Wednesday, 30 September 2015

If there is liquid water on Mars, no one—not even NASA—can get anywhere near it

NASA claims to have found evidence of liquid water on Mars. If true, you’d expect the US government to scramble to set up a new mission to test the claim. After all, discovering that Mars has life, or even that it can support life, will be one of the greatest discoveries ever.
But that won’t happen so quickly. NASA’s press statement makes it seem that scientists have certain evidence of flowing water. They do not. What they have is chemical evidence that strongly suggests liquid water mixed with salts. More importantly, however, even if NASA were 100% certain that there is liquid water on Mars, it could not do anything about it.
The world’s space powers are bound by rules agreed to under the 1967 Outer Space Treaty that forbid anyone from sending a mission, robot or human, close to a water source, for fear of contaminating it with life from Earth.
Terrestrial life has been shown to be very resilient. Microbes are found in almost every nook and cranny of this planet, even the driest and hottest parts. Earth’s microbes survived nearly two years stuck on the outside of the International Space Station. All probes that land on Mars are cleaned to sterilize them of life, but no one yet knows how strict you need to be to ensure that bacterial life cannot form viable, self-sustaining colonies on Mars.

All space missions to an alien world are bound by planetary protection protocols. On Mars, these protocols determine which areas a mission can and cannot land in, and how far it can explore after landing. And the more we learn about Mars, as a 2014 report makes clear, the more special regions are being found where we can’t send missions.
Areas that are warm or wet enough to support Martian life are out of bounds. Polar ice caps, caves, and regions with volcanic activity are such special regions. Even regions where ice is found as deep as five meters below the surface are on the list.
And even that won’t cover all eventualities. The Mars 2020 Rover, for instance, carries a plutonium-powered heat generator, which can, if it falls on the surface, cause ice deep inside to melt and create liquid water. Its exploration area, then, is further restricted. The irony is that all these restrictions mean NASA has to stay away from the very regions where it may find water or Martian life.
NASA’s hype around the discovery of liquid water on Mars can be explained by its constant need to increase funding for its work. And that attention seems to be helping. But it won’t be eager to tell you that its human mission, currently planned for 2030, will inevitably contaminate Mars with microbes, and break the rules of an international treaty.
Indeed, what’s the guarantee that all those objects and rovers we’ve sent to Mars haven’t already contaminated the red planet?

View the original content and more from this author here:

from cyber war desk

Barry U Adopts Anti-Cyber Attack Measures

Barry University, a 9,000-student Catholic university in Miami, has signed Vectra Networks to protect its data and networks from cyber attacks.

Vectra, which specializes in the detection of in-progress cyber attacks, has installed a series of firewalls, intrusion detection procedures, sandboxing systems and endpoint protection to help Barry secure its systems. Like many higher education institutions, the university is responding to the need for more open access to connectivity, including the desire on the part of students and faculty to connect with their own devices.

“We are embracing mobility everywhere,” said University Associate CIO Hernan Londono, “and there’s a huge amount of risk that comes with mobility.”

Along with the technical controls in place, Vectra will use a number of automated techniques to detect potential cyber attacks against the university’s network, including command-and-control behavior, internal reconnaissance, botnet monetization, lateral movement and data exfiltration. Using a combination of data science, machine learning and behavioral analytics, Vectra officials said they will be able to quickly identify and prioritize active attacks so that security teams can mitigate them.

Londono said Vectra has already stopped one attack while in progress, and identified misconfigured printers that potentially left the university’s network susceptible to attack.

“I was shocked,” Londono said. “Vectra detected a serious threat that we needed to mitigate right away. I didn’t think it was possible to have visibility into attacks as they were actually happening.”


Healthcare industry highly susceptible to cyber attacks

The healthcare industry is becoming a highly targeted and increasingly vulnerable sector for cyber attacks as the next wave of devices hits an already complex technology environment. According to the Raytheon-Websense Security Labs Report of 2015, the healthcare industry saw 340 percent more security incidents and attacks than the average industry.

The report suggested that healthcare records contain information that is “10 times more valuable on the black market.” Highlighting criminals’ tendency to go after easy and vulnerable targets, it says that healthcare has become a prime target as retail and banking become increasingly secure.

“The rapid digitization of the healthcare industry, when combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector,” said Carl Leonard, principal security analyst at Websense. The report says one in every 600 attacks in the healthcare sector involves advanced malware. In fact, the healthcare sector is four times more likely to be impacted by advanced malware than any other industry. Many organizations lack the budget and the administrative, technical or organizational skills necessary to detect and prevent cyber-attacks. As a result, advanced malware presents a significant threat to healthcare infrastructure.

It also says the healthcare sector is 74 percent more likely to be impacted by phishing schemes and 4.5 times more likely to be impacted by Cryptowall, ransomware that encrypts critical healthcare data and holds it hostage for ransom. The report says that healthcare records hold Personally Identifiable Information (PII) that can be used in a multitude of different follow-up attacks and various types of fraud. Apart from personal identifiers such as the names and addresses of individuals, health records are also often linked to financial and insurance information. As in the finance and retail industries, data protection is essential for the healthcare industry, says Websense sales manager Ajay Dubey.

“We are increasingly seeing more healthcare players inclined towards enhanced security,” Dubey said. A recent Gartner report indicated that health care providers in India are expected to spend $1.2 billion USD on IT products and services in 2015, an increase of 7 percent over 2014.


The Immorality of Failure in Security Policy

The timing of President Barack Obama’s meetings with Pope Francis and Chinese President Xi Jinping could not have been worse. For an American leader to meet with a left-wing fellow traveler who would give “moral” reinforcement to his own leanings towards appeasement was dreadful before going into a meeting with the hard-line Communist autocrat.

In his remarks at the welcoming ceremony for Pope Francis, President Obama said “You remind us of the costs of war, particularly on the powerless and defenseless, and urge us toward the imperative of peace.” Then, after thanking the Pontiff for helping improve relations with Cuba (without mentioning that the island is still ruled by an unrepentant communist dictatorship left over from the Cold War), Obama returned to the pacifist theme, “We thank you for your passionate voice against the deadly conflicts that ravage the lives of so many men, women and children, and your call for nations to resist the sirens of war and resolve disputes through diplomacy.”

The kind of diplomacy conducted by Obama was clearly on display in the meetings with Xi.

First issue: cyber warfare. It is thought that China’s theft of intellectual property costs the U.S. economy $300 billion a year; almost as much as the trade deficit which sent Beijing $343 billion last year. Much of the theft is done by computer hacking. At the joint press conference with the Chinese leader, President Obama made a statement that was naive even for him:

I can announce that our two countries have reached a common understanding on the way forward. We’ve agreed that neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.

Can he really believe that the many Chinese military units and other state-sponsored groups who engage in massive cyber-warfare on a daily basis will even pause in their efforts to steal more information on American technology (both commercial and military)? That Beijing will stop a program that has contributed so much to the nation’s new capabilities? For those who distrust the verification/enforcement terms in the Iran nuclear agreement, the cyber agreement with Beijing offers nothing at all. All it does is let Obama resist calls from his national security experts for sanctions against Chinese entities in retaliation for the raiding of over 20 million government personnel files last summer. That Obama would stay his hand on sanctions was signaled well before the meeting with Xi, when the Chinese media reported, with surprise, that the issue was not pressed by national security advisor Susan Rice when she visited Beijing as a prelude to the Obama-Xi summit.

In mid-September, Meng Jianzhu, a member of the Political Bureau of the Central Committee of the Chinese Communist Party, led a delegation to Washington to work out the “consensus” Obama announced. As was reported in China, Meng stressed “China’s firm stand against cyber attacks and commercial cyber espionage, Meng said anyone who conducts such acts in the Chinese territory violates the laws of China and will be subject to legal liability.” This was, however, only a declaration that China would defend itself, not that it would not attack others. Quin An, director of the Strategy Research Institute for China’s Cyber Space at the China Institute for Innovation & Development Strategy, had been defiant when talk of sanctions was still being heard,

China’s new national security law has made clear its goal to safeguard the country’s sovereignty, security and development interests in cyberspace while the draft cyber security law will help put into place a long-lasting mechanism of building national defense force in cyberspace. The US retaliation will result in a powerful Chinese cyber force that will become the pillar in protecting the peace and development of global cyberspace.

Second issue: maritime disputes along the Pacific Rim. President Xi boldly stated at the joint press conference,

Islands in the South China Sea since ancient times are China’s territory.  We have the right to uphold our own territorial sovereignty and lawful and legitimate maritime rights and interests.  We are committed to maintaining peace and stability in the South China Sea, managing differences and disputes through dialogue, and addressing disputes through negotiation, consultation, and peaceful manner, and exploring ways to achieve mutual benefit through cooperation.

