Tag Archives: security

For Defense Contractors New Qualification Cyber Rule Requires Auditable Plan Documents


“NATIONAL DEFENSE MAGAZINE”

“Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward.

Here are some tips on how to approach creating and utilizing these complex compliance documents.”

_______________________________________________________________________________________

“Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement 252.204-7012 mandate to comply with the special publication is a required priority for defense contractors, subcontractors and suppliers.

First of all, DFARS compliance includes safeguarding all controlled unclassified information and “covered defense information.” Contractors must report cyber-related incidents to the Defense Department and any deviations or gaps from NIST SP 800-171. They must show progress on a “plan of action with mitigations” and report and maintain a “system security plan.”

The plan of action with mitigations and system security plan are important artifacts to use to demonstrate your adherence to the NIST 800-171 guidance. Defense contractors or suppliers will need to submit these compliance documents to the department or a prime contractor, preferably sooner rather than later. Defense Department documentation calls these types of artifacts “critical inputs to an overall risk management decision to process, store or transmit” controlled unclassified information.

Contractors processing, storing or transmitting controlled unclassified information must meet, at a minimum, the security standards that were laid out in the Defense Federal Acquisition Regulation Supplement. Those who decide to avoid it unfortunately risk losing contracts this year and in years moving forward, and even risk falling under the False Claims Act. Especially if a company has already received a questionnaire, it’s important that it submit its compliance status truthfully, and prepare compliance documents now if it wants to keep its customers.

Identifying the scope and target of evaluation is important here. There are approximately 120 controls included in NIST SP 800-171, and assessing each of these controls for documents, for every component of a system, can be a massive undertaking for an organization. By identifying only those components that are either directly or indirectly in scope, a contractor can reduce the list of areas that need to be assessed.

Having these two documents proving each control status and plan for remediation allows an organization to address the DFARS 252.204-7012 requirement for 2018. The key is showing where the gaps are, a plan for remediation and progress according to that plan.

Here is the direct guidance from the Office of the Under Secretary of Defense: “NIST SP 800-171 was revised (Revision 1) in December 2016 to enable non-federal organizations to demonstrate implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.”

The security requirement 3.12.4 — system security plan, added by NIST SP 800-171, Revision 1 — requires the contractor to develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 — plans of action — requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

The goal is to assess the target of evaluation defined in step one and the components identified in step two of the process against the controls. Both current and target scores should be recorded to enable a gap analysis that will feed the two documents.

A system security plan can be critical to fully documenting compliance. Revision 1 to NIST SP 800-171 added another control to the set that requires the creation of a plan to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”

In addition to the plan of actions and mitigations, the system security plan “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.”

That means that the documents must describe the requirements, how a contractor plans to remediate for each of the controls, and a timeline for remediation in the organization.

That is just the bare bones, as there is much more information that can be included for compliance such as team members in charge of controls, deadlines and technology that will be adopted in remediation steps.

A great deal of company resources will have to be allotted to getting these documents ready if requested. Regardless of the method, these documents are key for saving contracts if not yet fully compliant, and will put a company in good standing for primes or contracts against the competition.

In 2018, contractors need to ensure they are working on becoming compliant using these documents, and that they can demonstrate competitiveness and adherence to the regulations if the business relies on defense-related revenue.”

http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents

Critical Lack of Trained Experts To Meet Cybersecurity Threat


Image:  Villanova University

“THE DENVER POST”

“Today there are more than 120,000 unfilled cybersecurity positions.

A figure greater than the number currently employed.

Months have passed since the FBI took aim at encryption in the case of the San Bernardino shooter’s iPhone. Once the dust settled, our country began to take a different look at the dangers of unprotected data.

A series of incidents has revealed alarming vulnerabilities in our digital defenses. In the worst of these, we’ve seen a foreign power seek to influence our presidential election through the breach of voter registration databases in Illinois and Arizona, and the theft of sensitive information from national party headquarters. These pose a grave threat to our democracy.

Forty-four years ago, our country suffered through turmoil after a similar break-in at the Democratic National Committee’s headquarters at the Watergate complex in Washington, D.C. Now we face the humiliation of revisiting the same crime, but this time perpetrated online by foreign state actors seeking to undermine public confidence in our elections.

We clearly need to bolster our defenses to maintain the integrity of the electoral process. Companies across the nation must also protect themselves from attackers that exploit security weaknesses. These challenges can only be met by first addressing the critical shortage of cybersecurity experts.

Watching the FBI stumble through the encryption debate opened our eyes to the severity of this shortage. Most of the agency’s struggles could have been avoided with personnel trained in the right forensics procedures. Focusing instead on requiring companies to compromise encryption security indicated that a different type of expertise was needed.

The FBI isn’t alone. Breaches at hospitals, retailers and in our own government have shown the dangers of ignoring this threat. Accordingly, the demand for cybersecurity professionals has skyrocketed, particularly since people with these skills are in very short supply.

High salaries are offered to lure these experts. The national average exceeds $93,000, according to the Bureau of Labor Statistics, and in Denver that figure is $98,590. Unfortunately, generous compensation hasn’t come close to attracting the number of applicants needed.

