
Informal Meetings Encourage Professional Networks

2014 February 22
by Jason Nairn, CPP, CISSP

Several years ago, a building in our jurisdiction received a suspicious package.  The package contained a copper tube with wires and a switch.  When it was received in a political office, the aide opening the mail dropped the package, screamed, and ran.  The device was on the floor of the lobby, and an emergency was declared.  The call came in as a “credible code B” – bomb.

The response included a unified command consisting of state and local law enforcement authorities.  The bomb squad was called, the package was x-rayed, and it was removed by robot.  During the procedure, the building was partially evacuated: the first two floors were evacuated and the remainder of the building sheltered in place, because the upper floor stairwells emptied into the danger zone.  After a couple of hours, the issue was resolved.  The device was inert.

Later that day, while everyone was calming down, we received word that the same device had been delivered earlier to another building in the same city, and that the security team there had investigated the source and interviewed the sender.  They had all of the information necessary to avoid the extensive response that occurred in our building; what was missing was the urge to communicate.

Immediately following this incident, our team established a group that we call a Regional Security Network.  The purpose of the group was to ensure that all security stakeholders in our area know each other, have each other’s contact information, and therefore have reason and capability of reaching out if something comes up.  This group was to meet quarterly, and originally included representatives from seven (7) law enforcement agencies.

That was in 2005; today the group has over forty (40) members and continues to meet quarterly.  As the purpose of the group is strictly networking, there is no agenda, ever.  The meetings are held for the purpose of meeting colleagues new and old, and discussing whatever is on the minds of participants.  Today, the members range from state and local law enforcement to colleges and universities.  Corporate security and risk managers mix freely with police officers, chiefs and sheriffs.  Here are five reasons these meetings are successful:

  1. The Goal is Simple and Straightforward – Keeping the goal simple, to network, ensures that all members understand clearly the purpose of meetings.  There is no question of value or purpose, which, sadly, is not the case for most meetings these people attend.
  2. The Meetings are Kept Informal – The rule is “come if you want, don’t if you can’t, and come as you are”.  The group’s members work various shifts.  Some come in plain clothes, some in suits, some in shorts, some even come on their day off!  They know that no matter what, their peers will not question them, since it is made clear that the meetings are informal and optional.
  3. There is Good Food, Always – Nothing lubricates the talk like good food.  Nothing fancy, Panera Bagel Packs work great for early morning meetings.  Make sure there is coffee and bottled water and you have everything you need to keep your guests comfortable.  When they are comfortable they share and get to know each other.
  4. We End on Time – If everyone has had the chance to talk, and there is nothing more to say, end the meeting.  Don’t keep busy people captive.  When the value is over, so is the meeting.  Always make time for the stragglers though because those tidbits that are mentioned on the way out are sometimes most important.  “Hey, by the way…”
  5. We Use A Big Screen – Often the group discusses things that have happened or things they have seen.  They like to share pictures or news articles and discuss them.  If you can, provide a way for your guests to see pictures or news articles on a screen in the room.  It encourages the discussion and helps everyone understand the issues.  You can also put up helpful documents and reports that can be shared.  The next step is to develop easy ways for guests to share from their mobile devices.  We are not there yet but hope to be soon!

That device was not a bomb, yet a notable amount of resources was deployed to respond.  Starting these meetings was a direct result, and the reward has more than paid back the expense of the original event.  Subsequent incidents have been more efficiently addressed, or even avoided, thanks to this group.

By the way, the device turned out to be a “healing device” designed to cleanse the blood using the copper and a magnetic current, similar to those golf bracelets.  It sure looked like a pipe bomb; fortunately the only explosion that resulted was in local agency cooperation.

