
August 29, 2009

United States of America

From My Cold, Dead Hands

Government 'Net Grab Is Not The Path To Better Security

By Michael Tanji | August 29, 2009

It was recently reported that in the Senate there is a bill that, if signed into law, would give the government control over Internet service providers and commercial computer systems during national emergencies. While I'm sure everyone's heart is in the right place, this is one idea I hope gets sent to the bit bucket.

Normally in such power grabs there is at least some semblance of high ground upon which the claimant stands, so let's look at the government's foundation:
  • The government has national and service-level cyber commands, a national cyber security center, a JTF-GNO, and a Comprehensive National Cybersecurity Initiative . . . but it can't get a passing grade in security.
  • To oversee governmental efforts in the cyber security arena a "czar" position has been created, but the job has been open and gone begging for months. The usual suspects for such a job have all demurred because it's a job with a lot of responsibility but no authority. Just the sort of situation one should NOT be in if a cyber security emergency were declared.
  • The government doesn't run things that don't lend themselves to the bureaucratic approach well. I won't pick on any specific agency or governmental function, but writ large, when is the last time you had a fast, efficient, effective time with any government agency? The Internet is pretty much the exact opposite of a government bureaucracy, but they would presume to assume even temporary control without adverse results.

On a more basic level however, we don't have any idea of what constitutes a threat sufficient to trigger an emergency declaration. If, as a wide range of officials have noted, Internet-connected systems are being attacked thousands of times a day (or hour, depending on who you listen to), shouldn't an emergency have been declared years ago? If, in a color-coded threat-matrix sort of fashion, 'Red/Severe' is the new 'Yellow/Elevated,' when does the state of emergency end?

The Internet isn't a right, but it is a major part of our lives from a personal, commercial, and national security perspective. The government is right to want to keep us safe (and its powers during crisis make this bill look positively tame), but government-as-cyber-security-Shogun doesn't improve security or our collective response to threats. Commercial networks are attacked constantly and major security breaches hit the news every few months. These entities know how to mitigate the effects of such attacks and recover to full operational capability because not doing so means going out of business. The government doesn't have a problem causing a self-inflicted denial-of-service on itself because the bureaucracy drives on with or without the Internet. That's not the sort of mindset you want when the digital balloon goes up.

If the government is truly serious about improving cyber security (and getting off the ten-year cycle of caring/not-caring), then it needs to:

  • Set standards for cyber security. NIST is already doing a fine job in that area and they could probably stand additional resources to keep up the good work.
  • Pass laws that require that online entities of national import follow the aforementioned standards. It should rigorously enforce those laws and prosecute those who intentionally endanger systems of national import, just as they would anyone who compromised national security in a physical manner (something that isn't done with anywhere near the intensity as it should).
  • Enable the ability of commercial network owners to share security information with each other and the government without fear of penalty or backlash from an economic perspective. No one shares because no one wants to deal with negative publicity or a lawsuit. There is a way to share meaningful information w/o worrying about privacy, but after a decade+ even I get tired of talking to brick walls.
  • Encourage the development and promulgation of network services at low-levels. Just as communities and even individuals can generate their own electrical power and sell the excess back to the grid, so too should smaller entities be able to provide their own network connectivity and support network traffic other than their own during a crisis. Such a move adds complexity to the system (making it harder for an adversary to understand and thus fully nullify) and increases resilience regardless of the nature of a crisis.

The way to deal with a cyber security emergency on a national level is not consolidation, but distribution. That's kind of the reason the 'Net was invented in the first place: to make sure if one node in a network was taken out, information could flow to its intended destination regardless. Centralized management provides the illusion of control, but it doesn't make things more secure; it just makes things more brittle. When such systems do break - and they will - the damage will be more severe and it will take longer to recover.

I don't think anyone, regardless of their party, wants that.

August 24, 2009

United States of America

The Road to Ruin

To Get Righteous, Get Historical, Not Criminal

By Michael Tanji | August 24, 2009

There are renewed calls for an investigation into allegations of torture and other bad acts by those who were there. Their point is taken, but they're not thinking things through.