We’re committed to respecting and upholding the freedom of navigation and overflight that countries enjoy according to international law.  Relevant construction activities that China are undertaking in the island of South — Nansha Islands do not target or impact any country, and China does not intend to pursue militarization.

Beijing has not, however, engaged in dialogue. It has made unilateral declarations backed by shows of force. Its idea of international law regarding these disputes is a mixture of 1) its own interpretation (not held by others) that the economic zones set out under the Law of the Sea convention amount to sovereign control and 2) reliance on claims originating from past Chinese empires. It is doubtful that Vietnam, the Philippines and Japan do not feel targeted by Chinese airfield construction and naval exercises, which have already militarized the area. The display of ballistic missiles designed to attack U.S. aircraft carriers and the American bases on Guam at the recent parade of armaments in Beijing extends the target list.

Wu Xinbo, director of the Center for American Studies at Fudan University, penned an op-ed in the Communist party newspaper Global Times on September 22 which summed up Beijing’s position and its disregard for American policy: “Today, China’s ruling party and the Chinese government have become more confident in the country’s current system and development path… China’s role in promoting regional economy and stability is obvious to all. However, the US, in recent years, is increasingly siding with its allies in tackling regional disputes. For instance, Washington is partial to Tokyo in the Diaoyu Islands dispute and supports the Philippines in the South China Sea disputes. This has weakened Washington’s credibility.” The weakness stems from Obama’s unwillingness to back policy with action; he continues to appease Beijing.

Issue three: climate politics. President Obama welcomed Pope Francis’ plunge into the climate debate, the result of the Pontiff’s socialist leanings and his bias against the materialism produced by capitalism. The Pope’s regard for the poor is genuine, but his belief that poverty can be alleviated by redistribution of existing wealth while the world’s more general economic advance is crippled by climate politics is the nonsense of ideology, not theology.

Yet, a liberal like Obama is buoyed by such notions. When he went on to the summit with Xi, he cited the joint declaration the two presidents made last year about cooperation on limiting emissions. But this was Obama’s interpretation, not Xi’s. Obama has wanted climate change to become a global issue that would transcend national rivalries. Xi has seen it as just another front on which to battle for advantage.

Climate was not given the same emphasis by China as by Obama. In the list of outcomes at the summit published by the Chinese Foreign Ministry, the 2014 Joint Announcement on Climate Change was mentioned in point 37 as a measure “to support our industries and the environment, and to improve healthcare and quality of life of our citizens.” Beijing has not bought into the climate change sophistry. It does recognize that it needs to clean its air for health reasons, but that is a different issue entirely. It has also pledged to increase its energy efficiency, something Obama is sending them help to do. China is not, however, going to adopt the radical proposals offered by the Greens to limit economic growth to “save the planet.” Beijing’s view is that if the liberal democracies want to do that, they can, but they will not impose their silly notions on China. Any treaty Beijing will support will have to maintain the “common but differentiated” standard of past UN agreements. In those documents, there is a “binary distinction”: only the West is required to cut back. China and other developing nations remain free to do as they wish. And what China wishes is to rise, while others (most notably America) decline.

President Obama is desperate to believe China can be seen as a “partner” rather than a rival. He wants to avoid confrontation at all costs, and the Pope has reinforced his liberal view that his path is the moral high ground. Yet failure is neither noble nor the ideal outcome, especially when national security is at stake. It is better that Americans keep faith with their national origins. As James P. Byrd, Asst. Professor of Religious History at Vanderbilt University Divinity School, has written (Sacred Scripture, Sacred War: The Bible and the American Revolution, Oxford University Press) about colonial times,

Ministers often quoted Moses’s proclamation that “the Lord is a man of war” [Exodus 15:3] to reinforce God’s endorsement of warfare, and God’s blessing on soldiers who fought in just causes. “The Lord is a man of war” became a prominent text to cite against pacifists.

The world remains a dangerous place, and the United States needs statesmen to safeguard its prosperity and security. Neither President Obama nor Pope Francis offers a philosophy that fits the needs of the nation.


James Clapper Not Optimistic About Obama’s Cyber Agreement with China

“We’ve agreed that neither the USA nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” When John McCain, R-Ariz., the committee’s chairman, asked if he was optimistic the agreement would produce a lasting effect, Clapper took a dramatic pause, leaned into the microphone and very firmly replied, “No.”

What happened in the OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.” And, he said, “we, too, practice cyberespionage and… we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do.

“I think there is a question about the extent to which the (Chinese) government actually orchestrates all of it or not”, he said. The spy chief said that the way the government attributes blame is three-fold, including determining the geographic location of the attack, who conducts the attack, as well as the authority who gives the order for the attack.

The deal is meant to stop state-sponsored cyber attacks on businesses and does not cover all hacks. Establishing a credible deterrent requires agreement on norms of cyber behavior by the worldwide community, he said. “Maybe all of the above,” Work responded. In fact, largely because of the concerns that Clapper outlined, it is unlikely that the administration would impose sanctions or retaliate overtly for the OPM intrusions. During the Cold War, Sen.

One key question, he said, was whether to limit spying activity, such as the incident that compromised personal data of 21 million individuals in a database maintained by the Office Of Personnel Management.

Robert Work, deputy secretary of defense, acknowledged that the Defense Department needs to improve deterrence. He said the Pentagon was finalizing a broad cyber warfare policy that was supposed to have been shared with Congress over a year ago.

“Neither [President] Xi [Jinping] himself nor any other Chinese official said what the US said”, Goldsmith wrote on his blog, Lawfare.

He said the response could involve a variety of tools, including economic sanctions and criminal indictments, as well as potential use of offensive cyber weapons. “So this isn’t a treaty or anything like that – it’s a confidence-building measure for us to find out if China is going to act responsibly”.

This is not the first time Rogers has spoken out about the staggering number of threats facing the cyber realm.


Tuesday, 29 September 2015

New federal assessment tool highlights the importance of threat intelligence for financial institutions

By HP Security Strategist Stan Wisseman

In a previous post, I encouraged the use of frameworks to help determine a cybersecurity baseline capability and a roadmap to reach the goals of your information security program. This summer, the Federal Financial Institutions Examination Council (FFIEC) introduced a new tool to assist financial organizations in following this approach.

In 2014, the FFIEC piloted a cybersecurity examination program at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. On June 30th of this year, the FFIEC published a Cybersecurity Assessment Tool to provide ALL financial institutions with a repeatable and measurable process to inform leadership of their organization’s cyber risks (Inherent Risk Profile) and cybersecurity preparedness in relation to that risk (Cybersecurity Maturity). If the level of preparedness is inadequate, the organization may take action either to reduce the level of risk or to increase the level of maturity (a “target” state). The Tool is mapped both to the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook) and to the NIST Cybersecurity Framework. Initially, the Tool will be voluntary, but in the long term it is expected to be incorporated into the FFIEC IT Handbook and used in regular examinations. The Tool identifies five domains, as shown above.

I’m going to focus on the Threat Intelligence & Collaboration domain in this post. I’m a strong proponent of threat intelligence sharing and am pleased that the FFIEC added this domain to their Assessment Tool. Timely sharing of intel about new or ongoing cyberattacks and threats should help avoid or minimize major breaches from an attack. I recognize that there’s still some controversy around private sector organizations sharing their threat intel with US Government agencies. Some of the potential negative consequences of this sharing were discussed at the 2nd annual Senior Executive Cyber Security Conference I attended in Baltimore earlier this month. Efforts are underway to craft legislation to address some of these concerns (see ICIT brief), though it’s unclear whether the US Congress will finalize these legislative efforts this year. Independent of the legislation, I still think that harnessing the collective wisdom of peer organizations we trust should be a win-win and is necessary to survive within our evolving threat landscape. The bad guys collaborate. We also need to.

Returning to the Assessment Tool, each domain and maturity level has a set of declarative statements (i.e., requirements) organized by assessment factor. I’ve extracted some of the declarative statements from the Advanced and Innovative maturity levels for the Threat Intelligence & Collaboration domain below:

  • Threat intelligence is automatically received from multiple sources in real time.
  • A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management.
  • Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks.
  • The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.
  • IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized.
  • Relationships exist with employees of peer institutions for sharing cyber threat intelligence.
  • A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats.
  • A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction.

I think the Tool encourages the building of effective threat collaboration partnerships through trust. HP has taken a similar approach with its Threat Central service. Threat Central enables organizations to collaborate via a community-sourced security intelligence platform that incorporates dynamic threat analysis scoring to produce relevant, actionable intelligence to combat advanced cyber threats. Use of Threat Central can help you achieve some of the Advanced and Innovative declarative statements called for in the Assessment Tool.

Learn more about HP Enterprise Security.


Liquid Water Exists on Mars, Boosting Hopes for Life There, NASA Says

Potentially life-giving water still flows across the ancient surface of Mars from time to time, NASA scientists said Monday in revealing a potential breakthrough in both the search for life beyond Earth and human hopes to one day travel there.