What Has Been Accomplished? – The National Infrastructure Protection Plan

2014 February 18
by Jason Nairn, CPP, CISSP

I am starting a new category on this blog entitled “What has been accomplished?”  It is a question that I don’t believe we ask enough in the homeland security enterprise.  In this series, I intend to ask homeland security leaders and professionals at all levels, as directly as possible, what has been accomplished via the various HLS programs.  To kick off the new series, I asked a question that I have been wanting to ask since last year’s State of the Union when President Obama announced an update to the National Infrastructure Protection Plan (NIPP).  That is, “How has the NIPP made us safer?”  I was recently presented with the opportunity to ask the leadership of DHS’s Office of Infrastructure Protection.

DHS has been rolling out the updated NIPP and kicked off the roll-out with a national conference call.  During the call they had a question and answer session.  I queued up but was not able to ask my question during the live session.  However, they accepted email follow-up questions and I sent in mine.  I received a written response.  Here is a verbatim copy of my email to DHS:

Thank you for the call this morning, and congratulations on the completion of the NIPP 2013 update.

As a practitioner and professor of homeland security, my question is:

What do you believe is the most significant accomplishment of the NIPP thus far, in the enhancement of our national security?

Thanks in advance.

I felt it was important, rather than to ask what has been accomplished and get any number of broad and nebulous responses, to ask for one significant accomplishment.  I am not sure if that was a better plan or not.  Here is the response:

Thank you for your interest in NIPP 2013.

The most significant accomplishment of the NIPP program thus far has arguably been the establishment of the critical infrastructure public-private partnership and its subsequent activities to secure and strengthen the resilience of critical infrastructure.  The effort to reduce critical infrastructure risk has been a joint voluntary undertaking between critical infrastructure partners in all levels of government and the private sector. The critical infrastructure partnership is the primary mechanism for promoting and facilitating sector and cross-sector planning, coordination, collaboration, and information sharing to manage risks to critical infrastructure. A 2013 evaluation of the critical infrastructure partnership, conducted in response to Presidential Policy Directive 21, validated the current structure of the partnership at the national level and made recommendations to enhance and expand partnership activities at the regional and local levels.

I found this to be a very predictable, canned response, and one that makes little sense to me.  The first sentence basically says “all the meetings we had and all the stuff we did is our most significant accomplishment”.  Then they point out that the partnership “is the primary mechanism for facilitating sector and cross-sector planning, coordination, collaboration, and information sharing to manage risks”.  I understand the value of public-private partnerships, but did any of these things actually get accomplished?  I was hoping for tangible examples of risk reduction that are a direct result of the NIPP.  Surely the mechanism for accomplishing the goals isn’t the goal.  Is the greatest accomplishment of the NIPP the fact that the participants got to know each other?  Perhaps that is an accomplishment, as I am acutely aware of the importance of personal networks.  If so, is the NIPP and all of its associated complexity the best way to forge public-private partnerships?  As I mentioned, the response seems scripted, which I should have expected.  But it raises more questions than it answers about the impact that the NIPP is having on our security.

What do you think?  Leave a comment and let me know.

Five Ways Homeland Security is All About Networks…

2014 February 15
by Jason Nairn, CPP, CISSP

I have not been sufficiently active in creating content for this blog, and working and teaching have left little room for blogging lately.  I was sensitive that (both of) my readers were likely giving up on HLSR, so I thought it was high time to get back to blogging, and to redesign the site to reflect what I think is a key to understanding homeland security in today’s world: understanding the importance of networks.

Of course terrorist networks are important in homeland security, but they are just one example of the role of the network in the lives of homeland security professionals.  Here are five ways that homeland security is all about networks:

