Posts Tagged ‘Department of Defense’
Monday, April 29, 2013 @ 04:04 PM gHale
A policy through which federal departments offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on private networks of defense contractors expanded by Executive Order to include other critical infrastructure industries, according to the Electronic Privacy Information Center (EPIC).
EPIC said the pilot-version of the program run with the Departments of Justice (DoJ), Defense (DoD), and Homeland Security (DHS) came to light in June 2011 after The Washington Post published a report detailing the implementation of a new program by National Security Administration that let them monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, The Washington Post quoted Deputy Defense Secretary William J. Lynn III saying the program was to help thwart attacks against defense firms and the government hoped to expand the program moving forward.
The documents obtained in the a Freedom of Information Act (FOIA) request, EPIC said, reveal the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.
EPIC, digital rights group the Electronic Frontier Foundation, and others fear the program’s expansion would apply to the broad swath of organizations that potentially fall under the vague category of critical infrastructure.
The government has not yet named the program, but EPIC said the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.
For its part, the NSA said it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures the agency has developed.
EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”
The government failed to provide any of this information. So, EPIC filed a FOIA lawsuit on March 1, 2012 and eventually gained access to thousands of pages of previously unreleased documents, which they have posted on their website.
Wednesday, January 30, 2013 @ 05:01 PM gHale
Cyber threats are real and abundant and the government is keenly aware it needs to lock in security policies and procedures.
Just look at what is going on. The Senate keeps pushing for legislation to improve information-sharing on threats and attacks. President Barack Obama is looking to issue an executive order on cyber security and the Department of Defense (DoD) is looking for a massive increase in the number of trained cyber security professionals to defend the country’s private and public networks.
Security professionals working on these assignments right now is difficult to narrow down as quite a few work in agencies that don’t discuss their operations. Also, some work in dual-tasked positions and don’t focus on just one assignment. However, officials from the Department of Defense have been pushing for more funding to hire more trained security professionals.
Now, that push seems to be paying dividends. The Pentagon’s goal is to increase the number of security professionals from fewer than 1,000 to 5,000 in the next few years. Those personnel will comprise military and civilian security professionals, and the goal will be to defend the country’s critical infrastructure as well as government and military networks.
This all comes just a few days after Janet Napolitano, secretary of the Department of Homeland Security, warned a nation-level incident of the scale of 9/11 could occur sometime soon as a result of a cyber attack. Napolitano is not the first to warn about the possibility of such an attack, but is rather the latest in a long line of government officials, presidential advisers and security experts to raise that specter. Security researchers also have warned in recent years about serious vulnerabilities in the SCADA and ICS systems that run much of the network infrastructure in utilities, financial systems and other critical areas.
In October, DHS officials warned SCADA system operators about an increase in the level of malicious activity targeting those systems.
“Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities,” the alert said.
The new plan from the Pentagon contemplates the creation of several separate groups of cyber security personnel, each with a different set of responsibilities. One group will defend networks used by critical infrastructure entities like utilities. Another team will be responsible for defensive and offensive military operations in cyberspace, and the third group will work on fortifying the DoD’s networks.
All of the groups will report up to the U.S. Cyber Command, a relatively new arm of the military headed by Gen. Keith Alexander, the director of the National Security Agency.
Monday, September 17, 2012 @ 04:09 PM gHale
U.S. power grids and other civilian infrastructure are not prepared for electromagnetic pulses (EMP) that could result from weapons or violent space weather, according to a congressional subcommittee hearing last week.
There are serious flaws in the nation’s infrastructure that could allow for EMP events to shut down power and communications for extended periods of time, said panelists at the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, headed by Chairman Dan Lungren R-CA.
“Our civilian grid, which the Defense Department relies upon for 99 percent of its electricity needs, is vulnerable to these kinds of dangers,” Rep. Trent Franks, R-AZ, testified during the hearing. Franks, one of the leaders of the Congressional EMP Caucus, sponsored legislation in 2011 to protect U.S. infrastructure in the event of an attack by an EMP weapon.
Michael Aimone, a director of business enterprise integration at Defense, said the Pentagon had pursued a “two-track approach” to mitigate the impact an EMP attack could have on Defense facilities. He said his plan relied on in-house capabilities to maintain power and electronics and a means to communicate and coordinate with outside partners.