While the discovery doesn’t by itself offer evidence of life on Mars, either past or present, it does boost hopes that the harsh landscape still offers some refuge for microbes to cling to existence.

“The existence of liquid water, even if it is super salty briny water, gives the possibility that if there’s life on Mars, that we have a way to describe how it might survive,” said John Grunsfeld, associate administrator for the Science Mission Directorate at NASA.

NASA researchers using an imager aboard the Mars Reconnaissance Orbiter confirmed the watery flows by looking at light waves returned from seasonal dark streaks on the surface, long suspected to be associated with liquid water.

The investigation showed the streaks absorb light at specific wavelengths associated with chemicals known to pull water from the Martian atmosphere in a process known as deliquescence, said Georgia Tech doctoral student Lujendra Ojha, who first discovered the streaks while still an undergraduate student at the University of Arizona in 2011.

The chemicals allow the water to remain liquid at lower temperatures but also help keep it from boiling off in the thin atmosphere of Mars, the researchers said.

It remains unclear where the water comes from. Theories include deliquescence, melting subsurface ice or even a liquid-water aquifer that feeds the process. Discovering what precisely is causing the phenomenon is a mystery for the next round of investigations, said Michael Meyer, lead scientist for NASA’s Mars Exploration Program.

The researchers’ findings are in a new paper being presented this week at the European Planetary Science Congress in France.

This is not the first discovery of water on Mars.

Researchers have known for many years that Mars has water frozen at its poles, in its thin atmosphere, and, most recently, in tiny puddles that appear to form at night on the surface.

Nor is it the first potential clue that Mars could once have hosted, or may still host, life. The Mars Curiosity rover, for instance, has detected methane on the surface of Mars, as well as other chemical signatures suggesting the possibility of past or present life.

It remains to be seen whether the new discovery improves the odds of life on Mars, but researcher Mary Beth Wilhelm said the results suggest “more habitable conditions on the near surface of Mars than previously thought.”

How habitable, she said, depends on how salty and how cold the conditions are.

But Alfred McEwen, who heads up NASA’s HiRISE high-resolution camera aboard the Mars orbiter, said he’s fairly confident life will one day be found on Mars.

“It’s very likely, I think, that there’s life somewhere in the crust of Mars, microbes,” he said.

Jim Green, director of planetary science at NASA, said the discovery announced Monday puts NASA in a perfect position to look for that life.

“We haven’t been able to answer the question, ‘Does life exist beyond Earth?’ ” Green said. “But following the water is a critical element of that. We now have, I think, a great opportunity to be in the right locations on Mars to thoroughly investigate that.”


A Sino-American Cyber Security Agreement: Crisis Composed of Danger and Opportunity?

It is a longstanding fiction that the Chinese word for “crisis” is composed of elements that signify “danger” and “opportunity.” Nevertheless, in the realm of science fiction writing, author William Gibson coined the term “cyberspace” in his short story “Burning Chrome,” before most of the public had a concept of, let alone actual experience with, using networked computer systems. Science fiction has given way to cyber reality, with 42.3 percent of the world’s population using the internet on a regular basis, some 741 percent growth between 2000 and 2014 alone. At the same time, cyber weapons and cyber warfare are among the most dangerous innovations in recent years. Cyber weapons can imperil economic, political and military systems by a single act, or by multifaceted orders of effect, with wide-ranging potential consequences. A non-exhaustive list of notable past cyber incidents includes:

· 1994: Chechen rebels use Internet-enabled propaganda [PDF] in the Russo-Chechen war.
· 1999: Serbian hackers try to disrupt NATO military operations, clogging NATO’s e-mail server with 2,000 messages a day.
· 2007: Syrian air defense was reportedly disabled by a cyber attack moments before the Israeli Air Force demolished an alleged Syrian nuclear reactor; massive cyber attacks experienced by Estonia, with most of the compromised and attacking computers located within the US but attributed to Russia.
· 2008: Russo-Georgian war with integrated cyber and conventional operations.
· 2009: the whole of Kyrgyzstan was knocked offline during a time of domestic political crisis.
· 2010: Stuxnet worm attacking Iranian nuclear centrifuges identified as most sophisticated state-sponsored malware.
· 2014: Release of confidential data belonging to Sony Pictures Entertainment, including employee personal information, e-mails, copies of (previously) unreleased Sony films and other information, via a hack believed to be of North Korean origin; and two major breaches, reputedly by China, of US government databases that exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends.
· 2015: A Chinese attack targeted personal emails of “all top [US] national security” officials just days after a “spear-phishing” attack of suspected Russian origin on the Pentagon’s joint staff email system, which exposed some 4,000 civilian and military employees.

The US Director of National Intelligence, James Clapper, recently told the House Intelligence Committee that the next phase of escalating online data theft will most likely involve the manipulation of digital information, with a lower likelihood of a “cyber Armageddon” in which digitally triggered damage catastrophically harms physical infrastructure.

On September 25, 2015, during the state visit of Chinese President Xi Jinping, the US and China signed a Memorandum of Understanding [PDF] on a range of global, regional and bilateral subjects. According to a statement from the White House, the two countries now

“agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Many details are left to be determined, though, in the “common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community,” including, but not limited to, which acts in cyberspace would be tantamount to an act of war.

In this era of great cyber danger and opportunity, my colleagues and co-editors Jens Ohlin from Cornell Law School and Claire Finkelstein from the University of Pennsylvania Law School and I had the privilege of contributing to and editing a book that assembles the timely and insightful writings of renowned technical experts, industrial leaders, philosophers, legal scholars and military officers as presented at a Center for Ethics and the Rule of Law roundtable conference entitled Cyberwar and the Rule of Law.

That work, Cyber War—Law and Ethics for Virtual Conflicts, explores cyber warfare’s moral and legal issues in three categories, pertinent to any cyber security agreement that may be concluded, not just the present Sino-US accord. First, it is critical to address foundational questions regarding cyber attacks. What are they and what does it mean to talk about a cyber war? State-sponsored cyber warriors as well as hackers employ ever more sophisticated and persistent means to penetrate government computer systems; in response, governments and industry develop more elaborate and innovative defensive systems. There are valid alternative views concerning whether the laws of war should apply, whether transnational criminal law or some other peacetime framework is more appropriate, or whether there is a tipping point beyond which the laws of war come into play. Secondly, cyber security challenges traditional conceptualizations of the law of war, or jus in bello, in determining how they might be applied to cyber-conflicts, in particular those of proportionality and necessity. It also investigates the distinction between civilian and combatant in this context and studies the level of causation necessary to elicit a response, looking at the notion of a “proximate cause.” Finally, it is essential to analyze the specific operational realities implicated by cyber warfare technology employed and deployed under existing and potential future regulatory regimes.

On the national and foreign policy front, individual freedom of expression and privacy considerations must be balanced against national sovereignty and security concerns in the enforcement of the Convention on Cybercrime, just as they should be for any future Cyber Weapons Convention or cyber security agreements that China, the US, or any other nations conclude. From a technical perspective, the prospect of increased cyber oversight, regulation and protection appears increasingly challenging but more imperative than any prior time in history, yet as the Brookings Institute has aptly observed [PDF], improved engagement between China and the US on cyber security will likely have a positive impact in establishing global cyber security norms and implementing mechanisms, as well as other shared concerns, like global finance and the environment. For the above reasons and more, any cyber security agreement concluded will be indispensable to prescribing limits, if not proscribing, cyber warfare, and will have dramatic significance to national and homeland security and foreign affairs of each nation.

Professor Govern began his legal career as an Army Judge Advocate, serving 20 years at every echelon during peacetime and war in worldwide assignments involving every legal discipline. In addition to currently teaching at Ave Maria School of Law, he has also served as an Assistant Professor of Law at the US Military Academy and teaches at California University of Pennsylvania and John Jay College. He is a coeditor of and contributing author to Cyber War—Law and Ethics for Virtual Conflicts (Oxford University Press, 2015). Unless otherwise attributed, the conclusions and opinions expressed are solely those of the author and do not reflect the official position of the US Government, Department of Defense, or Ave Maria School of Law.

View the original content and more from this author here:

from cyber war desk

House Homeland Security Committee Will Mark up Cyber Legislation; Obama and Xi Announce Cyber Agreement

House Homeland Security Committee Will Mark up Cyber-Related Legislation

On Wednesday, the House Homeland Security Committee will mark up the Department of Homeland Security Cybersecurity Strategy Act of 2015 (H.R. 3510), which would direct the Department of Homeland Security (DHS) to develop an internal cybersecurity strategy. The bill is in response to DHS’s plans to reorganize the Department and make changes to the cybersecurity divisions within DHS without prior Congressional authorization. Many members of the Committee have expressed their concern about DHS’s attempted reorganization without seeking approval from Congress or the White House. The bill unanimously passed out of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies earlier this month.