  1. Informal Personal Networks – If there is one thing I have learned in my years as a homeland security practitioner, it’s that things get done, emergencies are responded to efficiently, and intelligence is shared through informal networks.  Understanding the importance of the informal network is key to the success of any HLS professional.  Find ways to encourage informal networks and it will pay when it counts…
  2. Computer Networks – If you follow the money and energy in homeland security, and I know you do, then you know that both are currently in cyber security.  Terrorists and others are attacking the homeland in many sectors via computer networks.  To stay in the game, every homeland security professional must have at least a basic knowledge of computer networks.
  3. Critical Infrastructure Networks – Everything in the world that matters is now part of a network, linked together via the Internet and controlled remotely via SCADA or other systems.  Understanding the threat and vulnerability of critical infrastructure means understanding the networks that control that infrastructure.  Additionally, many CI/KR are networks themselves.  Homeland security professionals must focus on the critical nodes of these networks, since we don’t have the resources to protect it all.
  4. Social Networks – Homeland security professionals no longer have to wait for a national intelligence estimate to find out what is going on around the world.  Operations centers in the public and private sector now have active social network monitoring capabilities to provide leaders with real time information about issues that matter to them.  Understanding social networks and tapping into them provides the professional with tools we could only have dreamed of even a decade ago.
  5. Criminal and Terrorist Networks – Law enforcement officers now have tools on their smart phones that provide them with real time information about individuals and their network affiliations.  These tools are changing the face of law enforcement.  Intelligence analysis formerly done at headquarters behind closed doors is now being done in the field instantly.  Intelligence and information are readily available in apps downloaded and shared among officers, sometimes informally.  These technologies provide new tools for crime fighters, but also push the envelope in the area of constitutional rights and privacy.  Understanding these trends and the associated legal, moral and civil rights issues is essential for current and future agency leadership.

Successful homeland security professionals will understand the role of networks, and therefore will study tools to better leverage them.  There are tools available that take advantage of the power of the network.  Homeland security professionals that are students of networks will lead us to a secure future.

On the Need for a New Diplomatic Dimension for Cyberspace

2013 September 15
by Jason Nairn, CPP, CISSP

In the wake of Mandiant’s APT1 report and in the midst of the Edward Snowden affair, it has become increasingly apparent that cyber diplomacy is something different from traditional international statecraft, and that the current diplomatic model is not sufficient.  Countries of the world, including and especially the United States, are attempting to manage cyber-related issues via existing diplomatic fora, using existing diplomatic resources.  The results are predictably disappointing, since cyberspace rarely conforms to the traditional business models of the 20th Century and before.

In June (2013) the State Department issued a press release to announce the United States’ concurrence with the findings of the United Nations’ Group of Governmental Experts on Cyber Issues regarding the effective applicability of the UN Charter and international law to cyberspace.  Little attention was paid to the announcement, but its significance should be noted.  The overlay of existing international law and pre-cyber landscape charters is convenient (easy), but will not conquer the wicked problems of today and certainly not tomorrow.  The ability to be engaged in a cyber war with a country in the virtual world while simultaneously maintaining “normal” diplomatic relations in the “real world” cannot be addressed by current standards.  This is the state of affairs today, as the Mandiant report illustrates.  Yet, as normal diplomatic procedures require careful rapprochement, diplomats dance the dance and each party avoids discussing the issue directly while business interests are drained of their intellectual property like a water park after Labor Day.

The answer is not the United Nations or governments, which is why the problem may never be solved adequately in the current generation.  What matters in the networked world is data and infrastructure, and threats and vulnerabilities.  Nations are data owners (or at least holders), but so are companies, groups and individuals (like Snowden (he’s currently a holder)).  Nations also own infrastructure, but so do the private sector entities which own, for instance, the end user interface and telecommunications infrastructure.  A forum must be established where these stakeholders can operate on more of an equal footing, where countries are considered stakeholders just like the companies that own the networks on which they ply their trade.  The solution lies in a new dimension, one that is not formed in the crucible of the United Nations but is rooted in the networked world in which it must operate.  The management of our global network must be something complex and wonderful like the internet itself, where the power is held in the hands of those with the knowledge, information and interest to influence the direction of the global network.  It must be dependent on self-organized criticality.

A continued insistence on the application of current diplomatic technology in cyberspace is likely to diminish the progress of the human race.  The evolution of the networked human will be slowed by the Dickensian chains of nation-based world order.  The so-called “Arab Spring” provides evidence that the youth of the world with access to today’s technology cannot be satisfied when burdened by the constraints of national governments unwilling to free them to take full advantage of a networked Earth.  While the former generation’s power brokers attempt to make these disturbances about political and religious issues (because that is what they know), the heart of the issue is really growing pains.  We are evolving as a species faster than our organizational structure will allow.

