Wednesday, December 16, 2009

US State Department Objectives for Western Hemisphere

The US State Department recently published its policy objectives and initiatives for the Western Hemisphere for 2010.

Citizen safety tops the list on the security side. The high profile programs include:
1. Merida Initiative and its follow-on programs in Mexico and Central America
2. The Caribbean Basin Security Initiative's focus on the spillover of violence into susceptible areas of the Caribbean
3. Emergency Management Agreements with Canada and Mexico to facilitate cross-border assistance in pandemic situations. The US-Canada agreements now allow for cross-border deployment of military forces in civil support roles. This was first demonstrated with Canadian aircraft providing airlift in Gulf Coast Hurricane Felix in 2008.
4. Colombia Strategic Development Initiative. The follow-on to Plan Colombia, to build upon the success of that effort.

Key things to watch over the coming year:
  1. Does Congress provide the money? And how quickly is it spent? The recent issues with the Merida Initiative are key indicators that what is promised is not always delivered in a timely manner.
  2. What "balloon effects" from increased clampdowns in Central America appear elsewhere in the region?

Friday, December 4, 2009

Cybercrime or Cyberwar?

In the recently published Virtual Criminality Report 2009, McAfee asked if the transition from criminality to war has already happened, citing evidence that countries hostile to industrial democracies are involved in some of the more serious and sustained cybercrime. In response, McAfee said, “nation-states are arming themselves for the cyberspace battlefield.” McAfee's CEO is careful to point out that experts disagree on the definitions of cyber war, but it is apparent that attacks are increasing in number and sophistication. Business, as well as government, must take steps to be prepared.

Tuesday, November 17, 2009

OAS Cyber Security Workshop

This week in Rio de Janeiro three entities of the Organization of American States are joined by the Government of Brazil in a workshop on cybersecurity. Representatives from the legal, telecommunications and counter-terrorism units of the OAS (REMJA, CITEL and CICTE), along with representatives from nearly all 34 countries of the OAS, are discussing the steps necessary to establish and implement a national cybersecurity framework.

Tune in and watch. Live meeting link here.

I am moderating panel eight on Wednesday.

Tuesday, November 10, 2009

Open Source Software and Security

Many of the issues in cyber security (malware, viruses, etc.) center on the vulnerability of proprietary software (e.g. Windows and its family of programs) to code flaws that bad guys can exploit. Proprietary software uses a closed development model where the source code (the inner workings) is guarded by the designer. Open Source (see Linux), on the other hand, lets anyone see and add to the code. The theory is that the collective intelligence is greater than any one individual's and that potential flaws can be detected and corrected by the forum of users. And the code is made available for free!

What then is the drawback? Mostly it is perception. If it is free it can't be as good or as secure as the one I paid a lot of money to get. A recent memorandum from the US Department of Defense's Chief Information Officer is an effort to debunk that idea. The memo implies that software that has undergone a peer review process is often more secure than proprietary models. It encourages agencies to consider open source in future procurements. It goes on to state that open source software may be modified at will as the need changes in the future.

For more info check out this article at Nextgov.com

Wednesday, November 4, 2009

Call for papers

The Center for Hemispheric Defense Studies (www.ndu.edu/CHDS) is planning its next Sub-Regional Security Conference to be held in June 2010. The conference focuses on security issues affecting Mesoamerica (Colombia, Central America, and Mexico). The Center has issued a call for abstracts based on the conference themes:
  1. Area 1: Causes and effects of the insecurity, criminality and violence in the region and its impact on society
  2. Area 2: What has been the response and impact of response by individuals, governments, and NGOs?
  3. Area 3: What programs, processes, legal changes, etc. could be taken to improve the effectiveness of the fight against violence?

The papers selected will be presented at the conference, with travel funding provided by the Center.

Get more information at http://www.ndu.edu/chds/docUploaded/SRCMexico2010.pdf

Monday, October 26, 2009

Recognizing the risk that weak controls in partner nations present, the European Commission recently proposed a series of recommendations based on the risk of attack and the current structural limitations. This again points to issues of privately owned and controlled infrastructure that is critical to daily life. This article reports on the inquiry being conducted by the political oversight organization. Key questions that the politicians are asking include:
  1. How vulnerable is the Internet to widespread technical failures?
  2. Is the Internet industry doing enough to ensure the resilience and stability of the Internet, or is regulatory intervention unavoidable?
  3. Is the European Commission's concern about cyber attacks justified, and should the military be more involved in protecting the internet?
  4. Are government-operated computer emergency response teams an appropriate mechanism for dealing with internet incidents?
  5. Is it sensible to develop Europe-centric approaches to response infrastructure or should there be more emphasis on a worldwide approach?

All good questions. Questions that all governments should be asking.