In addition, the Committee will mark up the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490) and the DHS Science and Technology Reform and Improvements Act (H.R. 3578), which would expand the Science and Technology Division’s cybersecurity research and development initiatives.

This Week’s Hearings:

  • Tuesday, September 29: The House Armed Services Subcommittee on Emerging Threats and Capabilities will hold a hearing titled “Outside Perspectives on the Department of Defense Cyber Strategy.”

  • Tuesday, September 29: The Senate Armed Services Committee will hold a hearing titled “United States Cybersecurity Policy and Threats.”

  • Wednesday, September 30: The House Foreign Affairs Committee will hold a hearing titled “Cyber War: Definitions, Deterrence, and Foreign Policy.”

  • Wednesday, September 30: The House Armed Services Committee will hold a hearing titled “Implementing the Department of Defense Cyber Strategy.” The hearing will feature Admiral Michael Rogers, Commander of U.S. Cyber Command, and other Department of Defense officials.

  • Wednesday, September 30: The House Homeland Security Committee will mark up several DHS-related bills, including the Department of Homeland Security Cybersecurity Strategy Act of 2015 (H.R. 3510).

Executive Branch Activity

Obama Reaches Cyber Deal with China

During Chinese President Xi Jinping’s visit last week, President Obama announced that the U.S. and China had reached a cybersecurity agreement that expressed that neither country would conduct cyber theft of intellectual property, including trade secrets or other confidential business information, against each other with the intent of providing competitive advantage to private sector businesses and industries within their countries. The deal is based on a promise that both heads of state made to address the cyber tensions that have existed between the two countries in recent years, particularly in light of the recent Office of Personnel Management (OPM) data breach. The agreement also includes a commitment that both countries will work closely to respond to law enforcement requests for information investigating cybercrimes. The U.S. and China will also form a working group on cybercrime, which the Departments of Justice and Homeland Security will lead.

While many Members of Congress and outside stakeholders have said that the goals of the agreement are moving the two countries in the right direction, most have expressed doubts that China will live up to its end of the bargain. Prior to President Xi’s visit, many Members of Congress had called for the President to issue sanctions against China in response to the OPM hack, but the Administration ultimately decided against it. President Obama reportedly told President Xi that the U.S. may still impose sanctions or utilize other tools to punish Chinese cyber criminals if the situation does not improve or if China violates the agreement.

NIST Releases Draft Framework for Cyber-Physical Systems

On September 18, the National Institute of Standards and Technology (NIST) released its Draft Framework for Cyber-Physical Systems and is giving the public 45 days to comment on the document. The Cyber-Physical Systems Public Working Group, an open public forum that NIST established, prepared the document after hosting numerous stakeholder discussions that were focused on developing the framework. Cyber-physical systems and other related systems, such as the Internet of Things, are regarded as having great potential to enable innovative applications and impact economic sectors in the future. Given the potential, the document seeks to develop new standards to ensure that these systems can operate safely within compromised conditions if needed.

NIST Considers Updating the Cybersecurity Framework

The original NIST Cybersecurity Framework was released almost two years ago following President Obama’s 2013 Executive Order calling for a voluntary set of standards for critical infrastructure owners and operators to use to improve their cybersecurity. NIST officials have indicated that they may soon be launching a process that would allow stakeholders to discuss further revisions to the Cybersecurity Framework, addressing needed updates based on the experiences of entities that have used the Framework. For example, NIST is looking at possibly updating the cybersecurity control references in the document and wants to discuss how companies use their risk management frameworks together with the Cybersecurity Framework. They will also likely focus on how organizations are using the Framework in a cost-effective manner.


Canada’s Defense Minister Talks Fighting the Islamic State, Arming the Kurds, and Cyber Warfare

Canada’s three main political leaders are taking the stage tonight to try and flay each other’s plans on global security, military engagement, and international diplomacy.

Jason Kenney, Canada’s Minister of National Defense, sat down with VICE News to hash out some of the big foreign policy topics of the campaign, and to give us an update on the increasingly complex fight going on in Iraq and Syria.

Canadian election campaigns, unlike their American counterparts, rarely focus on foreign policy issues. But this campaign, a 78-day marathon, by Canadian standards, has thrust international affairs to the forefront.

Both opposition parties have contended that Canada’s position in the world has fallen in recent years, arguing that the governing party has alienated traditional allies and rebuked multinational fora.

One particular point of contention has been Ottawa’s decision to help a private military firm sell $15 billion worth of light armored vehicles to Saudi Arabia, despite obvious concerns about the country’s human rights record.

Prime Minister Stephen Harper said at a campaign event that the deal with Saudi Arabia, “notwithstanding its human rights violations — which are significant,” is one that any Western nation would have signed.

“It is the largest contract in Canadian history, some 3,000 direct jobs in the London area, and look, we express our outrage and disagreement from time to time with the government of Saudi Arabia for their treatment of human rights, but I don’t think it makes any sense to pull a contract in a way that would only punish Canadian workers, instead of actually expressing our outrage against some of these things in Saudi Arabia,” the prime minister told reporters.

One issue that has seen less attention on the campaign trail is the increasingly serious threat from state-sponsored cyber attacks, especially from China and Iran.

News has emerged in recent years that Canadian systems are under heavy fire from hackers, external and internal, and that they may have compromised government systems more than once.

But the main issue on the docket for Monday night’s debate, held at the University of Toronto’s Munk School of Global Affairs, will be the fight against the so-called Islamic State (IS or ISIL).

Both the centre-left Liberals and the upstart left-wing New Democratic Party have come out hard against Canada’s contribution to the fight. The governing, centre-right Conservative Party brought Canada into the mission and is damned if it’s going to withdraw before the job is done.

Canada’s current commitment is not insignificant by its own standards: six CF-18 fighter jets, a CC-150 Polaris refueller, two CP-140 Aurora surveillance aircraft, 600 support personnel, and roughly 69 special forces operators.

By international standards, it’s a fraction of the overall commitment. Canada has flown less than 5 percent of the overall sorties in the air campaign against IS. That has led the contenders to Harper’s throne to lambast the mission as ineffective.

Both NDP leader Thomas Mulcair and Liberal leader Justin Trudeau have said they will end the bombing campaign, instead focusing on training and humanitarian aid.

Kenney recognized that things are, in his words, at a “stalemate.”

The defense minister says that, unless the Iraqi army can begin a successful counter-offensive targeting IS, little progress will be made.

While that isn’t exactly a revelation, Kenney’s comments on the state of the Iraqi army offer some insight into the coalition’s frustration over the state of affairs.

Kenney told VICE News that the Canadian government had debated expanding its training program in the area, which is currently limited to helping the Kurds train for combat in Northern Iraq, to the Iraqis, only to kibosh the idea.

“We concluded that, quite frankly, the Americans were already doing that on a huge scale,” Kenney said. “They have been for 10 years, and the effectiveness of that has been disappointing.”

Instead, Kenney said that Ottawa is, should his government be re-elected, looking at preparing and equipping smaller militias throughout Iraq to help them defend themselves against IS — and even after the militants are defeated, if that ever occurs.

VICE spoke to the chairperson of a major Yazidi organization in March, when he made a direct appeal to Kenney and others for military aid.

“We want Canada to supply direct arms,” Yazidi Human Rights Organization International chairperson Mirza Ismail said at an event in Ottawa. “If you don’t have ammunition, what can you do?”

Canada’s training mission in Kurdistan is being run by a contingent from the Canadian Special Operations Regiment and the Joint Task Force 2 — the country’s two most elite special forces regiments that usually operate under absolute secrecy.

That training mission could be expanded in the near future under a re-elected Conservative government. Kenney promised on the weekend that, should they win the Oct. 19 vote, he will contribute an additional $75 million to the secretive military units, boosting the number of operators in the units by more than a third.

VICE News sat down with Kenney to ask about IS, what role Canadian special forces play in the region, and what Ottawa is doing to defend itself against cyber attacks.

VICE News: If there is a stalemate with IS, have we lost?

Kenney: No. Look, our first objective is to stop the growth of this organization. Let’s take a step back and ask why is that important. Why is ISIL particularly pernicious, why do we have an interest in fighting it? In my view it’s because when organizations like that exploit a failed, or failing state, to create their own quasi-state or terror state — in their own words, a caliphate — in which they can plan and project violence, where they can control their own taxation revenues, their own oil revenues, that’s when it can pose a very credible threat to international security. When this organization appears to be on the winning side of history, it appears to be a confirmation in the minds of young people that are susceptible to radicalization that it is the real deal. It is actually the caliphate. Some of these young people believe that they have a religious, moral obligation to go and join that particular so-called jihad. By putting it on the wrong side of history, by demonstrating that it is not actually winning — that it is not the fulfillment of history, that it is just a gang of thugs, criminals and rapists — if we can convey that message to young people who might be susceptible to radicalization, fewer Canadians, fewer Westerners will be radicalized, and that means less of a security risk to us here at home.