The problem is that our schools aren’t providing necessary education. Only one in eight high schools teach AP computer science. Few universities offer cybersecurity coursework and many graduates face difficulty transitioning into this workforce.

Some companies scramble to plug staffing holes with offshore contractors. That won’t work for critical infrastructure jobs requiring security clearance for which only American citizens qualify.

Our government’s battle against encryption technology was a distraction from more pressing challenges. Instead of fighting U.S. companies in the courtroom, we should be developing talent in the classroom to fight cyber attacks from abroad.

Colorado has taken the lead in this area. Our state has established the National Cybersecurity Center in Colorado Springs, and the Denver area has emerged as a hub for cybersecurity companies. Specialized training facilities have been a key factor in this growth.

The steps we are taking locally offer promise for the future, but the global stakes are immense. Russia-based attackers have already shut down Estonia’s banking system and Ukraine’s electrical grid.

While these events were temporary disruptions, they may have been the proving ground for much larger attacks. Future wars will be waged first in cyberspace where key infrastructure is disabled to aid kinetic, on-the-ground assaults.

The recent cyberattacks against our country demonstrate the grave danger posed by hostile foreign powers. Our country has the ability to combat these threats, but we must allocate resources where urgently needed. Prioritizing skills education — from grade school to job retraining — is essential to build the cybersecurity defenses we need. Only through investment in these capabilities can we be prepared to meet the challenges before us.”

Amid growing U.S. cybersecurity threat, a critical lack of trained experts


Social Media on the Front Lines of War

New Zealand ISIL Terrorist Accidentally Tweets Location from Syria

“FOREIGN POLICY ASSOCIATION”

“Social media started out as a technological innovation but has become a social phenomenon.

Intelligence agencies appreciate the importance of social media and its role.

In a recent PBS Newshour interview, Nick Rasmussen, of the National Counter-Terrorism Center (NCTC) just outside Washington DC, explained how, in the context of searching for a terrorist threat, “increasingly what ‘connecting the dots’ means to me is dealing with the huge volume of publicly available information. The work we’re doing now often doesn’t involve really sensitive intelligence; it involves looking at Twitter, or some other social media platform, and trying to figure out who that individual is behind the screen name.”

Since the early 2000s Facebook has become indispensable for families and friends to stay in touch, and people and organizations with large numbers of Twitter followers are able to carve out virtual mini-media empires. Clicks and ‘follows’ are the new version of voting with your feet. The more readers or followers one has, goes the logic, the more influence one wields.

To turn it around, people who actively use social media for every day, non-political reasons are also subject to being targeted.

One of the vulnerabilities (or advantages, to a combatant wishing to recruit people) is that social media accounts usually expose users to invasive scrutiny. Facebook and LinkedIn profiles can carry enough information that, shared with the wrong person, can be used to compromise that person or uncover confidential information about his/her job. Many countries’ military members are now routinely required to not specify their location or activities.

As the years passed of the conflicts in Iraq and Afghanistan, jihadi groups increasingly began to recruit through social media. Stories now abound of young adults of Middle Eastern heritage and origin, living in western Europe and the US, who have been contacted by Islamic State through social media and convinced to move to Raqqa, the Islamic State’s purported capital. Some 60 young women from the UK, aged 20 and below, are thought in the past several years to have traveled to Raqqa.

The huge growth in cell phone cameras and the ease of posting pictures to social media has also played a role in tracking and finding various targets. Of recent note, investigative organizations were able to track operatives and military equipment in eastern Ukraine primarily through personal pictures posted to social media and publicly available imaging, including open source tracking of the apparent missile launcher used to destroy Malaysian Airlines flight 17 in 2014. This has also been a method to discover the location of various actors in the labyrinthine war in Syria.

Per the previously mentioned PBS Newshour article, many Islamic State fighters simply do not disable the geo-location feature on their phones, which allows those with the right technology to track them.

Intelligence agencies of major world powers now seem to appreciate the importance of social media and its role in ‘information operations,’ a military term that implies the ability of messaging to affect the viewpoints of a target population. Just looking through listings for ‘intelligence analyst’ on several Washington DC-based job boards, foreign language specialists are widely sought for social media and social networking positions.

Of course, it is not only parties to the world’s trouble regions that are looking to abuse social media to their advantage. For an even longer time, social engineers and hackers have tried to gather personal information by establishing links online.

If you are uncertain about that LinkedIn invitation you just got, try to verify the person through a known contact. If you are doubtful, ‘ignore’ or ‘delete’ works just fine. If he or she happens to be a colleague whom you meet at the next social, you can safely add them, and actually have a face-to-face conversation, something social media, unfortunately, seems to increasingly discourage.”

Social Media Now on Conflicts’ Front Lines


Military Tech Matchmaker Getting Ready to Open Wallet


Image: mayoradler.com

“DEFENSE ONE”

“The Defense Innovation Unit Experimental, or DIUx, connects smallish companies with potential customers inside the Defense Department. It has plans to fund another 22 projects to the tune of $65 million.