A positive first step would be the recognition that national sovereignty is not a major factor in the future paradigm, and that the United Nations, which has failed to act promptly and responsibly to address conventional issues, is simply not equipped to manage the complexity of a networked solar system.

TSA’s Behavioral Profiling Program Takes a Hit

2013 June 6
by Jason Nairn, CPP, CISSP


Securing the homeland has its challenges, and few agencies are as maligned as the Transportation Security Administration (TSA).  Unfortunately, just as many security programs are judged by the first impression given by a security guard, TSA is often judged by its screening of shoeless airline passengers.  But TSA’s impact on homeland security is significant in many modes of transport.  TSA employs a number of technologies and techniques to ensure that individuals travel safely every day.  One of the more interesting and controversial is behavioral profiling.

In the media, profiling is often associated with traffic stops and ethnic groups.  But the use of behavioral profiling is a proven technique for early detection of potential bad actors.  Officers trained in the observation and detection of signs of suspicious behavior are deployed to observe patrons and single out suspicious persons for additional screening.  The technique is used in airports and other facilities around the world, and the Israelis are often cited as the experts in this field.  But TSA has, since 2007, been employing behavioral profiling techniques in some of the country’s largest and busiest airports, and thousands of passengers have been selected for additional screening using these methods.

A fascinating report was released this week by the Office of the Inspector General.  It is chock-full of very interesting information about the program, with a few redactions that deal mostly with force levels and screening selection criteria.  The report states that TSA has done a less than stellar job in managing the program.  According to the OIG, TSA has not effectively measured the effectiveness of the program, has not developed structured training, and has not created a strategy for further implementation or financial support.  The report got some attention and may hurt the program’s support in Congress.

This is a setback for this passenger screening technique.  Behavioral profiling is a force-multiplier.  It provides early detection, intercepting threats before they reach critical areas of critical infrastructure.  Further, Behavioral Detection Officers ease the burden on screeners, who have to manage long lines of impatient travelers, and cannot be as observant in their production environment.  The wider deployment of this technique could improve airport security without zapping every passenger with more non-ionizing radiation.  Now that all these details of the program are out on the web, and the media is perusing the report, perhaps TSA will commit the appropriate resources to managing the program effectively before Congress loses interest in funding it.


The Origin of “Terrorism”

2013 May 5
by Jason Nairn, CPP, CISSP

“Terror is nothing but justice, prompt, severe and inflexible; it is therefore an emanation of virtue.”

Maximilien Robespierre, Report on the Principles of Political Morality, 5 February 1794

Robespierre made the case that his régime de la terreur of 1793-94 was “virtuous” in its restoration of order after the French Revolution.  And it is from these beginnings, the “Reign of Terror”, that the term “terrorism” has its roots.  Since that time, the word has become a useful moniker to attach to those individuals, groups, or organizations that use fear and violence for political purposes, or that for political reasons need to be vilified.*

Robespierre believed that terror was the most effective method of ensuring virtue, and he would have defended his tactics eloquently and with an argument based in a scholarly study of government.  This is not meant as a defense of the Reign of Terror, but is intended to illustrate that as then, there is today little agreement on the concise definition of the word “terrorism”.  One man’s terrorist is another man’s freedom fighter, as they say.

Similarly, there is little agreement on the definition of “homeland security”.  While the federal act of the same name enacted in 2002 does provide a framework for defining the word in terms of the federal department, like “terrorism”, “homeland security” can mean different things to different people.  It is important to understand the meanings (or potential meanings) of words used in the homeland security enterprise not because they explain homeland security, but because they expose some of the wicked problems of homeland security.

* – For more on the origins of “terrorism”, I recommend Bruce Hoffman’s book Inside Terrorism, available here.