Your government has made the case about why Canada should be part of the bombing campaign against IS. In reality, between us and our allies, we’re not dropping that many bombs. Maybe 10 to 20 a day. Is that enough to break this stalemate?

No, it’s not. As I’ve always said, the air campaign, which is the primary Canadian contribution, is necessary but not sufficient. The stalemate will not be broken and ISIL will not be rolled back out of Iraq — and it certainly will not be degraded to ineffectiveness or destroyed — unless, and until, there is an effective ground campaign, and that requires an effective Iraqi ground counteroffensive … We did consider participating in a larger-scale training program with the Iraqi army, not just the Kurdish militias. We concluded that, quite frankly, the Americans were already doing that on a huge scale. They have been for 10 years, and the effectiveness of that has been disappointing. We’re going to continue to focus our efforts on the Kurds. I would like, if we have the opportunity, for us to assist with the training of some of the militias in the North that are affiliated with the minority communities in the Nineveh plains, like the Yazidis and the Assyrians. Because, post-ISIL, I hope that we can help them maintain the security of their minority communities in their ancient homeland of the Nineveh plains.

So Russia has moved serious assets into Syria to back the Assad government, which is only going to help them go after moderate groups that are actually fighting IS, and the Turkish government against the Kurds. Between both of those things, doesn’t that spell something even worse for the region?

There’s no doubt that it’s an extremely complicated, multidimensional fight on the Syrian side. There are no white hats in that fight. Our immediate interest in Syria, we can’t resolve or intervene in the Syrian civil war, it would be radically imprudent for us to do so — and when I say ‘we’ I mean Canada and the West in general — but we can, at least, ensure that ISIS does not have a safe haven in the Eastern regions in Syria that it claims to be the centre of its caliphate, like Ar Raqqa. So we will continue to strike those targets as they become available. As you know, the United States, with the support of some of its allies, has tried with limited success to train and develop a moderate militia in Eastern Syria that can bring the fight to ISIL on the ground. So far, that has not proven to be successful.

Changing gears: when it comes to Canada’s cyber security capabilities, is this entirely defensive, or is there an offensive component here? Would the Canadian military get in a position where it would launch a pre-emptive or offensive cyber attack?

I think you can reasonably assume that when the military develops a command, it has to have the capability to be both offensive and defensive. Potentially hostile countries need to know that, if they are going to launch cyber attacks against our critical systems, Canada and its allies have the capacity to retaliate.


Teaching the law of war

Room G349, an unassuming office on the third floor of Gambrell Hall at Emory Law, may seem a world away from a concertina wire–topped prison block at Guantanamo Bay Detention Camp (“Gitmo”) in Cuba. But the two places are deeply connected.

In this office, occupied by Professor Laurie Blank, students have been assigned research about whether detention at Gitmo is constitutional, how detainees are treated, and whether particular detainees should be imprisoned there at all. Working under Blank’s supervision, the students worked directly for lawyers representing detainees at Gitmo. They researched and drafted habeas corpus briefs to ascertain and challenge the lawfulness of a particular detention. And they wrote letters to detainees to keep them apprised of their cases and share news from their home countries.

This clearly wasn’t just an academic exercise. This work, done as part of Emory’s International Humanitarian Law (IHL) Clinic, gave students the chance to get hands-on experience working on real cases, research projects, and training programs for courts, militaries, NGOs, and other groups that focus on understanding, applying, and upholding the law of war. Blank, previously a program officer in the Rule of Law Program at the United States Institute of Peace, is a clinical professor of law and has been director of the clinic since 2008. She describes the clinic’s mission as twofold: It gives students the opportunity to see what it’s like to work in the real world of international law while providing support to the staff-strapped organizations that work on issues of humanitarian law around the world.

“As any quick glance at a newspaper will tell you, there is plenty to do with regard to accountability, advocacy, and training for implementation of the law and the protection of civilians,” Blank says. “For the organizations working in this area, there’s never enough manpower or resources or time to do all the work that needs to be done. The clinic marries these two goals.

“This is the only place in the country where students can do this kind of work,” Blank says. “It’s a pretty unusual opportunity. Students come to Emory because they want to do this.” When she first started the IHL Clinic, the students worked primarily with law firms in Atlanta that represented detainees at Gitmo. Now, the clinic partners with as many as a dozen organizations, with one student assigned to an organization each semester. Students have worked with international tribunals, such as the Special Tribunal for Lebanon, set up by the United Nations to investigate the assassination of the prime minister of Lebanon 10 years ago, and NGOs in the US and abroad working to prosecute perpetrators of atrocities in international and national courts.

Real-world impact

Ben Farley 11L is one of those students. He came to Emory Law armed with a master’s degree in international affairs and a strong interest in foreign policy and international law. But it wasn’t until he started working in the clinic that he really began to understand how national security laws actually work.

“I did not go to law school with the intent of ending up where I am, but the clinic really piqued my interest,” says Farley, who is now the US State Department’s Senior Advisor to the Special Envoy for Guantanamo Closure, the senior official responsible for closing the prison. “It seemed like a fascinating opportunity to learn about how national security law really functions. I quickly became enamored with the subject matter.”

Farley’s assignment in the clinic was to survey, for Amnesty International, the legal frameworks for accountability for atrocities, including genocide, crimes against humanity, war crimes, and other international crimes. “We were looking at foreign law for African countries and helping to fill out research that Amnesty was doing,” he says. “I assisted Laurie with a Supreme Court amicus brief on the role of accountability for torture and other abuses of POWs and detainees throughout American history, in a case on foreign sovereign immunity. The brief was filed on behalf of retired military officers in the US.”

Though Farley initially thought he’d end up at a big firm, he’s glad to be working in government, where he can put into practice what he learned in the clinic. “What I do on a day-to-day basis may not be legal analysis, but all of it is informed by international humanitarian law and domestic national security law. Both topics were subject matter that I was exposed to for the first time in the clinic,” he says. “It was such an interesting experience, doubly so because it has a real impact on the course of action that the US chooses to take on a daily basis.”

Building partnerships

The Geneva-based International Committee of the Red Cross (ICRC) provides assistance to victims of war and armed violence and promotes respect for international humanitarian law. And now it pursues those goals with the help of Emory’s IHL Clinic.

The clinic works with the ICRC’s delegation in Washington, DC, providing research each year on United States practice for the ICRC’s Customary International Humanitarian Law Database. Students in the IHL Clinic research and analyze US cases, legislation, military manuals, and official statements to help understand how the law is interpreted and applied, Blank says.

At Marine Corps University (MCU) in Quantico, Virginia, clinic students are building relationships as well as databases. When US Marine four-star General John F. Kelly visited Emory in 2009 at the invitation of John M. Dowd 65L, Blank suggested the IHL Clinic could be a natural partner, providing research, writing, and curriculum support to members of the military.

“He spoke with my students, and we talked about ways to enhance relationships between the military and civilian academic institutions, and how it’s so important to understand what the other is doing because that can enhance the way we think about the issues,” Blank says. “He was really instrumental in helping us build this relationship with MCU, which has flourished over the last several years.” Kelly visited Emory again in 2015 at Dowd’s invitation.

The IHL Clinic and MCU are the perfect fit, says Dr. Rebecca Johnson, associate professor of national security affairs at MCU. “So much of what we do hinges on the law of armed conflict. To have another expert was fantastic,” she says. “There are legal restraints on what service members can do, but we had no one on staff to put those restraints into the exercises we do with the students.”

Professor Blank and an IHL Clinic student visit MCU at the start of each semester, meeting with course directors to brainstorm about how the clinic student can contribute to MCU’s curriculum, for example, by creating ethical-decision-making games and scenarios — with many focusing on overlapping treaty obligations — that allow MCU students to weigh the legal implications of their actions in the field.

“Our students aren’t legal experts; it’s just one element of a 10-month curriculum,” Johnson says. “But the students are starting to ask more legal questions about what they can do to figure things out and whom to talk to. There’s now more of an awareness.”

This is particularly important in today’s world of armed conflict, where it’s difficult to tell the difference between civilians and soldiers and the fighting isn’t confined to a battlefield. “These issues are not going away; they’re going to continue to be important,” Johnson says.

Among the clinic’s partners is the United Nations Committee Against Torture, which monitors countries’ compliance with the UN Convention Against Torture. Audrey Patten 12L, who received a graduate degree in East Asian studies before attending Emory Law, jumped at the chance to work with the US expert member of the committee. In 2010, she conducted research for the committee’s review of Turkey, including during its hearings in Geneva, Switzerland.

“I was helping them in real time and, later, assisting in writing the committee’s concluding observations,” she says. “When it was over, I was able to follow reactions to the committee observations in the Turkish press, thereby seeing an immediate connection between the clinic project and the real world.”