For every dollar DIUx puts toward a new company, a military branch contributes $3.

The 2017 National Defense Authorization Act charged “outreach is proceeding without sufficient attention being paid to breaking down the barriers that have traditionally prevented nontraditional contractors from supporting defense needs, like lengthy contracting processes and the inability to transition technologies.”

Folks close to [Defense Secretary] Carter have said that he remains deeply, personally committed to the effort, and would open a DIUx cell in every city in America if he could.

“I created DIUx last year because one of my core goals as secretary of defense has been to build, and in some cases rebuild, the bridges between our national security endeavor at the Pentagon and America’s wonderfully innovative and open technology community,” Carter said.”

http://www.defenseone.com/technology/2016/09/militarys-tech-matchmaker-getting-ready-open-its-wallet/131554/?oref=defenseone_today_nl


Uncle Sam Wants You


“BREAKING DEFENSE”

Defense Secretary Ash Carter told a skeptical tech community.

It’s part of an all-out effort by the military’s civilian leader to get the technologically best and brightest to work with or even for the often-hidebound Pentagon.

Carter has created the Defense Innovation Unit Experimental (DIUX) and the Defense Digital Service, both of which report directly to him.

The outbound lane on Carter’s new bridge is the DIUX, the much-publicized project to put Pentagon reps in Silicon Valley, Boston, Austin and (soon) other high-tech hotspots around the country. The inbound lane is the Defense Digital Service, which brings civilian techies into the Pentagon.

“A SWAT Team Of Nerds”

The Defense Digital Service is “a SWAT team of nerds,” said Chris Lynch, the DDS director. They spend a year or more at the Defense Department helping with particularly knotty and important problems. “On this particular trip,” he explained to reporters on Secretary Carter’s plane en route to the TechCrunch conference, “we’re going to meet with some high-profile engineers to try to convince them to come out for at least a year to serve their country.”

To ease that transition, Lynch’s outfit is consciously counter-cultural. He’s made a point of wearing jeans and sneakers from day one. His team call themselves and any friends they find in the bureaucracy “the Rebel Alliance.”

The “service” is also awfully small. “We have about 18 people today,” Lynch said, and they are working on half-a-dozen projects.

“Our goal is to stay small and be very selective about the projects that we’re engaged in,” Lynch said. Defense agencies, services, and commands come to him to pitch their projects, but which ones DDS ultimately takes on is in large part guided by the personal interests, expertise, and passion of the individuals who join the service. The service doesn’t try to replace the people already working on a problem for the Defense Department. Instead, DDS aims to help defense insiders over crucial hurdles with a well-timed infusion of outsider knowledge, then move on.

But how can less than 20 people make an impact on the two million-strong Department of Defense? “This model has been proven out many, many times over history, in particular at DoD,” Lynch said. “Small, highly empowered teams can actually make history and can change things.”

“The Department of Defense got to pull off the first ever federal bug bounty,” Lynch said. “It’s probably the last place that a lot of people would have thought it would have happened.”

Now the effects are “cascading” across the federal government, said D.J. Patil, the Chief Data Scientist at the White House, speaking alongside Lynch. Just as the Defense Digital Service was the catalyst to get the Defense Department to move, the Defense Department’s example is the catalyst getting other agencies to move.

“Since the Department of Defense launched this first-ever Hack the Pentagon bug bounty program, we have seen a number of other departments who have said, ‘oh, that was really good, we’re going to go do that too,’” said Patil.

Marijuana? Maybe. Treason? No.

The audience at TechCrunch seemed more than a little skeptical of Carter’s pitch. Their questions ranged from the National Security Agency to digital privacy, Edward Snowden — a traitor to many in the Pentagon but a hero to many here — and even drug use.

What if a really good engineer went to Burning Man and decided to “partake in some goodies,” the moderator asked. Would that disqualify them from working for the Pentagon?

“Times change,” Carter said. “The laws change respecting marijuana…. Yes, we can be flexible in that regard.”

The call to serve their country “animates a lot of people,” the secretary said, “but they want to know if it can be done in a way that’s consistent with their lifestyle, their values, with everything else that’s important in their lives.” The Pentagon needs to meet them halfway.

But some things cannot change. Asked if the president should pardon Edward Snowden, the NSA contractor who illegally disclosed vast archives of highly classified material, Carter refused to comment on individual cases but came down emphatically against leaks.

“All of us who enjoy the public trust and handle classified information have the responsibility” to safeguard it, Carter said. That does not mean we have the right to tell the world secrets that we personally feel uncomfortable keeping. “To arrogate to oneself the authority to (disclose) something that’s been trusted to you,” he said, “that is something we can’t condone.”

The cultural divide is very real. The day after his talk at TechCrunch, Carter went to Austin to announce a new DIUX outpost to be hosted by the Capital Factory there. A poster on the wall quoted Buckminster Fuller on the need to “reorient world production away from weaponry,” and a local reporter asked whether techies working with DIUX should be worried their technology would be “militarized” or “misused.”

