Category Archives: IoT

Neutrality Matters


Image:  CNN.com

“WIRED”

“In a time when there are too few companies with too much power – we need net neutrality now more than ever.

Getting rid of Title II would lead to even more centralization, handing more power to the largest Internet companies while stifling competition and innovation.

Next month, Amazon, Netflix, and dozens of other companies and organizations will host a “day of action” aimed at saving net neutrality as we know it. The Federal Communications Commission, meanwhile, is on the verge of revoking its own authority to enforce net neutrality rules, and the country’s biggest telecommunications companies are cheering along. The future of the internet is on the line here, but it’s easy to be cynical about the conflict: What does it matter which set of giant corporations controls the internet?

Under the current net neutrality rules, broadband providers like Comcast and Charter, and wireless providers like AT&T and Verizon, can’t block or slow down your access to lawful content, nor can they create so-called “fast lanes” for content providers who are willing to pay extra. In other words, your internet provider can’t slow your Amazon Prime Video stream to a crawl so you’ll keep your Comcast cable plan, and your mobile carrier can’t stop you from using Microsoft’s Skype instead of your own Verizon cell phone minutes.

If the Trump administration gets its way and abolishes net neutrality, those broadband providers could privilege some content providers over others (for a price, of course). The broadband industry says it supports net neutrality in theory but opposes the FCC’s reclassification of internet providers as utility-like “Title II” providers, and that consumers have nothing to worry about. But it’s hard not to worry given that without Title II classification, the FCC wouldn’t actually be able to enforce its net neutrality rules. It might be less alarming if the internet were a level playing field with free and fair competition. But it’s not. At all.

If you want to search for anything online, you’ve got to go through Google or maybe Microsoft’s Bing. The updates your Facebook friends share are filtered through the company’s algorithms. The mobile apps you can find in your phone’s app store are selected by either Apple or Google. If you’re like most online shoppers, you’re mostly buying products sold by Amazon and its partners. Even with the current net neutrality laws there’s not enough competition—without them, there will be even less, which could stifle the growth and innovation that fuels the digital economy.

Fast lanes or other types of network discrimination could have a big impact on the countless independent websites and apps that already exist, many of which would have to cough up extra money to compete with the bigger competitors to reach audiences. Consider the examples of Netflix, Skype, and YouTube, all of which came of age during the mid-2000s when the FCC’s first net neutrality rules were in place. Had broadband providers been able to block videos streaming and internet-based phone calls in the early days, these companies may have seen their growth blocked by larger companies with deeper pockets. Instead, net neutrality rules allowed them to find their audiences and become the giants they are today, and without net neutrality, they could even potentially become the very start-up-killers that would’ve slowed or stopped their own earlier growth. Getting rid of net neutrality all but ensures that the next generation of internet companies won’t be able to compete with the internet giants.

The end of net neutrality could also have ranging implications for consumers. Amazon, Netflix, YouTube, and a handful of other services may dominate the online video market, but without net neutrality, broadband providers might try to make it more expensive to access popular streaming sites in an attempt to keep customers paying for expensive television packages. “[Net neutrality] protects consumers from having the cost of internet go up because they have to pay for fast lane tolls,” says Chris Lewis, vice president of the advocacy group Public Knowledge.

Lewis also points out that there are a few other consumer friendly protections in the FCC’s net neutrality rules. For example, the FCC rules require internet service providers to disclose information about the speed of their services, helping you find out whether you’re getting your money’s worth. They also force broadband providers to allow you to connect any device you like to your internet connection, so that your provider can’t force you to use a specific type of WiFi router, or tell you which Internet of Things gadgets you can or can’t use.

“The Internet is as awesome and diverse as it is thanks to the basic guiding principle of net neutrality,” says Evan Greer, campaign director for Fight for the Future, one of the main organizers of the net neutrality day of action, which will take place on July 12 and try to raise awareness about net neutrality across the web.”

https://www.wired.com/story/why-net-neutrality-matters-even-in-the-age-of-oligopoly/

Half of Industrial Control Systems Suffered Cyber Attack Last Year


The National Institute of Standards and Technology’s industrial control security testbed. (Photo Credit: NIST)

“FIFTH DOMAIN CYBER”

“Data gathered comes from 359 industrial cyber security practitioners in 21 countries that completed online surveys between February 2017 and April 2017.

One-in-five respondents experienced two incidents within the 12-month window.