“DoD recently adopted an explicit mission assurance strategy, which is focused on ensuring operational continuity in an all-hazard threat environment,” Aimone said.
EMP disruptions and attacks can come from different types of events, including high-altitude or low-altitude nuclear weapons detonations, locally based radio frequency weapons, and solar weather. One of the largest impacts from an EMP-based disruption was in Quebec in 1989, when nearly 6 million people lost power because of a geomagnetic storm.
Brandon Wales, of the Homeland Security Department’s National Protection and Programs Directorate, said DHS was working with federal agencies on contingency plans for an EMP event. He said Federal Emergency Management Agency was establishing lines of communication with key agencies in case an EMP event occurs, and that Homeland Security Secretary Janet Napolitano had commissioned a report in 2011 to study the impact of space-based EMP attacks.
“DHS has pursued a deeper understanding of the EMP threat, as well as its potential impacts, effective mitigation strategies, and a greater level of public awareness and readiness in cooperation with other federal agencies and private equipment and system owners and operators through various communications channels,” Wales said.
Common standards for power grid equipment are a major issue, said Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. He said current standards to protect infrastructure and equipment do not address the many levels within the power grid and should undergo an update.
“Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure,” McClelland said.
Tuesday, May 15, 2012 @ 07:05 PM gHale
Cyber security is the top issue keeping federal agency CIOs up at night, followed by controlling costs and managing human capital, according a new survey.
Forty CIOs and other federal IT leaders, from agencies including the Department of Defense, Homeland Security, and Veterans Affairs ended up interviewed by TechAmerica, a tech industry group. Twenty percent identified cyber security as their top concern, followed by 15% who pointed to controlling costs, and 12% human capital.
While most of security resources direct toward outside threats, internal threats are a growing concern, respondents said. At the same time, TechAmerica said outside threats are on the rise and becoming more sophisticated.
One CIO said IT security is inconsistent in federal government and quality is “all over the place.” A consequence of such concerns is agencies are unwilling to embrace federal IT goals for centralization and mobility, according to the report. There would be less concern if there was a consistent, high-quality security framework applied across government.
Survey respondents recommended agencies identify which department “owns” security; that they plan ahead and build infrastructure with security in mind; and the government develop sound metrics for security monitoring.
Cost control was the second most-mentioned concern of federal CIOs, a reflection of flat IT budgets over the past three years. Some said budget discipline drove changes such as dropping unused software licenses and adopting thin-client hardware. However, across-the-board budget cuts were the “most feasible and least effective way” to control costs.
Wednesday, April 11, 2012 @ 05:04 PM gHale
By Richard Sale
The Stuxnet virus that damaged Iran’s nuclear program was implanted by an Israeli proxy — an Iranian, who used a corrupt “memory stick.32,” former and serving U.S. intelligence officials said.
In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said.
Cyber Warning: Duqu’s Back
Duqu Still at Work
Duqu Report: Code is Old School
Stuxnet, Duqu Link Grows Stronger
Stuxnet to Duqu: The Waiting Begins
Duqu and Rumors of War
A New and Frightening Stuxnet
These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents” would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.
Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.
As ISSSource reported, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.
But the United States never indulged in targeting killings of Iran scientists, and former senior U.S. officials said the U.S. public remained unaware of a separate Israeli program, independent of the United States, that has for ten years been assassinating key Iranian nuclear scientists and sabotaging key Iranian facilities using a proxy group of Iranian dissidents. These dissidents have a functioning, effective network inside Iran and they have access to officials in the nuclear program.
The MEK has a shadowy and unsavory history. Founded in the 1970s, the group was stridently anti-shah and allied itself with the dictatorship of Iraq’s Saddam Hussein from which it received most of its supplies. Performing security for Saddam, the MEK assisted Saddam in the slaughter of his domestic opponents and the massacre of Iraqi Shias and Kurds in the 1991 uprising.
As the military wing of the National Council of Resistance of Iran (NCRI), the MEK targeted Iranian officials and government facilities in Iran and abroad. In the 1970s, the group also attacked and killed Americans. According to one former senior CIA official who spoke on background to ISSSource, the MEK is particularly violent. In France, they conducted killings in Paris, including six or seven U.S. Army sergeants.” He added the French “were terrified of them.”