“We’re actually looking to reach out and build bridges to people who have not worked with us before — and yes, that includes people who have reservations,” Carter replied, “because I think when they get to know us, they’ll learn two things. The first is the United States military conducts itself in a way that I think makes people proud,” Carter said. “We’re extremely careful in what we do that we don’t harm civilians. No other military is as scrupulous.”

“The other thing they’ll discover,” Carter continued, “is the great satisfaction that comes from knowing, when you go to bed at night, that you spent your day doing something that contributes to the security of the country and a better world.”

SecDef Carter Wants YOU For The Defense Digital Service


“Jigsaw” – Google’s Plan to Stop Aspiring ISIS Recruits


“WIRED”

“Perhaps one of world’s most dangerous problems of ignorance and indoctrination can be solved in part by doing what Google does best:

Helping people find what they most need to see.

Google has built a half-trillion-dollar business out of divining what people want based on a few words they type into a search field. In the process, it’s stumbled on a powerful tool for getting inside the minds of some of the least understood and most dangerous people on the Internet: potential ISIS recruits. Now one subsidiary of Google is trying not just to understand those would-be jihadis’ intentions, but to change them.

Jigsaw, the Google-owned tech incubator and think tank—until recently known as Google Ideas—has been working over the past year to develop a new program it hopes can use a combination of Google’s search advertising algorithms and YouTube’s video platform to target aspiring ISIS recruits and ultimately dissuade them from joining the group’s cult of apocalyptic violence. The program, which Jigsaw calls the Redirect Method and plans to launch in a new phase this month, places advertising alongside results for any keywords and phrases that Jigsaw has determined people attracted to ISIS commonly search for. Those ads link to Arabic- and English-language YouTube channels that pull together preexisting videos Jigsaw believes can effectively undo ISIS’s brainwashing—clips like testimonials from former extremists, imams denouncing ISIS’s corruption of Islam, and surreptitiously filmed clips inside the group’s dysfunctional caliphate in Northern Syria and Iraq.

“This came out of an observation that there’s a lot of online demand for ISIS material, but there are also a lot of credible organic voices online debunking their narratives,” says Yasmin Green, Jigsaw’s head of research and development. “The Redirect Method is at its heart a targeted advertising campaign: Let’s take these individuals who are vulnerable to ISIS’ recruitment messaging and instead show them information that refutes it.”

The results, in a pilot project Jigsaw ran early this year, were surprisingly effective: Over the course of about two months, more than 300,000 people were drawn to the anti-ISIS YouTube channels. Searchers actually clicked on Jigsaw’s ads three or four times more often than a typical ad campaign. Those who clicked spent more than twice as long viewing the most effective playlists than the best estimates of how long people view YouTube as a whole. And this month, along with the London-based startup Moonshot Countering Violent Extremism and the US-based Gen Next Foundation, Jigsaw plans to relaunch the program in a second phase that will focus its method on North American extremists, applying the method to both potential ISIS recruits and violent white supremacists.

An Antidote to Extremism’s Infection

While tech firms have been struggling for years to find countermeasures to extremist content, ISIS’ digital propaganda machine has set a new standard for aggressive online recruitment. Twitter has banned hundreds of thousands of accounts only to see them arise again—many migrating to the more private service Telegram—while other services like YouTube and Facebook have fought an endless war of content removal to keep the group’s vile beheading and immolation videos offline. But attempts to intercept the disaffected young Muslims attracted to that propaganda and offer them a counternarrative—actual protection against the group’s siren song—have mostly amounted to public service announcements. Those PSA series have included the U.S. State Department’s campaign called Think Again, Turn Away and the blunt messaging of the cartoon series Average Mohammed.

Those campaigns are likely only effective for dissuading the audience least indoctrinated by ISIS’s messages, argues Green, who’s interviewed jailed ISIS recruits in Britain and defectors in an Iraqi prison. “Further down the funnel are the people who are sympathetic, maybe ideologically committed, maybe even already in the caliphate,” says Green. “That’s Jigsaw’s focus.”

To capture the people already drawn into ISIS’ orbit, Jigsaw took a less direct approach. Rather than create anti-ISIS messages, the team curates them from YouTube. “We thought, what if the content exists already?” says Green. “We knew if it wasn’t created explicitly for this purpose, it would be more authentic and therefore more compelling.”

Testing the Theory

Jigsaw and two partners on the pilot project, Moonshot CVE and the Lebanese firm Quantum Communications, assembled two playlists of videos they found in both Arabic and English, ranging from moderate Muslim clerics pointing out ISIS’s hypocrisy to footage of long food lines in ISIS’s Syrian stronghold Raqqa.

Another video in Jigsaw’s playlist shows an elderly woman excoriating members of ISIS and quoting the Koran to them:

Jigsaw chose more than 1,700 keywords that triggered ads leading to their anti-ISIS playlists. Green and her team focused on terms they believed the most committed ISIS recruits would search for: names of waypoints on travel routes to ISIS territory, phrases like “Fatwa [edict] for jihad in Syria” and names of extremist leaders who had preached ISIS recruitment. The actual text of the search ads, however, took a light-touch approach, with phrases like “Is ISIS Legitimate?” or “Want to Join ISIS?” rather than explicit anti-ISIS messages.