First, there is the scale problem. No one that I am aware of is alleging that abuses - real or perceived - were widespread or commonplace. As you would expect when danger and fear hangs in the air like pea-soup and confusion and conflict reigns: some people went nuts. Some people thought that adopting certain training techniques would work against an entirely different audience than American pilots or operators. Let's face it: we hadn't had to run an interrogation activity on this scale and against this set of bad actors ever. That's not an excuse, but it explains a lot. Go "wide-ranging" and "criminal" and you're going to sweep up a lot of good people with the bad. I don't care how good your intentions are, that's usually how it works. Insert your own two-wrongs and a right analogy here.

Second, you can't on the one hand berate or otherwise harangue intelligence officers, especially collectors, for not taking risks and leaning forward in the foxhole and then drop the hammer on those who did what you asked (flawed and well-intentioned as they may have been) and not expect everyone with a modicum of perception to not take the hint: It's time to shut up and color. Anyone working around the IC immediately after the downfall of Saddam knows how it works: 'No weapons of mass destruction. You analysts are all idiots. From now on you're just going to re-package reporting and leave the thinking to someone else.'

Third, there is no such thing as a non-partisan inquiry or investigation. If it's associated with Congress, even if the split is 50/50, it's going to be political and biased. They don't know any other way to operate. Especially these days, anything war or intelligence related is a witch hunt and intelligence officers are cheap, easy fodder for the stake. The gentlemen in the referenced article and their colleagues arguing for an investigation are right to do so, but they are naïve to believe that only malfeasants will pay a price and that the after-effects of any investigation won't reinforce a culture of faint-heartedness where only the timid thrive.

Finally, I agree that we need to look back to see what went wrong, document it, promulgate that document, and make sure we don't do it again, but there is a difference between an after-action report and an indictment.

I submit that what we need is a penetrating, authoritative and comprehensive investigation that is historical and not criminal in nature. If we are truly interested in learning from our mistakes and making sure future operations are not tainted by abuse and scandal - as unpopular as it might be - a handful of people now are going to have to receive get-out-of-jail-free cards so that the generations that come after us don't repeat our mistakes.

This isn't going to be a popular option, but for all the reasons stated above (and probably several more) there is no other course of action between pretending it didn't happen and hauling everyone up in front of a truth commission, that will keep our intelligence apparatus effective and at the same time get us back on the path of righteousness.

August 19, 2009

United States of America

More Reasons For A Matchmaker, Not A Czar

They can't stop poverty or drugs; they're not stopping cyber threats

By Michael Tanji | August 19, 2009

It is almost an annual occurrence now, the 'biggest hack ever.' Unlike other major events of a malicious nature though, cyber-based mayhem brings with it decreasing levels of interest and concern. The hubbub of the Heartland Payment Systems compromise in 2007 was less an event than the TJX compromise of 2005. I would not count on 2010's "biggest hack ever" to even make the Drudge Report.

Would the "biggest hack ever" have been thwarted had we been addressing cyber threats at the national-level with a cyber czar? "Czars" head our national efforts against poverty - a 40+ year effort - and drugs - a 40 year effort - is anyone foolish enough to argue that there are no poor people or drug addicts in this country?

One look at the nature of this latest compromise explains why a cyber czar - in the model of governmental czars before them - is doomed to failure. It took the full force of the government, and probably no small amount of effort by the compromised institutions, to arrest one whole individual. This is as close to superempowerment as you're going to see outside of a movie theater. Gonzales' cohorts are safely out of reach of US authorities, and for those who can remember that far back, the only reason Ivanov and Gorshkov were arrested was because they were foolish enough to set foot on US soil. The cyber czar could have a cyber army and he'd still lose to three guys in their respective basements.

You don't fight a network with an org chart; you fight it with a competing network. That's why a cyber czar is a non-starter (I point to the long list of usual suspects who won't take the job as supporting evidence). What this nation needs is someone who understands government's problems (both at a national and agency level) and industry's solutions and can make sure the right people are working together (government-to-government, government-to-industry, industry-to-industry). The more networks, or at least the more effective networks we build that are designed to combat cyber threats, the more effective we will be at stopping or mitigating the effects of said threats.