In 2011, Patten returned to the clinic, researching the legal framework for reparations for human rights and law of war violations for an NGO based in Washington, DC. “While our projects were for outside organizations, Professor Blank was there as the point person to help students problem-solve, to bounce research ideas off of, and find creative ways to present their research,” says Patten. “It was exciting to feel linked to the wider world of international law while still a student.”

Recently, Patten was selected to serve as a clinical fellow at Harvard Law School, where she now teaches in a legal services clinic. “My belief in the importance of clinical legal education and the desire to work with students as a lawyer grew, in large part, from my positive experiences in the IHL Clinic,” she says.

The clinic has been able to partner with so many organizations as a result of Blank’s own networking and expertise. As the co-author of International Law and Armed Conflict: Fundamental Principles and Contemporary Challenges in the Law of War and Law of War Training: Resources for Military and Civilian Leaders, Blank has become an authority on international humanitarian law and regularly attends workshops and presents at national and international conferences and expert workshops.

“I’m always out and about,” she says. “I speak with colleagues and say, ‘This is what we do; do you want some assistance?’ And they tell me their needs, and we come up with a way that we can help. We’ve got great students at Emory doing great work, so the IHL Clinic has a strong reputation. That certainly encourages organizations to seek us out when they need assistance as well.”

Continuing the work

Ryan Light 15L’s first assignment during his time with the IHL Clinic focused on a major international project on cyber warfare, researching international law and helping to draft rules for a manual on how it applies to cyber operations, even before conflict sparks.

“It was a pretty unique opportunity being able to do that as a second-year law student,” he says.

Light did a second tour with the clinic in his third year, this time working with military defense counsel at the Office of Military Commissions, researching legal issues for pretrial motions for the attorneys representing Khalid Sheikh Mohammed. Mohammed, who has been referred to as the principal architect of the 9/11 attacks, is currently being held in US custody at Gitmo. “They used the information I researched and wrote,” he says. “It was an incredible experience to make a direct legal impact in the real world.”

His work with the clinic will likely serve him well in his postgraduate career as a judge advocate for the US Marine Corps. “My first tour will most likely be in criminal litigation, which does not sound like it has a lot to do with the clinic. However, my second clinic assignment was on a defense team,” says Light. “I got to work directly with defense lawyers and write defense motions.”

Light recently met with a prospective student who had just joined the Marines and was planning to go to law school.

“I brought him to the class,” Light says. “I told him, ‘We don’t just have a professor who focuses on this stuff and teaches the class. We have a clinic set up, where you’re going to get real-world experience. If you want to be an attorney and a Marine, you should come to Emory.’” Getting a sense of what it’s really like to practice law on the global stage is an invaluable experience, Blank says, and one which sticks with students long after graduation.

“They’re getting the opportunity to work on the front-page, cutting-edge issues in the areas of international law and armed conflict,” she says. “They can see what this world is really about and make a difference.”


Monday, 28 September 2015

Cyber whistleblowing pivotal in ensuring corporate transparency and accountability in the IoT era

Whistleblowing isn’t a new phenomenon, and has been recognized and protected under SOX, GLBA, Federal and State laws, as well as industry-specific regulatory frameworks. The Dodd-Frank Act has ensured additional protections for corporate officers who come forward with evidence of misconduct or wrongdoing, and created financial incentives for whistleblowers to report securities violations and fraud.

You may be aware of a recent decision by the Third Circuit Court of Appeals in FTC v. Wyndham Resorts, which affirmed FTC’s standing as a Federal cyber enforcer under the Court’s intentionally broad – and unanimous – interpretation of the “fair trade” doctrine. What this means is that the FTC will increase its scrutiny of cyber security issues which affect US commerce and involve US consumers, surely to add to its list of approximately 50 recent enforcement actions taken against a variety of firms thus far.

However, FTC can only act upon known issues. A breach affecting millions of consumers, such as the Wyndham case or the Target and Home Depot incidents, comes into FTC’s view only after the proverbial horse has left the barn. While FTC seeks to encourage responsible behavior through punitive action meant to act as a deterrent for the rest of the field, the retroactive nature of its action leaves much to be desired on the preventive side of the equation.

Despite being a positive step in the right direction, the Commission’s post hoc enforcement scope creates a potential incentive for firms to conceal information security breaches at all costs in a bid to prevent additional scrutiny and likely punishment for failure to adequately secure their information operations. In many cases, the firms are successful. As reported in the New York Times, a massive breach of a major industrial automation firm shortly after its $2-billion acquisition went unreported to the markets and regulators, remaining under wraps until a confidential customer memo was leaked to a well-known security blogger.

Wrapped in non-disclosure agreements and contract confidentiality clauses, manufacturers get to operate in secrecy, largely making the public disclosure of a breach a choice rather than an obligation (in cases not involving regulated consumer data such as credit cards and PII).

Transparency is difficult to come by in a field cloaked in what I call the “Three M’s” of cyber security: myth, mystique, and mystery. Confidentiality for confidentiality’s sake prevails throughout corporate organizations, stifling information sharing, discovery, and open debate – internal or external – on cyber deficiencies and vulnerabilities.

CEOs don’t want to hear about problems which they would be compelled to solve – if they actually heard about them. Integrity of internal controls, after all, is a serious matter well within the regulatory purview of the SEC. The logical answer, in the unscrupulous organizations at least, becomes rather obvious: keep the CEO and the Board from hearing about cyber issues they’d be forced to fix. With information security, that’s all too easy given the inherent complexity and difficulty of assessing the true state of cyber posture and maturity in global organizations.

This obfuscation doesn’t have to appear all that malicious, either. A simple omission, a confused statistic, an “honest mistake” in reporting threat or vulnerability data – all plausible enough to filter the information about known or suspected deficiencies in the enterprise security program.

How do we pierce this veil of corporate secrecy and obfuscation, designed to immunize and absolve the power structure while allowing cyber negligence to remain the accepted status quo? If internal reporting is suppressed, and those who speak out find themselves ostracized – or worse – what channels are available for communicating internal issues tantamount to corporate misconduct and malfeasance?

The answer: Whistleblowing.

Encouraging and protecting those who come forward is essential to the functioning of markets and societies. Transparency, integrity, and trust are non-negotiable. As our world continues to become “smarter”, more connected, more integrated, as our transactions become more distributed and rapid, as machine learning and automation become more mainstream by the day – it is fundamental that we as consumers, and the regulators on our behalf, insist on total integrity and trustworthiness on the part of those who seek to populate our world with “smart” machines.

The manufacturers and suppliers competing for the lucrative space on our wrists, in our pockets, our kitchens, cars, and office buildings, must prove to us their technologies are safe, secure, and resilient before we allow them to take over our lives to the tune of 50 billion connected devices projected to surround us by the year 2020 (Gartner).

Whistleblowers are crucial in ensuring that no matter how complex an organization, how powerful or aloof the management, or how lucrative the business venture – consumers get to know the truth, and to make their choice in the marketplace based not only on the features of a product or service, but its maker’s trustworthiness and integrity.

Cyber whistleblowers have a pivotal role to play in the upcoming battle to connect our world. Let us encourage them and protect them.

In a recent article in CIO Magazine, the nation’s premier whistleblower attorney Debra S. Katz of Katz Marshall Banks provides an overview of the unique challenges faced by cyber whistleblowers, and the dangers for companies who retaliate against them:


Wondering about NASA’s Mars mystery? We may have found the answer

(CNN) NASA says it has big news for us Monday. “Mars Mystery Solved,” the agency’s news release touts without offering even a hint as to what mystery they mean.

For those who just can’t wait, a little Googling may solve the puzzle — and it’s not Matt Damon, little green people, or any other clear indication of life. It appears to be a confirmation of periodically flowing water on the planet’s surface.

Three of the scientists slated for the news conference are listed as authors of a new paper to be delivered at this week’s European Planetary Science Congress.

In it, the researchers say analysis of imaging from the Mars Reconnaissance Orbiter proves that seasonal dark streaks on the Martian surface are the result of briny water periodically flowing across the planet’s surface.

The confirmation of water on the surface of Mars would be important and would raise a host of questions, chief among them: Where is the water coming from, and what does it mean for the prospect of life, past or present?

The paper doesn’t answer those questions, and NASA isn’t talking ahead of its Monday morning news conference. Neither the agency nor the paper’s authors responded to requests for comment Sunday.

If Monday’s announcement isn’t about this specific paper, it’s still likely to have something to do with water: in the soil, underground or in the atmosphere. Not only is the question of water there a hot topic for research, at least two of the authors have been heavily involved in the hunt: Alfred McEwen and Lujendra Ojha.

Both were in on the initial discovery of the dark streaks back in 2011.

But whatever NASA appears ready to announce, it looks to fall short of the breathless headlines in some media outlets suggesting NASA may have found life on the red planet, or the endless, often absurd, speculation on social media — home of the Mars bunny, lizard, and myriad other claims based on photos sent back from the planet.