Measuring the actual effects of the campaign in dissuading ISIS recruits isn’t easy. But Jigsaw and its partners found that they at least captured searchers’ attention. The clickthrough rates on some of the ads were more than 9 percent, they say, compared with averages around 2 or 3 percent in the average Google keyword advertising campaign. They also discovered that the hundreds of thousands of searchers spent a total of half a million minutes watching the videos they collected, with the most effective videos getting as much as 8 minutes and 20 seconds average viewing time.

But Could It Work?

Jigsaw’s program is far from a comprehensive solution to ISIS’s online recruitment, says Humera Khan, the executive director of the Islamic deradicalization group Muflehun. She points out that both Google and Facebook have trained anti-extremism non-profits in the past on how to use their keyword advertising, though perhaps without the deep involvement in targeting, curating and promoting video Jigsaw is trying. More importantly, she argues, attracting ISIS sympathizers to a video playlist is only the first step. “If they can hook people in, can they keep them coming back with new and relevant content? That’ll be important,” says Khan. Eventually, any successful deradicalization effort also needs human interaction, and a supportive community backing up the person’s decision to turn away from extremism. “This sounds like a good piece of the solution. But it’s not all of it.”

From a national security perspective, Jigsaw’s work raises another glaring question: Why not target would-be ISIS recruits for surveillance and even arrest instead? After all, intercepting ISIS sympathizers could not only rescue those recruits themselves, but the future victims of their violence in terrorist attacks or genocidal massacres in ISIS’s bloody sphere of influence. On that question, Jigsaw’s Green answers carefully that “social media platforms including YouTube have a responsibility to cooperate [with] the governments’ lawful requests, and there are processes in place to do that.” Translation? Google likely already helps get some of these people arrested. The company, after all, handed over some data in 64 percent of the more than 40,000 government requests for its users’ data in the second half of last year.

But Green says that the Redirect Method, beyond guiding ISIS admirers to its videos, doesn’t seek to track them further or identify them, and isn’t designed to lead to arrests or surveillance, so much as education. “These are people making decisions based on partial, bad information,” says Green. “We can affect the problem of foreign fighters joining the Islamic State by arming individuals with more and better information.” She describes the campaign’s work as a kind of extension of Google’s core mission “to make the world’s information accessible and useful.”

Google’s Clever Plan to Stop Aspiring ISIS Recruits


Millions To Find Cyber Flaws in Weapon Systems


“DEFENSE NEWS”

“The highly networked nature of two key military systems, the F-35 Lightning II and Distributed Common Ground System-Army, the service’s intelligence dissemination system, illustrate how digitally dependent the US military has become.

Nearly all of DoD’s major weapons systems were vulnerable to cyber attacks.

Amid a growing focus on the Pentagon’s cyber vulnerabilities, it plans to reprogram $100 million toward uncovering such flaws in major weapon systems, according to budget documents posted this week.
Defense Department Comptroller Mike McCord notified Congress Aug. 29 of plans to move the money from a technology analysis account to a research, test and evaluation account—described as classified in the DoD’s 2016 budget justification. The notice was first reported by Inside Defense.

The Defense Department is bound by law to evaluate the cyber vulnerabilities of major weapons systems and report to Congress by the end of 2019, with $200 million authorized for the project. The mandate was the marquee provision in military cybersecurity legislation the president signed last year as part of the 2016 defense policy bill.

Weapons systems developed over the past 20 years are “highly effective on the battlefield and yet also highly vulnerable to network attack,” as they are increasingly dependent on “network targeting information, digital satellite communication to GPS networks, and digital command operating pictures/blue force trackers,” Jacquelyn Schneider, a scholar at George Washington University warns in a report published this week by the Center for New American Security.

The highly networked nature of two key military systems, the F-35 Lightning II and Distributed Common Ground System-Army, the service’s intelligence dissemination system, illustrate how digitally dependent the US military has become.

Indeed, the Pentagon’s Director of Operations, Test and Evaluation (DOT&E), Michael Gilmore announced last year he found that nearly all of DoD’s major weapons systems were vulnerable to cyber attacks. Forty systems in 2014 needed to fix cyber vulnerabilities, including the Army’s Warfighter Information Network-Tactical, the Navy’s Joint High Speed Vessel and the Freedom class of Littoral Combat Ship.

A 2013 Defense Science Board study warned that while DoD takes care to secure the use and operation of its weapons systems, it neglects the information technology systems used to operate and support them, or the cyber capabilities embedded within them. As a result, a foe could cut communication links and inactivate, redirect or destroy US weapon systems.

“In today’s world of hyper-connectivity and automation, any device with electronic processing, storage, or software is a potential attack point and every system is a potential victim–including our own weapons systems,” the report reads.

The report stressed the difficulty of predicting the cyber security of any system, noting, “A few critical bits manipulated in a weapon fire control system can render that weapon ineffectual.”