We need someone at the national-level addressing the security of cyber space; we just need to make sure the job requisition is written properly.

August 18, 2009


It's The Terrorism, Stupid

About That "Without Preconditions" Caveat On Talks With Iran...

By Steve Schippert | August 18, 2009

A funny thing happened (and keeps happening) along that road to meeting with the Iranian regime "without preconditions." Seems we keep finding such bothersome things as dead American soldiers and Iranian-made weapons on various battlefields. The Associated Press offers Exhibit 1,347b of An Inconvenient Truth: Iraqis find Iranian-made rockets after US attacked.

U.S.-backed Iraqi troops seized a launcher loaded with more than a dozen Iranian-made rockets and detained three suspected militants after an attack against the American base outside the southern city of Basra, officials said Tuesday.

Col. Karim al-Zaidi said the missiles were found in an eastern section of Iraq's second largest city after rockets targeted the U.S. base Monday evening.

The U.S. military confirmed that 16 rockets were found and three suspects detained by Iraqi troops who responded to the attack. It said no casualties were reported.

At some level, surely the Obama administration wishes the Iranian regime would stop putting such speed bumps of inconvenience along the path to the inevitable Dog & Pony Show that will be "talks without preconditions." It makes it quite difficult to craft the pseudo-intellectual language required to explain away rubbing elbows with a thuggish theocratic regime which draws as much pleasure from murdering, beating and torturing its own dissenting citizens as it does servicing the killing of American soldiers deployed overseas.

The Iranian citizens can apparently pound sand, as the leader of the free world, widely touted as the best communicator in the Office in decades, failed to find the words to offer them support. Fearful was he that he would alienate the nasty regime beating down its own population, his would-be high-profile negotiating partner.

Can it be extrapolated that the American Armed Forces can pound sand, too? They have this habit of dying at the hands of Iranian EFP's (Explosively Formed Penetrators) and coming under attack from other Iranian weapons, as the story above clearly reminds. This must be quite annoying.

The President of the United States and Commander in Chief of her Armed Forces has an overriding responsibility to the security of those under his ultimate charge. Unfortunately, President Obama chooses to continue to focus on the Iranian nuclear program, even while clumsily nodding that the Iranian regime has the right to nuclear technology.

It's the terrorism, stupid.

General Petraeus understood this and made a point of highlighting quite publicly all of the Iranian weapons, networks and Quds Force terrorists busy killing and facilitating the killing of the men and women under his Iraqi command. If only the President of the United States took such personal ownership of the responsibility to those brave men and women serving both Americans and Iraqis.

It's the terrorism, stupid.

Why don't we fear the Indian nuclear arsenal? Or even the Pakistani nuclear arsenal for that matter, presuming the Pakistani government's positive control over these weapons? Why do we fear Iran with nuclear weapons exponentially more so than any - any - other nation with the same?

It's the terrorism, stupid.

It seems "Stop killing Americans" would be a reasonable precondition, nay a responsible precondition, to any talks with the Iranian mullah regime on any subject at all. Such wouldn't even require the intellectual energy of nuanced language.

But instead, the grand international stage is being set. The actors and props are taking their proper places. President Obama said he would decide whether his "open hand" policy toward Iran was working by the G20 Summit in Italy in September. Right on time, as usual, the Iranians had their envoy to the IAEA signal that, yes indeed, Iran is ready now to begin talks (about talks) with the West on its nuclear program, provided there are "no preconditions." The Iranian regime's violent put-down of its own population, which continues still, is largely and conveniently out of the US and international media spotlight. So, too, the continued Iranian arming of Hizballah and Hamas terrorists.

Iranian Katyusha rockets and launchers used against US forces in Iraq? Not so much. Pesky little thing, that. But it will be long forgotten by the time President Obama's self-declared Italian G20 deadline gets here. After all, there's a non-negotiable nuclear program for White House wordsmiths to attempt to negotiate away upon a grand and prestigious international stage, with cameras, writers and perhaps the making of a legacy. So enticing.

But it's not the potential for nuclear weapons that is at the heart of the threat, real or imagined. It's the nature of the regime.

It's the terrorism, stupid.