Social reaction to NASA’s Mars announcement

Researchers have known Mars has water for many years, based on everything from photographic evidence of structures that look like riverbeds to results of scientific experiments performed aboard landers sent to the red planet.

And some have theorized for years that dark streaks — formally called recurring slope lineae — that show up on the surface when it’s warmer and fade when it’s cooler suggest the presence of flowing water. In fact, Ojha suggested that very mechanism in explaining his 2011 discovery but said it could be tough to prove.

Ojha is the primary author on the new paper, in which the researchers say analysis of spectral imaging from a tool aboard the Mars Reconnaissance Orbiter proves the streaks are in fact caused by salty water flowing downhill.

The salt content of the water is important because without it, the water would freeze in Mars’ bone-chilling temperatures.

The water could be coming from subsurface ice, from salts attracting water from the thin Martian atmosphere or possibly bubbling up from an aquifer, the researchers say.

In April, McEwen announced research showing that salts in the Martian soil have the ability to grab enough water out of the air to form tiny puddles at night. And in March, NASA said Mars may once have had a sea similar to the Atlantic Ocean on Earth. About 87% of that water has been lost to space, researchers said.


The Pentagon has already paid over $318 million for cyber contracts this year

The cyber industrial complex is growing.

The need to boost the Pentagon’s cyberwar-fighting abilities is “so dire,” Lt. Gen. Kevin McLaughlin, deputy commander of the dedicated cyberwar unit CYBERCOM, argued this month, that the Department of Defense has already paid over $318 million in cybersecurity contracts to private defense firms in 2015 alone.

Chinese President Xi Jinping is now visiting Washington to discuss the sustained cyber conflict between the U.S. and China. The American government and its military have been increasingly focused on building up their own capabilities to compete with what has been described as China’s 100,000 “code warriors.”

The U.S. military’s own recruitment drive for cyberwarriors is not a part of the tally here, which includes only money paid to private firms published publicly by the Pentagon. In fact, the $318 million number is only a baseline, as the Defense Department’s records only show individual contracts awarded over $6.5 million.

The biggest cyber contract of the year by far was the $133.2 million paid to Identity Theft Guard Solutions in the wake of the massive data breach at the Office of Personnel Management, which affected an estimated 21.5 million people. The money pays for services like identity theft insurance, identity restoration, and identity monitoring.

Extending over three years, the contract could rise to $329.8 million. But it’s been criticized by security experts for missing crucial protection, like credit freezes, despite the giant price tag.

Industry giant Northrop Grumman’s Information and Technology division got the contract to provide cybersecurity for the Marine Corps Enterprise Network, a task that earned the firm $7.1 million this year, in addition to contracts from previous years.

The Pentagon paid unfortunately named firm Isis Defense $7 million for a threat intelligence and cyber analytics platform, which will work with the military’s cutting edge big data research “with novel approaches to high-performance computing and data storage hardware” from the Defense Advanced Research Projects Agency, which is tasked with the U.S. government’s foremost research and development.

Multiple contracts in the $7 million range were paid out this year for research and development of transparent computing, which has the goal of making the inner workings of computers easily visible.

The most recent contract is a $9.5 million payment to Sierra Nevada Corp. to build the software and hardware for new systems that optimize information sharing within the intelligence community while maintaining cybersecurity throughout.


Naval Academy, UMBC partner to develop cyber security defenses

How to block a thief from accessing your iPhone? How to shield cloud storage from hackers?

How to defend the Facebook network?

Naval Academy professors and midshipmen are working to answer these questions with a three-year, $2 million research partnership with the University of Maryland, Baltimore County.

The research on five federally funded cyber security projects is underway as investigators continue to reveal the extent of data breaches beginning last year at the U.S. Office of Personnel Management.

The office on Wednesday raised its estimate of government employees whose fingerprints were stolen to 5.6 million — about five times more than estimated when the hacking was disclosed this summer.

Some 21.5 million federal employees — including civilians at the Naval Academy — are believed to have been affected by the theft of background investigation records, according to the Office of Personnel Management. Social Security numbers, birth dates and addresses were stolen. More than 900 civilians work at the academy.

The Office of Personnel Management continues to mail notices to those affected. And the government is offering free identity-theft and fraud-protection service to them.

The first breach happened in December but wasn’t detected for four months — until April, officials said.

In one of their five research projects, the Naval Academy and UMBC professors are developing methods to more quickly detect a cyber security breach. They aim to build a check-engine light for networks.

“How do we put controllers and sensors in place to enhance systems to monitor themselves and detect when there is an anomaly?” said Karl Steiner, vice president for research at UMBC.

The research partnership was announced in spring with the signing of a legal agreement by Naval Academy Superintendent Vice Adm. Walter “Ted” Carter Jr. and UMBC President Freeman Hrabowski.

The agreement took about six months to craft and sets guidelines for rights to inventions during the three-year partnership, Steiner said.

The five projects are funded with about $2 million from the Office of Naval Research, Steiner said. The money runs out in three years.

The agreement was announced in April, but officials declined to discuss the research projects until the grant money was secured and work began.

Steiner at UMBC and Naval Academy Academic Dean Andrew Phillips agreed last week to discuss the projects.

A handful of students and professors from both schools will work on each. And the partnership is the latest move by the Naval Academy to expand programs in cyber security, academy officials have said.

About 30 midshipmen are expected to graduate this spring with a major in cyber operations, Phillips said. That major was introduced two years ago, and midshipmen in the Class of 2016 will be the first to graduate with it.

Civilian colleges may offer cyber security majors, but the academy’s program addresses the ethics of cyber warfare, Phillips said.

“What would it take for such an action to be an act of war? Could it simply be a denial of service? Could it be infiltrating the system? At what point do you cross the boundary?” Phillips said. “That’s where policy lags the technology.”

The academy is also building a $120 million cyber security center with about 10,000 square feet of secure classrooms, labs and a small lecture hall. It’s expected to be completed by late 2018. It will include the academy’s first room for the discussion of classified operations — a Sensitive Compartmented Information Facility, or SCIF.

Windows may be omitted from the room for security. And it may be designed with thicker walls, alarm systems, surveillance cameras and a safe for storing classified documents.

A routine visit by the Naval Inspector General last year found lapses in how computer data are stored and accessed at the academy. Additional details, however, were redacted from an investigation report released to The Capital under a Freedom of Information Act request.

To accommodate the SCIF, the academy plans to establish internal measures to grant select midshipmen clearance to top-secret information. Previously, the academy had no means to grant the clearance. Between 100 and 200 midshipmen are expected to receive clearance each year.

Cyber skills are increasingly in demand in the private sector, too.

Last year, Maryland ranked sixth in the country for cyber security jobs, with 11,406 postings, according to Boston-based Burning Glass Technologies, which analyzes job markets. California was first with 28,744, according to the report released in July.

“Maryland has the potential and is really well positioned to be a Silicon Valley in cyber security,” Steiner said.

Among the five projects included in the Naval Academy-UMBC partnership is research to detect hacks, and also to protect cellphones without burdening users.

“You don’t want to spend five minutes getting into your phone,” Steiner said.

A third project aims to strengthen the security of cloud-storage systems. A fourth includes building hardware to detect anomalies and signal a breach.

A fifth project seeks to fortify defenses of social-media systems, so one hacker can’t access millions of accounts.

Students and professors participating in the projects will travel between campuses.

“I hope it turns into something bigger with UMBC,” Phillips said. “Sometimes projects wrap up and sometimes they discover new avenues. The whole point of this will be that UMBC and the Naval Academy continue to partner.”


China, US Agree To Not Conduct Cyberespionage For Economic Gain

Pledge applies to stealing trade secrets but stops short of banning traditional espionage via hacking.

In a historic move, Chinese president Xi Jinping and US President Barack Obama on Friday came to an agreement promising that neither nation would engage in cyber espionage for economic gain.

Cyberspying has been a notoriously prolific strategy for China, with the US among its top targets. But China has vehemently denied any such hacking activity. In a press briefing, Obama reportedly called it a first step and a “common understanding,” but appeared cautiously optimistic about the final agreement. “The question now is, are words followed by actions?” he said of China’s cooperation.

The US has maintained that it does not conduct cyberspying for economic gain for US companies. Xi and Obama’s meeting of the minds comes at a time when the administration has promised sanctions for foreign or other hackers that hack into US companies or organizations for economic gain or to steal intellectual property. Sanctions are still a tool the administration plans to keep in its toolkit.

Security experts are skeptical that any official deal can ultimately be struck. “There will be no cybersecurity deal, due to a number of factors. The key one being that in order to even agree not to attack critical infrastructure they would have to admit they have the capability to do so, as well as possibly disclose some of those capabilities. This process could reveal attacks and reconnaissance already conducted, which is a particular challenge for China as they have taken a stance of complete innocence when it comes to cyber war and espionage to the point of claiming naivety,” says Ken Westin, senior security analyst with Tripwire.