Threats to industrial control systems are becoming increasingly widespread, according to a new survey from cyber security firm Kaspersky Lab and Business Advantage that found over half of the companies sampled reporting at least one cyberattack in the last 12 months.

The top observed threat remains conventional malware, which played a part in 53 percent of actual incidents, followed by targeted attacks, such as spear phishing to more sophisticated advanced persistent threats. The top perceived threats are third-party supply chain/partners and sabotage/intentional damage from other external sources.

This has led three-in-four companies to expect a cyber attack to happen to them, though 83 percent feel prepared to combat an incident.

Organizations might not be as ready as they believe themselves to be, however, considering the fact that the anti-malware solutions already implemented by 67 percent of respondents still allowed for so many incidents.

Increasing the frequency of issuing patches/updates could contribute to protection from incidents like the WannaCry pandemic, but the increased attack surface and access granted to external parties by growing enterprises complicates matters.

Therefore, risk management is being recognized as a growing priority, but finding properly trained staff and reliable external partners to implement cyber security tops the challenges companies acknowledge. Financial loss is shown to decrease in organizations that have security awareness programs for staff, contractors and partners.

Looking at the survey’s findings, the top risk factors appear to be the access of external parties, a lack of compliance with industry/government regulations and the use of wireless connections. This has led companies to express support for some level of mandatory reporting and governance to help bring about more transparency to help develop frameworks to address the risks.

Some factors that appear to help mitigate threats include documented cybersecurity programs being set in place; regular security assessments/audits being conducted; vulnerability scans and patch deployments happening biweekly at minimum; unidirectional gateways being installed between control systems and the rest of the network; anti-malware solutions being installed for industrial endpoints; industrial anomaly detection tools, intrusion detection and intrusion prevention tools being used; and staff and contractors being given regular security awareness training.”

The entire survey can be accessed by filling in a form on the Kaspersky blog.

National Geospatial Intelligence Agency (NGA) To Offer Data to Industry for Partnerships


NGA Headquarters – Image:  “Federal News Radio”

“BREAKING DEFENSE”

“The idea: offer companies chunks of the “wonderland” of unclassified NGA data so they can use them to build new products or to test algorithms key to their products.

It’s a bold and rare move by a large and largely secretive government agency.

The top two leaders of the National Geospatial Intelligence Agency, Robert Cardillo and Susan Gordon, met with Anthony Vinci, now NGA’s director of plans and programs, to discuss ways to get more value from the agency’s incredibly valuable pools of data.

Using The Economist’s description of data as the oil of today — the most valuable commodity in our economy — Vinci argued the agency must deploy it and help pay the American people back for the investment they have made in building the agency. If data is the new oil, Vinci said companies should “turn it into plastic,” adding value.

Cardillo told reporters NGA would create a B corporation — in effect a non-profit government company — and hire an outsider to run it.

This, I think it’s fair to say, is not a slam dunk. Culturally, it will be challenging, Vinci admitted. “It’s straightforward, but it sort of breaks every rule we have in the IC (Intelligence Community).” The IC doesn’t share data and it doesn’t partner with outsiders, except for allied and friendly governments when needed.

This process may sidestep the whole process of generating a requirement for an intelligence system. “I don’t think that’s how problems can be solved any more,” Vinci said. The current system, which can be circumvented if an urgent need exists, is generally slow and restrictive, one that the Pentagon and the IC are increasingly trying to amend.

I spoke with three senior industry officials who listened to Vinci’s presentation and they were hopeful but cautious. All three said they thought the new effort could yield unexpected and useful returns on taxpayers’ investments in the data.

The biggest obstacle may be Congress. Although NGA would not be making money from the data sharing and it would not be releasing any data that could help our enemies, they would be sharing a government resource which voting taxpayers paid for and over which lawmakers have oversight. Whether the products resulting from the data would be licensed back to NGA, or allowed to generate profits for companies is all still to be determined.

“That’s part of what we’re trying to figure out,” Vinci told me: “taxpayers paid for this data and how can we get that value back to them.”

http://breakingdefense.com/2017/06/nga-to-offer-data-to-industry-for-partnerships/


Army Colonel, Wife and Defense Contractor Accused – $20 Million Bribery and Kickback Scheme


(Photo Credit: BrianAJackson/Getty Images via iStockphoto)

“ARMY TIMES”

“Col. Anthony Roper conspired with his wife and others to seek and accept bribes in exchange for rigging more than $20 million in Army contracts to individuals and companies, prosecutors said Thursday.

The scheme began in 2008 and lasted nearly a decade, prosecutors said.