Friday, October 23, 2009

Georgetown University: Cyber Security, Law, and Policy

Excellent panel discussion on policy issues surrounding cybersecurity in the US. Discusses the problem in getting Congress and the public to see cybersecurity as a risk and threat to national security.

Policy efforts have lagged in recent months as the White House and Congress are focused on healthcare and other issues.

Factual vice inflammatory. Pentagon leads the way as others stand and wait.

Healthcare info at risk

A recent survey of US Healthcare Industry ICT professionals conducted by the Ponemon Institute again points out that electronic information is a target for criminals. The operators know the risks but cite lack of management support as the major impediment to security.

The benefits of electronic records are many. The ability to quickly inform providers of a patient's medical history, medications, and family risk factors is essential to providing proper treatment (and at lower cost and risk!). This explains the recent emphasis on electronic medical records in economic stimulus efforts and the health care insurance reform debate ongoing in the US.

Policy makers and industry leaders must keep patient confidence if the savings are to be realized.

Thursday, October 15, 2009

Lessons to be learned from the private sector

In an article on Risk Center author Tami Casey reports on a survey of computer professionals for large companies about how difficult it can be to convince executive management of the need to invest in security of web based applications.

The keys to laying out the case have applications in the government world as well. Let's look at the recommendations:

  • Effectively communicate the issue and build application security awareness. Executive management might not understand the impact or urgency of fixing security defects. Explain the importance of preventing a data breach, identity theft, unauthorized access and downed websites. Be sure to stay clear of jargon and use real world examples highlighting damages to companies. It's important to provide training on Web security issues to all functions and not just developers. For Governments this translates to teaching your leadership and explaining the political implications of failure.
  • Align your security strategy with business objectives. Discuss specific management goals and point out how a security breach could stand in the way of meeting these objectives, be they revenue or corporate reputation goals. Government version: focus on political risk and failure to meet citizens' needs
  • Calculate the ROI. The cost of a breach can be $500K or more per incident. For example the Heartland Payment Systems breach is estimated to have cost the company $12.6 million along with damage to their reputation and a dramatic drop in the company's stock price. For government it is not ROI but rather cost avoidance and funds that can be used for more productive work/services. When governments fail to protect citizen information direct costs can also be incurred.
  • Cite laws and compliance issues. Be sure to point out penalties for non-compliance with regulatory standards, which can pile up quickly. It is bad form for government officials to fail to obey their own regulations!
  • Emphasize Web app security as part of the software development process. Include stakeholders from the development team through QA and production. This is the key. Government is a very large player in the IT services and procurement industry. It must demand quality products for its investments.

Pirated software source may carry unwanted surprise

A recent report from the Business Software Alliance (BSA) states that 41% of the software on PCs is pirated. Not only is this illegal, it is a serious security threat. Cyber criminals take advantage of individuals' desire to "get something for nothing" and use pirated software packages to insert malware into gullible hosts.

Pirated software is most likely not patched (software vendors use technology to determine if you have a valid copy of the software before doing updates). Thus known vulnerabilities are left open for exploit.

The BSA report also indicates that geographies with high levels of software piracy also have high levels of malware infections. Mexico and Brazil are nations with high piracy and infection rates. See below.

Thursday, September 3, 2009

Insider threat and cyber security

A well-known vulnerability in cyber security is the threat posed by an insider, i.e. an employee or former employee who for some reason decides to turn to the dark side. Using knowledge gained on the job, and access often not terminated at departure, the insider is able to steal data, divert funds, or manipulate systems to cause damage or loss. There can be severe financial losses, as in the Société Générale case. A recent Foreign Policy article discusses the case of a California contractor who was not offered a full-time position taking control of an offshore oil rig via its communication link. As more systems move to automated and unmanned control systems, the risk increases.

Sobering thought as Brazil moves to exploit its newly discovered deep water reserves. Automation saves significant costs, but it's not a free lunch.

Monday, August 31, 2009

Cyber Storm III, practicing the policy

The US Dept of Homeland Security recently announced the date for Cyber Storm III. This third event in the series will be the first chance to test the Obama Administration's cyber security strategy.

As pointed out in the linked article, it is a chance to test the policy issues of coordination between Federal and State/local government and between the public and private sectors.

An old dictum states that the scene of a disaster is not the place to exchange business cards for the first time.

This will be an interesting project to follow, especially if they open it to international players.

Aerial Surveillance backs up surface assets

Predator drones have proven their worth in the ongoing wars in the Middle East. They are now being used to supplement the US Customs and Border Patrol efforts along the northern and southern borders of the US. In an article on Federal News Radio, Dorothy Ramienski cites CBP sources: since 2004, Customs and Border Protection unmanned aircraft have flown more than 4,500 hours, adding to close to 5,000 arrests, and they are extremely useful for classifying a contact. The Predator is also used for quick follow-up if and when a stationary sensor on the ground goes off, and has eliminated some false alarms.
"The Predator is usually the first aircraft to arrive. From its kind of covert vantage point, it's able to detect what happened -- what caused the sensor to go off. It could be . . . wildlife, for example. In that kind of a case, we're able to package the right response forces."