But the Information Technology Industry Council (ITIC) lauded the agreement between the two presidents. “This agreement finally starts a sustained dialogue where there was very little communication. It illustrates a spirit of cooperation on a sensitive issue, which is a positive signal to technology companies,” said Dean Garfield, president and CEO of the Information Technology Industry Council, which has been involved with talks between the US and China on the topic. “We will work to ensure this cooperation on cybersecurity will be a bridge to improved market access for global technology companies. ITI and its members, which include the world’s most innovative companies, will continue to work with both governments to further mutual understanding and ensure implementation of these commitments.”


Booting Up: Truce talk nice, but cyberwar is here to stay

President Obama’s lavish White House welcome for Chinese President Xi Jinping was the first time the United States has hosted an “Official State Visit” for a country with whom we are at war.

But this time it’s cyberwarfare, with potential worldwide economic implications if the Chinese decide to ban U.S. software and hardware from their borders, which is a distinct possibility given their recent launch of nearly exact replicas of everything from Apple devices to Windows XP.

It’s almost certain that Beijing is waging large-scale, government-directed, cyberattacks at us: from our stock exchanges to our publicly exposed energy infrastructure to the recent hack of highly sensitive information on millions of U.S. government employees.

This is not just a matter of trying to topple infrastructure, but rather a national security catastrophe that has given the Chinese the ability to target individuals who work in our government in myriad ways.

Yet, we can’t say with 100 percent certainty what we know to be true. If a country launches missiles, you have satellite evidence of their origin. If a fleet of ships attacks our shores, the culprit wants to be known. But when an opponent uses means of indirection to attack publicly exposed infrastructure, it’s difficult to name that opponent with certainty.

That leaves the United States with one option: launching our own cyberattacks.

Cyberwarfare is nothing new, but in the past it’s been the weapon, not the war itself.

The sudden destruction of a Soviet natural gas pipeline going through Siberia in 1982 was allegedly a huge contributor to the nation’s bankruptcy and ultimate destruction, reportedly the result of us booby-trapping microchips to cause a massive explosion.

More recently the Stuxnet virus — almost certainly an NSA cyber-weapon — rigged centrifuges in Iran to self-destruct when they tried to enrich uranium. In fact, President Obama may be much more a fan of pre-emptive war than many believe, if you consider cyber attacks the modern-day equivalent.

The Chinese have long believed that U.S. software contained back doors enabling us to snoop, and their fears were likely confirmed by former NSA contractor Edward Snowden’s leak of the PRISM program.

The program is likely the reason that sitting at Obama’s state dinner table with the Chinese president were Microsoft CEO Satya Nadella, Apple CEO Tim Cook, Facebook CEO Mark Zuckerberg and Marc Benioff, CEO of

Those four had one job: to reassure the Chinese that their software contained no back doors for enabling American spying.

At this point, that may well be true. Silicon Valley leaders have pushed back hard against PRISM, and there would be no good business reason to facilitate American spying at this point — unless they were forced to do so.

Obama and Xi put on a good show, answering press questions in tandem and proclaiming they had reached “an understanding” about cyber-warfare coming to a close.

I don’t believe it for a second.

The “Great Firewall” of China is here to stay until we find a way to bring Beijing to its knees — until we find their version of a trans-Siberian natural gas pipeline.


Friday, 25 September 2015

How did you get that job: deputy administrator of NASA

‘Our government has become paranoid and insane’ – US Cyber Party presidential hopeful

Our government was founded on the principle of service, but now it is based on power. That has to stop, John McAfee, a computer security pioneer and US presidential hopeful told RT. Government should serve the people, he added.

Legendary computer wizard John McAfee wants to run for the White House in 2016 with his newly created Cyber Party.

RT: What’s the main reason you want to run for the US Presidency?

John McAfee: I think the American government is dysfunctional, corrupt and ineffective. It has created far more problems than it has solved in the past 50 years and it continues to spiral downward. We are almost last in the field of education and cyber security as is evidenced by the fact that the Chinese walked away with over 14 million records of our government employees – all of our government employees for the past 30 years – including all of our embedded agents in foreign countries. This is a coup of warfare the likes of which have never been seen before. If something is not done and done soon, I’m afraid that America will just spiral out of existence. And what’s needed more than anything else, I think, is competent leadership in the area of technology. Our congressmen, senators and president can barely spell the word ‘cyber science’, let alone, know how to program a computer. In China, try to find any leader that is not cyber aware.

RT: You want to focus your campaign on cyber security and government surveillance issues so important to you. Do you expect the American people to support these issues?

JM: Well, absolutely. Forty percent of the American workforce is technical. It is only within our government that we have the ‘non-techies’, the people who are incompetent in technology. But 40 percent of the workforce – right there are 19 million people. It is not just the technologists; I think it is a wide band of Americans that are dissatisfied with the incompetence, dysfunctionality and corruption that exists in America. And I am one of the few people who will actually say that we are a corrupt country. And we are. We interfere with the internal affairs of other nations thinking we would get off with impunity. Terrorism. There is nothing in life that is not connected in some way to something else. We are trying to solve the problem of terrorism, the previous gentleman was talking about ISIL – we call it ISIS here in the US – and how do we deal with it. We deal with it by stopping the interference of other countries. America has deemed itself to be the policeman of the world for over 50 years. We can no longer do that. I mean, we are a bankrupt nation. And we’re considering lending money to other nations. In real life we don’t get to do that – if I don’t have money in the bank I can’t lend my friends money. But our government does by merely printing more, and by doing so, it is cheating the American public because every time you print money it devalues everything that we, the workers, have worked for. So, this has to stop else we will disappear.

John McAfee: “We are in a cyber-war. It was declared on America by China two years ago but nobody noticed…They have attacked Homeland Security, the FBI and the CIA…They can push a button any moment and shut off our electricity, bring down our planes, take control of our automobiles and we’ll be back in the Stone Age.”

RT: There are plenty of other candidates running for the US top job. Who’s the hardest person to beat?

JM: I don’t think I have any real competition. We have two parties here in America – the Republicans and Democrats. They are machines, machines without heart and soul. And no matter who you are, if you are part of those parties, you become part of the machine. And nothing will change. We have a government today that is based on power. But our government was founded on the principle of service – the government of the people, by the people and for the people. That was why our government was formed by some very smart men a few hundred years ago. We don’t have that anymore. Now it is the government of the powerful, for the powerful and by the powerful. That has to stop. Government should serve the people, else why do we need government. I don’t need a mother or a father telling me what to do. I am 70 years old. But the government wants to tell us what to do, it wants to protect us. But how can it do that? We have to take security on as our own problem. We are responsible adults, we can’t expect the government to take care of us and protect us. Life is full of risk. We have to accept that as adults and just live with it.

RT: The US government has been accused of cyber-attacks and mass surveillance all around the globe. Should the US be pointing fingers at, for example, China?

JM: I have to admit that America does a great deal of cyber espionage, but most of that is done against the American people. Our government has become paranoid and insane. Homeland Security, which is the organization that was established to protect us from foreign people, governments and enemies, instead has turned inward. It now asks me and every other American citizen to remove the kimono and let them dig into the most private parts of our lives so that they can protect me from the enemy by saying “we need to look at you, to make sure that you are not the enemy we are trying to protect you from.” Do you see how insane this is? I do; many people do. And I think any American citizen who does see that insanity will see the truth in my words and hopefully get behind me.


RT: Another businessman, Donald Trump, is running for the White House. What’s your take on business people going into politics? Is the American public tired of politicians, or should one keep business out of politics as much as possible?

JM: First of all, look at the word ‘politics’. ‘Politics’ is defined as the principles and practices necessary to gain and hold power within the government. Inherently, that is an ugly definition. Do we want to elect people who want power? I don’t. I want to elect someone who is willing to sacrifice himself to serve the American public. So, Donald Trump is an excellent businessman, I cannot compete with him in business; although I have created multi-billion dollar companies but not as great as him. He ought to be going back into private business and creating jobs for the American people like he has been doing. I think he is ill-prepared for the problems of this government. He is technologically incompetent, I’m sorry to say that Mr. Trump, but you are.

You have already stated that you have never even written an email. How can you then run a country that is already in a cyber-war? And you’ve mentioned China – China has declared war on us. Not openly, they didn’t say ‘we are now at war with you’, but they have committed acts of war to take 14 million files of our government employees, including tens of thousands of embedded agents whose lives are now at risk, who may have families and children here in America. How are you going to find them, Mr. Trump, if you do not understand the technology that the Chinese are using to do this with? This is the problem, and there are no other candidates, I’m afraid, that have any knowledge whatsoever about the fundamental glue that is holding the world together now: the technology of cyber science, communication and cyber security. I’ve lived that my whole life; that’s all I know. And I know how to run businesses.