Roper was stationed at Fort Gordon near Augusta, Georgia. His duties included oversight of the Army’s efforts to build and modernize its information and communication networks, an indictment said.

Roper, 55, is charged with conspiracy, bribery, obstruction and making false statements. He faces up to 85 years in prison if convicted.

The colonel’s wife, Audra Roper, 49, is charged with conspiracy, false statements and obstruction.

Dwayne Oswald Fulton, 58, is charged with conspiracy and obstruction. Fulton was an officer for “a large defense contracting company.” The firm is not named in the court records.

Audra Roper operated Quadar Group, which prosecutors said was a shell company used to funnel bribe payments to her husband, the indictment states. It was one of multiple shell companies used to defraud the government, prosecutors said.

Court records filed this week do not list any attorneys for the defendants.

A spokesman at Fort Gordon did not immediately respond Thursday.”

WannaCry: Top 5 lessons learned

Image:  “Fifth Domain Cyber”

“FIFTH DOMAIN CYBER”

“Ransomware infections are growing. There is an estimated 36 percent increase in ransomware strains per year.

Perhaps the lesson we should all learn is that global collaboration, communication and coordination is necessary to get ahead of malware infestations.

The WannaCry ransomware brought with it some unexpected consequences. It spread to an estimated 150-plus countries and impacted more than 300,000 computers. It had a substantial impact.

Recent estimates place the overall range of financial implications from $4 billion to $8 billion. Most of the impact is due to loss of productivity as well as costs associated with recovery, malware removal and re-imaging hard drives.

There were a number of lessons learned from this particular ransomware event. Here are the top five:

1. This event has many national cyber defense leaders calling for closer collaboration among countries.

2. Rogue nation-states may resort to malware attacks to create disruption of computing capabilities that is nothing more than an annoyance.

3. Reuse of previously used malicious code is common, and that alone does not provide insight into who is behind the attack.

4. The continued use of unsupported software poses substantial risks and must be addressed in all essential/critical systems.

5. The Un factor (unknown devices and unknown patches) is sitting there waiting to be compromised and used by attackers.

Some might say we learned that paying ransom demands does not mean a system will get unlocked. That is certainly true, but has been known for several years. Maintaining an accurate technology/devices/computer asset inventory is essential to maintaining timely backups and systems’ security.

In looking at all of this, one must realize that we have known all of this for years and yet we still suffer from these attacks! One has to wonder what it will take to correct these well-known shortcomings!”

http://fifthdomain.com/2017/06/06/wannacry-top-5-lessons-learned-commentary/

VA Will Shift Medical Records To DOD’s “In-Process” Electronic Medical Records System


Image:  Military Times

Total Investment To Date Now Projected at Nearly $10 Billion

“MILITARY TIMES”

VA has already spent more than $1 billion in recent years in attempts to make its legacy health record systems work better with military systems.

The military’s health record system is still being put in place across that department, more than three years after the acquisition process began. The initial contract topped $4.6 billion, but has risen in cost in recent years.

Shulkin did not announce a potential price tag for the move to a commercial electronic health records system, but said that a price tag of less than $4 billion would likely be “unrealistic.”

“Veterans Affairs administrators on Monday announced plans to shift veterans’ electronic medical records to the same system used by the Defense Department, potentially ending a decades-old problematic rift in sharing information between the two bureaucracies.

VA Secretary David Shulkin announced the decision Monday as a game-changing move, one that will pull his department into the commercial medical record sector and — he hopes — create an easier to navigate system for troops leaving the ranks.

“VA and DoD have worked together for many years to advance (electronic health records) interoperability between their many separate applications, at the cost of several hundred millions of dollars, in an attempt to create a consistent and accurate view of individual medical record information,” Shulkin said.

“While we have established interoperability between VA and DOD for key aspects of the health record … the bottom line is we still don’t have the ability to trade information seamlessly for our veteran patients. Without (improvements), VA and DoD will continue to face significant challenges if the departments remain on two different systems.”

White House officials — including President Donald Trump himself — hailed the announcement as a major step forward in making government services easier for troops and veterans.

Developing implementation plans and potential costs is expected to take three to six months.

But he did say VA leaders will skip standard contract competition processes to more quickly move ahead with Millennium software owned by Missouri-based Cerner Corp., the basis of the Pentagon’s MHS GENESIS records system.

“For the reasons of the health and protection of our veterans, I have decided that we can’t wait years, as DOD did in its EHR acquisition process, to get our next generation EHR in place,” Shulkin said.

