying freelance hackers like Loki for every unique vulnerability they report. (Note that the Chinese military runs much of its hacking this way.) The Defense Department has run three bounty programs in the last year – Hack the Pentagon, Hack the Army, and Hack the Air Force – that found roughly 500 bugs and paid out $300,000. That’s “millions” less than traditional security approaches, says HackerOne, which ran the programs.

What’s really striking, though, is the almost 3,000 bugs that people have reported for free. Historically, the Pentagon made it almost impossible for white-hack hackers to report bugs they find, but a Vulnerability Disclosure Policy created alongside the bug bounties “has been widely successful beyond anyone’s best expectation,” said HackerOne co-founder Alex Rice, “without any actual monetary component.”

So what’s motivating people to report? For some it’s patriotism, Rice told me, but participating hackers come from more than 50 countries. In many cases, he said, hackers are motivated by the thrill of the challenge, the delight of solving a puzzle, the prestige of saying they “hacked the Pentagon,” or just a genuine desire to do good.

The other big advantage of outsourcing security this way, said Rice, is the volunteer hackers test your system in many more different ways than any one security contractor could afford to do. “Every single model, every single tool, every single scanner has slightly different strengths, but also slightly different blind spots,” Rice said. “One of the things that is so incredibly powerful about this model is that every researcher brings a slightly different methodology and a slightly different toolset to the problem.”

Those toolsets increasingly include automation and artificial intelligence.

DARPA photo

Automation & AI

“I’m the bad news guy,” Vinton Cerf, co-inventor of the Internet, told the audience at CyCon. “We’re losing this battle (for) safety, privacy, and security in cyberspace.”

Why? “The fundamental reason we have this problem is we have really bad programming tools,” Cerf said. “We don’t have software that helps us identify mistakes that we make…..What I want is a piece of software that’s watching what I’m doing while I’m programming. Imagine it’s sitting on my shoulder, and I’m typing away, and it says ‘you just created a buffer overflow.’” (That’s a common mistake that lets hackers see data beyond the buffer zones they’re authorized for, as in the Heartbleed hack.)

courtesy Wikimedia Commons

Such an automated code-checker doesn’t require some far-future artificial intelligence. Cerf says there are new programming languages such as TLA+ and COQ that address at least parts of the problem already. Both use what are called “formal methods” or “formal analysis” to define and test software rigorously and mathematically. There are also semi-automated ways to check a system’s cybersecurity, such as “fuzzing” – essentially, automatically generating random inputs to see if they can make a program crash.

Artificial intelligence doesn’t have to be cutting-edge to be useful. The Mayhem program that won DARPA’s Cyber Grand Challenge, for instance, “did require some amount of AI, but we did not use a huge machine learning (system),” Brumley said. “In fact, NVIDIA called us up and offered their latest GPUs, but we had no use for them.” Mayhem’s main weapon, he said, was “hardcore formal analysis.”

“There is a lot of potential in this area, but we are in the very, very early stages of true artificial intelligence and machine learning,” HackerOne’s Rice told me. “Our tools for detection have gotten very, very good at flagging things that might be a problem. All of the existing automation today lags pretty significantly today on assessing if it’s actually a problem. Almost all of them are plagued with false positives that still require a human to go through and assess (if) it’s actually a vulnerability.”

So automation can increasingly take on the grunt work, replacing legions of human workers – but we still need highly skilled humans to see problems and solutions that computers can’t.”

https://breakingdefense.com/2017/11/do-young-humans-artificial-intelligence-cybersecurity/

The Cyber Paradox: Reliance On New Tech Can Quickly Become A Weakness

Standard
Reliance on Technology - crainsnewyork dot com

Image:  CrainesNewYork.com

“FIFTH DOMAIN”

“As connecting devices has created awareness and speed, denial to those processes can create chaos.

The Navy is trying to educate commanders to think about courses of action in the event their access to networks or infrastructure ― such as supervisory control and data acquisition or industrial control systems ― are denied by adversaries.

Famously, after Sony was sacked with a massive cyberattack in 2014 attributed to North Korea that created physical damage to their computing infrastructure, employees were forced to do business with pen and paper again.

The Naval Academy has even begun reteaching celestial navigation using tools like sextants.


“We look to segment and protect in various defense in depth ways, that involves three things; people, processes and technology,” Rear Adm. Danelle Barrett, Navy Cyber Security Division Director, said during an Oct. 27 panel hosted by AFCEA’s DC chapter. “It’s not all technology … You focus on the leadership first and foremost; how does a leader understand if I have to ask you to do without, what is my plan for execution.”

Barrett noted that the Navy is trying to educate commanders to think about courses of action in the event their access to networks or infrastructure ― such as supervisory control and data acquisition or industrial control systems ― are denied by adversaries.