The Defense Department has been focusing on fixing cyber vulnerabilities beyond its weapons systems. In June, white-hat hackers found 138 vulnerabilities in a DoD-sponsored bug bounty event. That came a year after intruders — suspected to be Russian — hacked into an unclassified email system used by the Joint Chiefs of Staff, forcing the military to take it offline temporarily.”

Homeland Security Must Manage Risk – Not Events


“THE HILL”

“The department’s mitigation programs, relationships with states and localities, and emerging analytic capability make it the ideal hub for a risk management mission.

The DHS isn’t doing its job because it doesn’t know what its job is.

Rather than combating terrorism, the department should refocus its mission around combating risks of all kinds.

It was created as a mishmash of 22 disparate agencies in the rush to respond to the Sept. 11 attacks. Congress and the president created the department with the explicit mission of preventing terrorism, but they included unrelated agencies that needed a home, while other important terrorism- or disaster-related agencies were left out.

Today, the department’s management spends much of its precious time responding to the headline of the day across multiple missions of protecting the border, preparing for natural disasters, and managing airport screeners. Its frontline employees don’t fare any better — the agency routinely tops the list of worst places to work in government. Fortunately, the department can do better. Public administration scholars have found that one of the best ways to improve job satisfaction is to make missions and goals more clear and less ambiguous.

Fixing the department requires jettisoning the holding company model and leaving the job of curbing terrorist threats to the Department of Justice, which houses the FBI. Without terrorism at the center, the agency can refocus on assessing and reducing an array of risks for natural and technological disasters. For any particular threat, such as terrorism or hurricanes, risk is a function of the probability of the threat multiplied by the potential consequences. That sounds simple enough, but if done correctly it could transform how we prepare for disasters and make the country safer.

Right now, the DHS manages siloed programs to prepare for many different kinds of threats. But it is difficult to prioritize investments across different threats over time. A reformed department would compare the risks posed by hurricanes, forest fires, tornadoes, radiological “dirty bombs,” and cyber attack. Some defenses, such as concrete barriers, can reduce the damage caused by both floods and terrorism. The department could also assess risks over time. Investing in mitigation, or reducing the damage caused by disasters before they happen, is cheaper than coming to the rescue after a disaster. A report from the Multihazard Mitigation Council found that mitigation saves society an average of $4 saved for every $1 spent. It is difficult to convince politicians and department leaders to spend money on mitigation, however, because they cannot easily take credit for helping to prevent a disaster that never happened, or that might not happen on their watch.

The DHS’ disaster management arm, FEMA, already offers grants to states and localities to build mitigation programs. But these programs are modest, and FEMA employees make up less than two percent of the department. Extending the mission of FEMA’s modest mitigation directorate would reorient the department around illustrating what risks society faces and what investments would reduce them. There is much work to be done. Convincing cash-strapped jurisdictions to spend money on mitigation requires evidence that the cost is worth it.

Some department officials say that they are already doing risk management. When compared with the careful forecasts of the National Oceanic and Atmospheric Administration or the exhaustive reports of the General Accountability Office, however, DHS products come up short. Building on analytic capacity from other agencies and the private sector could make the DHS the government face for information about risk.

For all the complaints that cities make about the department, the DHS has closer ties to cities and states than do most of the expert science agencies in the federal government. DHS border agents work closely with state and local police, and FEMA operates grant programs with every state and many counties. The department’s connections to the street level could be significantly enhanced with a sharper focus on risk management that leverages these existing relationships.

A reinvigorated DHS would leave chasing terrorists to better equipped agencies, jettisoning the ostensible reason for the department’s creation. Its new and expanded mission of assessing, illustrating, and reducing risks of disasters of all kinds is better suited for the 21st century. The world may not be more dangerous than it was in the last century, but it is more complex.”

http://thehill.com/blogs/congress-blog/homeland-security/294132-a-new-mission-for-homeland-security-managing-risk?utm_source=Sailthru&utm_medium=email&utm_campaign=EBB%2009.02.16&utm_term=Editorial%20-%20Early%20Bird%20Brief

How the Pentagon Became Walmart

(Photo: aerial view from over Arlington, Va. By USAF/Getty Images)

“FOREIGN POLICY”

“Asking warriors to do everything poses great dangers for our country — and the military.

Our armed services have become the one-stop shop for America’s policymakers.

Here’s the vicious circle in which we’ve trapped ourselves: As we face novel security threats from novel quarters — emanating from nonstate terrorist networks, from cyberspace, and from the impact of poverty, genocide, or political repression, for instance — we’ve gotten into the habit of viewing every new threat through the lens of “war,” thus asking our military to take on an ever-expanding range of nontraditional tasks. But viewing more and more threats as “war” brings more and more spheres of human activity into the ambit of the law of war, with its greater tolerance of secrecy, violence, and coercion — and its reduced protections for basic rights.

Meanwhile, asking the military to take on more and more new tasks requires higher military budgets, forcing us to look for savings elsewhere, so we freeze or cut spending on civilian diplomacy and development programs. As budget cuts cripple civilian agencies, their capabilities dwindle, and we look to the military to pick up the slack, further expanding its role.