The long loiter time of RPVs allows for extensive coverage of an area, and their relative speed allows for quick target discrimination. Look for great use of this technology in the years to come elsewhere in the region.

Thursday, August 27, 2009

Conficker and Cyber War

Two recent articles from the NY Times on Conficker and the limitations of cyberwarfare point out the risks and the paucity of tools to combat cyber threats.

Conficker is a complex and soundly designed worm program that has infected more than 6 million computers worldwide. Over 200 countries have compromised computers. Buenos Aires is thought to be one of the initial infection points. Even though fixes have been available since January 09, the worm continues to spread and even takes measures to protect itself!

The big problem is that no one (besides the maker/controller) really knows what it was designed to do. Someone controls more than 6 million computers that can be unleashed at will.

This brings us to the second article, which discusses the limitations and controls on military (and by extension law enforcement) forces to take action. The good guys have the same abilities that the hackers and malware authors possess, but they have to operate under rules of engagement and the norms of law and war. Is an attack via computer on a country's critical infrastructure an act of war? Dropping a bomb or launching a missile certainly is. A nation's power grid is a legitimate target for aircraft and missiles in a shooting war; wouldn't it be in a cyber war? What can be done in self-defense? The UN Charter permits self-defense under Article 52. Are we ready for wars fought with electrons?

Lots to ponder.

Tuesday, August 25, 2009

Smarter Malware

In an article on Dark Reading, Kelly Jackson Higgins talks about the new threat in malware. These subtle, targeted pieces of code are designed to obtain specific information from the victim organization. When combined with "spear phishing" attacks, the door to a company's or government's secrets is thrown wide open.

And it isn't only big guys who need to be worried. Small companies are now being targeted. Criminals go where the money is.

Thursday, August 20, 2009

Cyber security: an essential part of national security?

As I sit here blogging away, I am pondering the relationship between cyber security and the larger framework of national security. Each day trillions of dollars circle the globe in electronic transactions. Criminals probe networks looking for items to steal. Others use malware to gain access to government secrets or to gain control of critical infrastructure. The economy and critical infrastructure are key to the functioning of government and the security of its people.

Traditionally in Latin America, security is seen as a domestic (inside the borders) issue, addressed foremost by law enforcement agencies. Defense is the realm of the military and looks at threats from outside the border. Where does the threat come from in the virtual world? Wherever there is a computer plugged into the Internet.

The United States as early as before 9-11 went on record with the international dimension of the threat. The problem has only gotten worse and the risk greater. Why rob a bank in person when you can sit behind a computer and do it from a safe distance?

The United States recently established USCYBERCOM to take the lead from the Department of Defense perspective on this threat to national security. It complements several law enforcement agency efforts like the http://online.wsj.com/article/SB124632958157771629.html, FBI, and Dept of Justice.

It is time for governments and militaries in the Americas to get serious as well.

Monday, August 17, 2009

Mexico Replaces Customs Force

Over the weekend, Mexico replaced its entire force of customs officers. They also doubled the number of officers. See the article here:

Although couched as a means to increase compliance for revenue purposes, the move clearly has security implications in Mexico's ongoing fight with its drug cartels. Better trained and equipped customs agents are better able to detect illicit shipments of all types.

The new agents are more highly educated than their predecessors (70% with college degrees vice 10% of the previous force.) Hopefully their pay will match the newly desired level of professionalism.

Virtual Borders

Here is an interesting piece from the BBC on electronic borders. It discusses the EADS deal with Saudi Arabia to install an electronic system for monitoring its land and sea borders. Systems such as SBInet use advanced electronic equipment such as cameras, radars, motion sensors, etc. to detect individuals, groups or vehicles crossing a border between recognized check points. In theory, these detections can then be passed to law enforcement to conduct the intercept and apprehension. It is analogous to air intercept with an AWACS and fighters.

The challenges come with integration of multiple sensor systems. Determining if the motion detector picked up a person or an animal is a non-trivial problem. Likewise finding people in a sandstorm.

Then you have to communicate with your interceptors.

Lots of promise, but lots of risk.

Friday, August 14, 2009

Where to start?

After considering the landscape and out of curiosity, I have decided to blog. The thoughts on this blog are my own and will reflect my eclectic experiences and interests. Trained as an engineer, I decided that I should study international affairs and then business administration as a grad student. Really it all made sense at the time. My recent professional efforts have placed me in an academic position interacting with defense and security professionals from across the Americas. It is from this vantage point I will comment.

My current academic interests focus on homeland defense and security issues. I believe that there is an under-appreciation of the risks of the threats to the cyber and critical infrastructure in the region.

In a virtual world, your border is wherever someone can plug into the net.