Shulkin for months has promised to “get VA out of the software business,” indicating that the department would shift to a customized commercial-sector option for updating the health records.

The VA announcement came within minutes of Trump’s controversial proposal to privatize the nation’s air traffic control system. The president has repeatedly pledged to make government systems work more like a business, and in some cases hand over public responsibilities to the private sector.

Shulkin has worked to assure veterans groups that his efforts to rely on the private sector for expertise and some services will not mean a broader dismantling of VA, but instead will produce a more efficient and responsive agency.

He promised a system that will not only be interoperable with DOD records but also easily transferable to private-sector hospitals and physicians, as VA officials work to expand outside partnerships.

Shulkin is expected to testify before Congress on the fiscal 2018 budget request in coming weeks. As they have in past hearings, lawmakers are expected to request more information on the EHR changes then.”

http://www.militarytimes.com/articles/va-share-dod-electronic-medical-records-decision

Female Veteran Business Leaders Share Tips for Success


Photo Credit: Master Sgt. Jenifer Calhoun/Air Force

“MILITARY TIMES” By Leo Shane III

“A highlight of last month’s Women Veterans Leadership Summit organized by The Mission Continues was a panel from prominent business leaders on how to navigate the transition from military life to civilian careers.

Below are excerpts from that event, designed to focus on ways women leaving the service can use their experience to succeed in workplaces very different than their military posts:

** Know your mission

Amy Gravitt, executive vice president at HBO Programming, is a Navy veteran who served on board the USS Constellation in the Persian Gulf:

“It was quite a change going from the Navy to the entertainment industry. I took an unpaid internship with a production company. So I went from being a lieutenant and having a ton of responsibility and having people who worked for me to being the low man on the totem pole, by far.

“What got me my start in the industry and got me to where I am now is that I was the best intern. I went into this industry that was a mess and had no systems in place, and I started organizing it like my division on the ship …

“The company I worked for was George Clooney and Steven Soderberg’s company, and there were a lot of eager film students there who wanted to talk to them about films and ideas. And I knew they did not want to hear my ideas. They weren’t interested in me pitching them movies.

“So, I did the job that made their lives easier, and I was recognized for that.”

** Appreciate your service

Paula Boggs, founder of Boggs Media, served as an Army attorney and later went on to roles in the U.S. Attorney’s office and various technology firms.

“By the time I got to Dell, there were very few people who had military experience. I was like a unicorn. But because of that, there was heightened awareness of who the military was and what they were doing. And this was pre-9/11.

“A lot of tech companies are heavily male. So I was a unicorn in the sense of being a veteran, and a unicorn in the sense of being a woman. All the greater in figuring out how to capitalize on those two things in a setting like that…

“As a team building exercise, we were doing war games, playing Army … There was a moment when Michael Dell, founder of the company, just stopped and said, ‘Guys, Paula really did this!’ And you’d see this awe, this transformative moment. ‘She did something we can only play at.’

“Never underestimate how special being a veteran is, particularly in this post 9/11 environment … There’s this moment now in the country where veterans are not understood, but there is an elevated awareness of who you are and the specialness of the service you have given.”

** Embrace the civilian workplace

Nana Adae, executive director at JP Morgan Private Bank, spent seven years in the Navy specializing in communications and signals, including assignments in Japan, Greece and Spain.

“One of the things that I stress is that people just need to know you, because if it’s all about whether or not people like you, that’s a very superficial way of thinking about how you’re going to be judged.

“And unfortunately as women, I think a lot of times we put our head down. We just want to work. We don’t want to have any of the noise about who we really are or what’s going on with us because that might complicate things.

“But truthfully, in the work environment, the more successful people are the people who are known.”

** Don’t exaggerate your skills or limitations

Gravitt: “You’ll make a million mistakes along the way … so don’t be too eager to move up quickly. Make sure you’re ready to ride without the training wheels before you take them off.”

“When you make a mistake, apologize once and move on. Nobody else is going to obsess about your mistake, so you shouldn’t. Just figure out what you can learn from it.

“It doesn’t mean you have terrible instincts. It doesn’t mean that you’re bad at your job. It just means that you made a mistake. People do it all the time.”

** Keep looking for mentors

Boggs: “One of the most powerful mentors for me was my last assignment. I worked in the White House on the Iran-Contra investigation. My boss was a civilian, middle-aged white guy. I was a 20-something black female.