“If your only tool is a hammer, everything looks like a nail.” The old adage applies here as well. If your only functioning government institution is the military, everything looks like a war, and “war rules” appear to apply everywhere, displacing peacetime laws and norms. When everything looks like war, everything looks like a military mission, displacing civilian institutions and undermining their credibility while overloading the military.

More is at stake than most of us realize. Recall Shakespeare’s Henry V:

In peace there’s nothing so becomes a man

As modest stillness and humility:

But when the blast of war blows in our ears,

Then imitate the action of the tiger;

Stiffen the sinews, summon up the blood,

Disguise fair nature with hard-favour’d rage 

In war, we expect warriors to act in ways that would be immoral and illegal in peacetime. But when the boundaries around war and the military expand and blur, we lose our ability to determine which actions should be praised and which should be condemned.

For precisely this reason, humans have sought throughout history to draw sharp lines between war and peace — and between the role of the warrior and the role of the civilian. Until less than a century ago, for instance, most Western societies maintained that wars should be formally declared, take place upon clearly delineated battlefields, and be fought by uniformed soldiers operating within specialized, hierarchical military organizations. In different societies and earlier times, humans developed other rituals to delineate war’s boundaries, from war drums and war sorcery to war paint and complex initiation rites for warriors.

Like a thousand other human tribes before us, we modern Americans also engage in elaborate rituals to distinguish between warriors and civilians: Our soldiers shear off their hair, display special symbols on their chests, engage in carefully choreographed drill ceremonies, and name their weapons for fearsome spirits and totem animals (the Hornet, the Black Hawk, the Reaper). And despite the changes ushered in by the 9/11 attacks, most of us view war as a distinct and separate sphere, one that shouldn’t intrude into our everyday world of offices, shopping malls, schools, and soccer games. Likewise, we relegate war to the military, a distinct social institution that we simultaneously lionize and ignore. War, we like to think, is an easily recognizable exception to the normal state of affairs and the military an institution that can be easily, if tautologically, defined by its specialized, war-related functions.

But in a world rife with transnational terrorist networks, cyberwarriors, and disruptive nonstate actors, this is no longer true. Our traditional categories — war and peace, military and civilian — are becoming almost useless.

In a cyberwar or a war on terrorism, there can be no boundaries in time or space: We can’t point to the battlefield on a map or articulate circumstances in which such a war might end. We’re no longer sure what counts as a weapon, either: A hijacked passenger plane? A line of computer code? We can’t even define the enemy: Though the United States has been dropping bombs in Syria for almost two years, for instance, no one seems sure if our enemy is a terrorist organization, an insurgent group, a loose-knit collection of individuals, a Russian or Iranian proxy army, or perhaps just chaos itself.

We’ve also lost any coherent basis for distinguishing between combatants and civilians: Is a Chinese hacker a combatant? What about a financier for Somalia’s al-Shabab, or a Pakistani teen who shares extremist propaganda on Facebook, or a Russian engineer paid by the Islamic State to maintain captured Syrian oil fields?

When there’s a war, the law of war applies, and states and their agents have great latitude in using lethal force and other forms of coercion. Peacetime law is the opposite, emphasizing individual rights, due process, and accountability.

When we lose the ability to draw clear, consistent distinctions between war and not-war, we lose any principled basis for making the most vital decisions a democracy can make: Which matters, if any, should be beyond the scope of judicial review? When can a government have “secret laws”? When can the state monitor its citizens’ phone calls and email? Who can be imprisoned and with what degree, if any, of due process? Where, when, and against whom can lethal force be used? Should we consider U.S. drone strikes in Yemen or Libya the lawful wartime targeting of enemy combatants or nothing more than simple murder?

When we heedlessly expand what we label “war,” we also lose our ability to make sound decisions about which tasks we should assign to the military and which should be left to civilians.

Today, American military personnel operate in nearly every country on Earth — and do nearly every job on the planet. They launch raids and agricultural reform projects, plan airstrikes and small-business development initiatives, train parliamentarians and produce TV soap operas. They patrol for pirates, vaccinate cows, monitor global email communications, and design programs to prevent human trafficking.

Many years ago, when I was in law school, I applied for a management consulting job at McKinsey & Co. During one of the interviews, I was given a hypothetical business scenario: “Imagine you run a small family-owned general store. Business is good, but one day you learn that Walmart is about to open a store a block away. What do you do?”

“Roll over and die,” I said immediately.

The interviewer’s pursed lips suggested that this was the wrong answer, and no doubt a plucky mom-and-pop operation wouldn’t go down without a fight: They’d look for a niche, appeal to neighborhood sentiment, or maybe get artisanal and start serving hand-roasted chicory soy lattes. But we all know the odds would be against them: When Walmart shows up, the writing is on the wall.

Like Walmart, today’s military can marshal vast resources and exploit economies of scale in ways impossible for small mom-and-pop operations. And like Walmart, the tempting one-stop-shopping convenience it offers has a devastating effect on smaller, more traditional enterprises — in this case, the State Department and other U.S. civilian foreign-policy agencies, which are steadily shrinking into irrelevance in our ever-more militarized world. The Pentagon isn’t as good at promoting agricultural or economic reform as the State Department or the U.S. Agency for International Development — but unlike our civilian government agencies, the Pentagon has millions of employees willing to work insane hours in terrible conditions, and it’s open 24/7.