In 2003, the United States listed the NCRI as a terrorist organization and closed its Washington office. U.S. forces in Iraq captured the MEK’s weapons and turned the MEK over for investigation of terrorist acts. Since then, the group has been picking off Iranian nuclear scientists one by one.
When ISSSource asked Paul Pillar, a 28-year CIA veteran whether Israel was killing secondary or tertiary scientists instead of its major ones, he replied, “Israel kills any Iranians it can.” Since 2007, five Iranian nuclear scientists have been killed in Iranian territory, many victims dying from magnetic bombs that terrorists had attached to the exterior of their cars.
The damage caused by the MEK is not confined to killing individuals. On Oct. 12, 2011, just before Iranian President Mahmoud Ahmadinejad was to arrive in Lebanon, a huge blast destroyed an underground site near the town of Khorramabad in western Iran that housed most of Iran’s Shehab-3 medium-range missiles capable of reaching Israel and Iraq. A far right wing Israeli website, Debka, reported Iran suffered a “devastating blow” to its nuclear program. The blast killed 18 and wounded several more.
Former and serving U.S. officials both fingered the MEK as the killers. One such official said “computer manipulations,” caused the blast. They said the spies inside Iran had the access, the contacts, the positions and technical skill to do the job. “Given the seriousness of the impact on Iran’s (nuclear) program, we believe it took a human agent to spread the virus,” said one former U.S. intelligence source.
Meanwhile, going back to Stuxnet, once the memory stick was infected, the virus was able to infiltrate the network and take over the system. U.S. officials said they believe the infection commenced when the user simply clicked on the associated icon in Windows. Several reports pointed out this was a direct application of one of the zero-day vulnerabilities Stuxnet leveraged.
Building and deploying Stuxnet required extremely detailed intelligence about the systems it was supposed to compromise, and has made reprogramming highly specific installations on legacy systems more complex, not less. According to reports, the Stuxnet mystery was unveiled in June 2010, when a small company called VirusBlokAda in Minsk, the capital of Belarus was emailed by a dealer in Tehran about an irritating problem some of his clients were having with their computers.
The company analyst saw the computers were constantly turning off and restarting. At first the analyst thought it was just a problem with the hardware. But when they said several computers were affected, not just one, VirusBlokAda understood it was a problem with the software the computers were running.
U.S. officials confirmed Stuxnet takes advantage of zero-day vulnerabilities. This type of virus had been previously undetected, and remained unidentified by anti-virus software. According to public reports, early versions of Stuxnet used certificates by Realtek Semiconductor systems – later versions used certificates from JMicron Technology Corp. The use of these certificates gives the worm the appearance of legitimate software to Microsoft Windows.
In a report, Symantec said yes, Stuxnet was “splattered” far and wide, but it only executed its damaging payload where it was supposed to. The virus was so efficient that it could deliver its payload only to the designated target, and would not damage adjacent machines. Another expert, a former CIA official, likened it to a flu virus that only makes one family sick. Stuxnet was designed for sabotage, not crime.
It is interesting to note Stuxnet was not the first virus used by the U.S. military intelligence to try and disable opponents. In the 1980s, the United States had considerable success at planting viruses inside Soviet military-industrial structure that could be activated in time of war, a process still continuing with China. “We put in bugs inside the Soviet computers to feed back satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.
In December 1991, just before Desert Storm, the CIA and the British Government Communication Headquarters (GCHQ) had experimented with all sorts of viruses to inject into Iraq’s computers. In December, CIA operatives, working in Jordan, infiltrated bugs into hardware smuggled across the border and into Baghdad.
Once in place, NSA and GCHQ believed the virus would spread like a virulent cancer through the Iraqi Command and Control system, infecting every computer system it came across. But before the virus had reached its target, the air war began. U.S. planes destroyed Saddam’s command and control network, including the buildings where the infected computer hardware had been so successfully inserted. As a result, one of the most successful intelligence operations of the war was buried beneath the rubble. “The intelligence people were very pissed — all that work for nothing,” said a former senior DoD official.
Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
Tuesday, March 27, 2012 @ 06:03 PM gHale
Foreign spies continue to penetrate federal networks and current perimeter-based defenses that attempt to curb intrusions remain outdated and futile, network security experts said last week.
Speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities the experts told Senators the U.S. government needed to abandon the notion that it could keep outsiders off its computer networks.
“We’ve got the wrong mental model here,” said Dr. James S. Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”
The situation is “an environment of measures and countermeasures,” said Zachary J. Lemnios, the assistant secretary of defense for research and engineering at the Department of Defense.
“We can do things to make it more costly for them to hack into our systems…,” Senator Rob Portman (R-OH), ranking member of the Emerging Threats and Capabilities subcommittee said as a point of clarification, “but you didn’t say we can stop them.”
Dr. Kaigham J. Gabriel acting director of DARPA likened the situation to treading water in the middle of the ocean as a metaphor to describe the state of security on federal networks. Treading water is a great way to stay alive, to buy breathing room, he said, but treading water in the middle of the ocean inevitably leads to drowning.
“It’s not that we’re doing wrong things, it’s just the nature of playing defense in cyber,” Gabriel said.
All the experts called for better offensive capacities, but opted to wait for a closed-door session to go into specifics.
Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators the federal government also faces a dire shortage of talent exacerbated by a sclerotic hiring and promotion system within the government.
The average annual salary increase for computer scientists in the private sector is 4 percent. The government norm is pay-freezes and DoD enforced pay-caps, Wertheimer said. He noted individuals with a PhD in computer science can enter the DoD at pay-grade 12, making, at most, $90,000 a year, and then stays at that pay grade an average of 12 years before winning any sort of promotion. Even with those obstacles, agencies are limited in the amount 13, 14, and 15-grade employees they may have on payroll.
Finally, staffing ends up complicated by the fast-revolving door between the government and its private contractors, which lure away top talent, then hire it back to the government at inflated rates. Historically, the government has lost about one percent of their IT talent annually; this year the government is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said 44 percent of the NSA resigns from their position as opposed to retiring. Within the NSA’s IT staff, that figure is 77 percent resigning as opposed to retiring.
Peery pointed out Sandia National Laboratories, which operates under the DoE, pays starting salaries of $115,000 and $95,000 to persons with PhDs and Master’s in computer science respectively. Gabriel argued a focus on candidates with advanced degrees may be misguided, and a model with the expectancy of high turnover rates may not be such a bad thing. He explained he has a group of “cyber-punk” program managers that developed their skills in the hacking community. He says their skill sets have a 4-5 year shelf-life before DARPA needs to go out and hire newer white hats.
Friday, February 24, 2012 @ 02:02 PM gHale
Critical infrastructures are dependent on information technology systems and computer networks for essential operations.
Reliability and resiliency of the systems that interconnect these infrastructures is vital. The National Cyber Security Division (NCSD) collaborates across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to protect against cyber threats.
Cyber Security Evaluation Tool (CSET) version 4.0.1, a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets, is now ready to help users start protecting their systems.
Developed under the direction of the DHS’ NCSD by cyber security experts and with assistance from the National Institute of Standards and Technology (NIST), this tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes high-level and detailed questions related to all industrial control and IT systems.
CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.
The output from CSET ends up as a prioritized list of recommendations for improving the cyber security posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cyber security standards, guidelines, and practices. Each recommendation links to a set of actions that can apply to enhance cyber security controls.
Designed for easy installation and use on a stand-alone laptop or workstation, CSET incorporates a variety of available standards from organizations such as NIST, North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to answer.
The answers to these questions will the compare against a selected security assurance level, and a detailed report will show areas for potential improvement. CSET provides a means to perform a self-assessment of the security posture of your control system environment.
Some of the benefits include:
• CSET contributes to an organization’s risk management and decision-making process
• Raises awareness and facilitates discussion on cyber security within the organization
• Highlights vulnerabilities in the organization’s systems and provides recommendations on ways to address the vulnerability
• Identifies areas of strength and best practices followed in the organization
• Provides a method to systematically compare and monitor improvement in the cyber systems
• Provides a common industry-wide tool for assessing cyber systems
CSET is available for download right here.