“On the surface, not like me at all. But he saw something in me that reminded him of himself, and became my champion for the first 15 years of my career.”

“Years later, someone wrote an article where I called him the most significant mentor of my career. He called me and said, ‘Paula, I never considered myself your mentor. You were just my friend.’ But he was that to me.”

“Mentors can be everywhere … keep an active peripheral vision, because you just never know.”

http://www.militarytimes.com/articles/mission-continues-business-advice-women-veterans

Leo Shane III covers Congress, Veterans Affairs and the White House for Military Times. He can be reached at lshane@militarytimes.com.

Tight Government Agency Budgets Bring a Silver Lining


Image:  http://alumni.bm.ust.hk

“WASHINGTON TECHNOLOGY” By Stan Soloway

“Growing funding pressures and uncertainty place a growing onus on agencies to navigate the turbulence in new and innovative ways.

Thus, far from being a market killer, it actually presents opportunity.

For years, the question of when the government might return to “regular order” – that is, a “normal” process in which appropriations are essentially completed by the end of September – has been a prominent one.

Agency leaders, industry, and others, have continually and appropriately harped on the deleterious impacts of the funding yo-yo that has dominated the scene for far too long.

And if there was one thing many hoped for as a result of having one party in control of both the White House and Congress, it was a return to regular order.

Well, it’s probably not going to happen. As virtually all recent reports have indicated, the budget debate within the parties, let alone between the parties, remains fierce and the chances of getting a full year fiscal 2018 funding bill by Sept. 30th are slim indeed.

President Trump’s budget blueprint – the “skinny budget” – generated plenty of debate; the release of his full proposed budget will only turn up the heat further. No budget resolutions have yet been proposed, let alone passed, and no spending instructions given to the appropriations committees.

Beyond that, consider what else Congress has to deal with over the next four months: the farm insurance bill; the children’s insurance program (CHIP); health care; possibly tax reform; and, of course, the debt ceiling. In other words, while a complex and many-layered debate is virtually certain, it has not yet really begun and one or more continuing resolutions appear almost certain.

To complicate matters further, the Senate cannot even take up the budget until after it finishes with health care, because as soon as a budget bill is passed the rules change previously instituted by the Democrats (requiring only a majority vote) will revert back to the standard rule under which 60 votes will be needed.

Thus, the betting is that another continuing resolution, or a series of them, will be needed.

And that is never a good thing for smart planning and program execution.

Nonetheless, it would appear that over the years most agencies have actually gotten pretty good at adjusting to the external dynamics and finding a way to do their jobs. Even as agencies struggled with the White House’s early budget instructions, most continued to operate relatively normally. And that has mostly carried over to the market as well.

Unlike what we saw with sequestration—the impacts of which were seen and felt months before it went into effect—the impacts of the potential or expected spending reductions are not reflected in a broad market slow-down. In fact, with the exception of State and EPA, just the opposite seems to be happening.

Through the first two quarters of fiscal 2017, civilian agency spending on professional services and IT both grew by double digits over the same period last year. At the Defense Department, for which we only have data for the first quarter, the pattern was the same (16 percent for professional services; 10 percent for IT).

And while it may seem counter-intuitive, this is actually consistent with what we’ve seen in recent years. Often, those agencies under the toughest budgetary pressures have also been those in which the market has performed best.

Again, this is in part the result of agencies having learned to operate amidst the chaos. But more importantly, it appears to validate another key market dynamic: as agencies are forced to be more and more selective with their funding, their highest priority missions, and thus those most fully funded, tend to be highly tech-centric (cyber, analytics, automation, etc.).

Almost by definition, those missions require more private sector support than other, more routine operations. Thus, market growth in a constrained environment is not only possible, it is likely.

Going forward, aside from major reductions in mission or service, agencies’ best hopes and strategies for dealing with the budget realities largely lie in aggressively expanding the degree to which they capitalize on opportunities to substantially reduce costs (and improve service) across the board, driven by the emergence of the digital economy.

It’s happening across the commercial sector; and this budget could well catalyze a similar transition in government.

This is not to say that predictability and stability should not still be a goal. It absolutely should be. Nor is it to suggest that some budget cuts won’t have very real negative impacts on segments of industry. They will.

But as the data and other trends suggest, stability may not be the holy grail it once appeared to be.”

https://washingtontechnology.com/articles/2017/05/22/insights-soloway-budget-silverlining.aspx

About the Author

Stan Soloway

Stan Soloway is a former deputy undersecretary of Defense and former president and chief executive officer of the Professional Services Council. He is now the CEO of Celero Strategies.