“I’m not talking do without for a couple hours in a power outage, I’m talking Puerto Rico-level do without. What if you were without for a month, how are you going to execute your no-fail mission,” she said.

Commanders, she added, need to understand that is possibility and have a plan ready to execute.

How can the Navy fight through the hurt, she said is their mantra.

“You have to understand what are my no-fail missions ― and I don’t mean my cyber missions, it might be [ballistic missile defense] today, it may be humanitarian, disaster relief … tomorrow,” she said. “What is the critical cyber terrain that supports those missions that cannot fail. That includes the control systems and ICS.”

“A lot of times [commanders will] think about it in terms of I don’t have my network for a couple of hours or I may have portions of it,” Barrett told Fifth Domain following the panel. “The message I’m trying to relay is you may have none of it and it may be for longer than you originally anticipated … If you haven’t worked out those processes of what you’re going to do what and if that happens, and think of Puerto Rico, no power for a month, think of that. That’s not adversary driven but what if it was and what do you do about that.”

While some of the answers might not be ideal, such as paper spreadsheets, at least they’ll have a plan and be prepared to execute their mission if denied. “Mission assurance is the key,” she said.

This is true across the military as well as the private sector. As adversaries seek to jam and block U.S. signals, the military is trying to develop redundant systems in cyber- or GPS-degraded or denied environments.

[Celestial Navigation]  “That’s a perfect example,” Barrett said. “They took off celestial navigation as a training requirement for ROTC units and Naval Academy. It’s back on now because you’ve got to be able to shoot the sextant … and operate. Again it’s mission assurance.

“What are those elements you can’t fail on, whether it’s navigation, launching weapons, medical, whatever it happens to be for your readiness and then figure out how you have to workaround,” she told Fifth Domain.

In terms of how this manifests itself, Barrett said the Navy is doing some educational trainings, noting she briefed new flag officers in a training on this on Oct. 26. They do it for people going to commanding officer school, as well.

“It’s not just the operations mission afloat, it’s whatever your operational mission is; you may be medical, you maybe [Naval Facilities Engineering Command]. All of those contribute to our readiness so they’re all equally critical,” she said.

The hope is that eventually, commanders will incorporate these contingencies into their campaign plans.

They’re beginning with the commanders because they will implement orders down from the highest levels to the local ships and installations, but, Barrett added, “basic training for surface warfare officer, for Navy leaders, for everybody is starting to include more cyber elements.”

https://www.fifthdomain.com/dod/navy/2017/10/27/the-cyber-paradox-reliance-on-new-tech-can-quickly-become-a-weakness/

When Domestic Cyber Becomes a Military Problem

Standard
Cyber Security Without Borders

 (ninjaMonkeyStudio/Getty Images)

“FIFTH DOMAIN” By Jill Aitoro

“Laws intended to establish roles and responsibilities within the government did not necessarily account for the prospect of global networks. Or cyber war. And yet, here we are.

Should the DoD be called in when Russia hacks into systems in an effort to disrupt elections, as McCain [has] insinuated?  But if terrorist groups hacked into the power grid, is that not a military operation in some capacity? An act of war?”


“Progress in cyber security has long been stilted by bureaucracy. We all talk in circles about how the threat evolves faster than our ability to protect our own systems and data, thanks to a slow procurement process, for example. And we often point to this fuzzy line of cyber “ownership” — typically private sector versus government — which long complicated a productive and cohesive response.

But what we saw on the Hill last week presented another fascinating complication to the cybersecurity dilemma that focuses squarely on jurisdiction.

Defense News’ sister publication Fifth Domain reported about a rather heated exchange before the Senate Armed Services Committee on Oct. 19, with Chairman John McCain and the Department of Defense’s principle cyber adviser sparring over the Pentagon’s roles in protecting the nation in cyberspace.

Here were the perspectives: Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principle cyber adviser, cautioned against “ending the current framework and against reassigning more responsibility for incident response to the Department of Defense.”

McCain argued otherwise: “It’s the Department of Defense’s job to defend this nation; that’s why it’s called the Department of Defense.”

Both are right, which is exactly the problem when one kicks off a philosophical dialogue about cyber response.

Rapuano pointed to “a long normative and legal tradition” of limiting the role of the military in domestic affairs. He likely was referring technically to Title X, which outlines the role of the armed forces — providing the legal basis for the roles, missions and organization of each of the services and the department. He pointed frequently to the Department of Homeland Security, which generally owns the cybersecurity challenge for civilian agencies.

But whether you consider the current Title X, which resulted from a 1956 overhaul of the previous version, or you harken all the way back to the Posse Comitatus Act, a law signed in 1878 to limit the use of military personnel to enforce domestic policies in the U.S., cybersecurity didn’t exist at the time.

By definition, cyber extends beyond any individual domain. So must the response. And that response has no borders.”