It’s fashionable to despise Walmart — for its cheap, tawdry goods, for its sheer vastness and mindless ubiquity, and for the human pain we suspect lies at the heart of the enterprise. Most of the time, we prefer not to see it and use zoning laws to exile its big-box stores to the commercial hinterlands away from the center of town. But as much as we resent Walmart, most of us would be hard-pressed to live without it.

As the U.S. military struggles to define its role and mission, it evokes similarly contradictory emotions in the civilian population. Civilian government officials want a military that costs less but provides more, a military that stays deferentially out of strategy discussions but remains eternally available to ride to the rescue. We want a military that will prosecute our ever-expanding wars but never ask us to face the difficult moral and legal questions created by the eroding boundaries between war and peace.

We want a military that can solve every global problem but is content to remain safely quarantined on isolated bases, separated from the rest of us by barbed wire fences, anachronistic rituals, and acres of cultural misunderstanding. Indeed, even as the boundaries around war have blurred and the military’s activities have expanded, the U.S. military itself — as a human institution — has grown more and more sharply delineated from the broader society it is charged with protecting, leaving fewer and fewer civilians with the knowledge or confidence to raise questions about how we define war or how the military operates.

It’s not too late to change all this.

No divine power proclaimed that calling something “war” should free us from the constraints of morality or common sense or that only certain tasks should be the proper province of those wearing uniforms. We came up with the concepts, definitions, laws, and institutions that now trap and confound us — and they’re no more eternal than the rituals and categories used by any of the human tribes that have gone before us.

We don’t have to accept a world full of boundary-less wars that can never end, in which the military has lost any coherent sense of purpose or limits. If the moral and legal ambiguity of U.S.-targeted killings bothers us, or we worry about government secrecy or indefinite detention, we can mandate new checks and balances that transcend the traditional distinctions between war and peace. If we don’t like the simultaneous isolation and Walmartization of our military, we can change the way we recruit, train, deploy, and treat those who serve, change the way we define the military’s role, and reinvigorate our civilian foreign-policy institutions.

After all, few generals actually want to preside over the military’s remorseless Walmartization: They too fear that, in the end, the nation’s over-reliance on an expanding military risks destroying not only the civilian competition but the military itself. They worry that the armed services, under constant pressure to be all things to all people, could eventually find themselves able to offer little of enduring value to anyone.

Ultimately, they fear that the U.S. military could come to resemble a Walmart on the day after a Black Friday sale: stripped almost bare by a society both greedy for what it can provide and resentful of its dominance, with nothing left behind but demoralized employees and some shoddy mass-produced items strewn haphazardly around the aisles.”

How the Pentagon Became Walmart


California Law Now Requires Registration of 3D-Printed Guns


“MOTHERBOARD”

“California Governor Jerry Brown signed into law legislation requiring anyone who makes or assembles a homemade firearm to apply for a serial number or “other mark of identification” from the state Department of Justice.

This means passing a background check.

Said measure, one of several new gun restrictions signed by Brown, mandates that said identification be permanently affixed to the weapon, and, moreover, forbids the sale or transfer of self-assembled firearms.

The new law is an overt response to the 3D printing boom as well as the increasing sale of “unfinished” lower receivers. These are somewhat modular gun components encompassing trigger, firing pin, and ammunition feeding mechanisms. While the finished versions of lower receivers have historically been subject to the same laws as regular old long guns, unfinished versions requiring only a few small tweaks have offered gun buyers a fudge. The new law aims to close this loophole.

A bit more subtly, the bill goes after would-be undetectable plastic guns, mandating that in order to pass California state muster, they are required to have a piece of stainless steel embedded somewhere such that they’ll register in a metal detector.

As for the no sale/transfer clause, an argument put forth on the state Senate floor back in May by the California Chapters for the Brady Campaign to Prevent Gun Violence states: “Homemade guns may be of very poor quality and extremely unsafe and should therefore only be for personal use. At this point, many 3-D printed guns explode when they are fired. The technology will, no doubt, improve but it is unlikely that these guns would ever meet basic firing or drop tests and such unsafe guns should not be transferable.” (ATF testing in 2013 found that some popular models do indeed have a habit of exploding.)

Naturally, the NRA and gun rights groups are furious. The president of the Firearms Policy Coalition offered the totally hyperbole-free declaration that “Today’s action by Governor Brown shows how craven California’s despotic ruling class has become. The Legislature has abandoned the Constitution, representative government, and the People of California. I fully expect the People to respond in kind.”

A Field Poll conducted in January found that most California voters, including Republicans, support increased gun control measures, including requiring background checks for purchasing ammunition and outlawing possession of large-capacity magazines, among others.”

http://motherboard.vice.com/read/california-passes-law-requiring-registration-of-homemade-guns?utm_source=Sailthru&utm_medium=email&utm_campaign=Defense%20EBB%2007-26-16&utm_term=Editorial%20-%20Early%20Bird%20Brief