Defense Companies Are Here To Stay

“DEFENSE NEWS” By Charles Mahoney

“Like it or not, government agencies responsible for national security are dependent on private defense firms.

These companies are primarily responsible to shareholders rather than the American people. How can they be held accountable to the nation’s interests?

What is certain is that for-profit military and intelligence firms will remain an integral part of U.S. national defense. My research focuses on the changing nature of the private defense industry. Military contracting is still big business, although media coverage of private military firms has diminished since the withdrawal of the U.S. from Iraq in 2011. Today, contractors’ work ranges from assisting in drone missions to analyzing signals intelligence to training police forces in fragile countries like Afghanistan.”

Image: “Defense News”

“New frontiers

In recent years, private military companies have adapted to changing demands from U.S. defense agencies. During the wars in Iraq and Afghanistan, the U.S. military relied heavily on contractors to support counterinsurgency operations. However, high-profile incidents of alleged human rights abuses by the company CACI at Abu Ghraib prison in Iraq and Blackwater at Nisour Square, Iraq brought to light the difficulty the American military faces monitoring private defense companies.

At the same time, Americans have since become averse to nation-building campaigns in failing states. So, private defense firms have shifted away from supporting “boots on the ground.” Instead, they are increasingly assisting military and intelligence agencies with counterterrorism and cybersecurity.

While the American people generally want to avoid deploying troops to conflict zones, they still demand protection from terrorism. The Pentagon, CIA and other defense agencies receive assistance in these areas from private companies with expertise in drone warfare, special forces operations and analysis of electronic surveillance of potential terrorist threats. These traditionally were duties of public employees.

Cybersecurity is another area in which private military companies see increasing demand. Information gleaned from hacking government agencies, world leaders and political campaigns can be used by rogue states like Russia and nonstate actors like WikiLeaks to harm American interests.

Serving the public interest?

Most defense analysts now acknowledge that the question is not whether to privatize, but where to draw the line. If the U.S. government is going to work extensively with contractors, it requires a more robust oversight system. Government agencies and courts also need assurances they can hold defense firms accountable if they break the law overseas.

During the Iraq War, this was a point of serious contention. It was unclear what legal jurisdiction applied to employees of private defense firms. The uncertain legal status of contractors caused significant tension between the U.S. and the government of Iraq and hampered American counterinsurgency efforts.

Here are three ways Congress could increase accountability for private defense firms as the industry becomes more enmeshed in national security.

  • Congress could create an independent regulatory agency to report on contractors’ performance. While major firms in the industry insist they can regulate themselves, an independent oversight agency could more adequately assess how defense contractors perform.
  • As things stand now, the U.S. government often overlooks bad behavior and renews contracts with companies that have less than stellar records. Instead, the government could more severely penalize firms that do not fulfill the terms of their agreements.
  • Government employees often transition from public service into lucrative positions at billion-dollar defense corporations. Stricter rules to limit this “revolving door” would make government employees more willing to penalize firms.

Private defense contractors will likely be a major part of U.S. national defense for the foreseeable future. Diligent oversight and regulation of companies in this rapidly evolving industry, I believe, are necessary to ensure that these firms advance the public good of American security.”

http://www.defensenews.com/articles/private-defense-companies-are-here-to-stay-what-does-that-mean-for-national-security

Charles Mahoney is a professor of political science at California State University, Long Beach. His commentary was originally published on The Conversation.


WannaCry Worm Highlights Federal & Industry Failures

Image: Department of Defense (U.S. Cyber Command)

“BREAKING DEFENSE”

“The WannaCry worm proves that our collective response to cyber threats continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks has had, and will continue to have, the same pervasive impacts in government, industry, and at home, with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press and people being put at risk in hospitals, and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit, and it could have been worse if not for an enterprising 22-year-old who helped save the world by finding and sharing its kill switch. Unfortunately, nastier and more effective worms, viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask: what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a “don’t fix what ain’t broke” culture of accepting risk, because implementing a patch can be expensive and disruptive (trying to figure out why your 15-year-old patient scheduling system stopped working, for instance) and the potential real-world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, the South Korean banking attack, etc.) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government-funded NHS deemed that using post-end-of-life (and hence unfixable) Windows XP machines.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake-up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc. And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS, etc. means that the lines of authority, funding and staffing cloud the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

http://breakingdefense.com/2017/05/wannacry-worm-highlights-federal-industry-failures/