New Presidential Policy Directive 21 (PPD 21) “Kicks the Can” on Critical Infrastructure Protection

2013 February 20
by Jason Nairn, CPP, CISSP

On February 12th President Obama released Presidential Policy Directive 21 in conjunction with his State of the Union Address.  PPD 21 directs the Department of Homeland Security to work with critical infrastructure owners and operators, federal agencies that oversee critical sectors (SSAs, or sector-specific agencies), and State, Local, Tribal and Territorial governments (SLTTs) to protect critical infrastructure from attack or disruption.  The new policy recognizes the importance of cybersecurity in critical infrastructure protection, which the 2009 National Infrastructure Protection Plan does not address as vigorously.  It also establishes “national critical infrastructure centers” in the physical and cyber space designed to promote information sharing and collaboration.  Additionally, the policy orders the State Department to be engaged with DHS on issues of international interdependencies and multi-national ownership, growing concerns of the global economy.

But PPD 21 is just as interesting for what it includes that isn’t new, and much of it is not new.  It raises several questions about what progress has been made over the past 5-10 years, and why the Obama Administration feels the need to reset the timer.

For example, PPD 21 requires DHS to “identify and prioritize critical infrastructure” as an “additional role and responsibility”.  But DHS has been doing this for years.  In 2003 I received a phone call from a DHS contractor.  As coordinator of state-owned infrastructure, I must have made some list of contacts given to a (probably Booz Allen) contract DHS employee.  I was asked a series of questions regarding critical infrastructure in my jurisdiction.  The information was needed, according to the contractor, because the Department of Homeland Security was compiling a state-by-state list of critical infrastructure.  In the years since, I have submitted revisions and updates to my “Tier 1 and Tier 2” lists of sites.  The Government Accountability Office (GAO) describes this process this way in a 2010 report:

“The process of identifying these nationally significant assets and systems is conducted on an annual basis and relies heavily on the insights and knowledge of a wide array of public and private sector security partners. CIKR categorized as Tier 1 or Tier 2 as a result of this annual process provide a common basis on which DHS and its security partners can implement important CIKR protection programs and initiatives, such as various grant programs, buffer zone protection efforts, facility assessments and training, and other activities. DHS has other tiered categories of infrastructure whose destruction or disruption would not have a significant national or regional impact, though local impacts could be substantial.”
GAO-10-296 Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience

DHS’ “additional roles and responsibilities” also include the development of vulnerability assessments on CI/KR, which they have also done for years via their Protective Security Advisors.  These efforts are aimed at meeting the risk management goals of prioritization and the establishment of resource allocation priorities via programs such as the Buffer Zone Protection Program.  The list of “additional roles” within PPD 21 for DHS goes on to include providing informational support, coordination with Federal departments on prosecutorial issues, and mapping.  All of which are old news.

PPD 21 does little to enhance the CI/KR resilience programs already in existence.  And while movement toward cybersecurity and a nod to the national continuity directives are helpful, they are also kind of obvious.  These are simple adjustments not grand new (State of the Union announcement!) plans.  It will be interesting to see what comes of the “national critical infrastructure centers”, and we look forward to reading the annual reports.  But in the end, PPD 21’s most significant contribution to improving the National Infrastructure Protection Plan might be the removal of the National Monuments and Icons and Postal and Shipping sectors.  No one was quite sure what to do with those.  Make Mount Rushmore more resilient or teach UPS how to manage emergencies?

New Congressional Report: Homeland Security Still Not Defined

2013 January 28
by Jason Nairn, CPP, CISSP

We have said here that we are not quite sure what “Homeland Security” is, particularly at the local level.  Now a new report from the Congressional Research Service (CRS) says that ten years after the 9/11 attacks the federal government still does not have a concise definition for homeland security. The brief report is unambiguous as it points out the strategic repercussions of the lack of agreement on the scope and function of homeland security. Consider this passage from the report’s summary:

“Varied homeland security definitions and missions may impede the development of a coherent national homeland security strategy, and may hamper the effectiveness of congressional oversight. Definitions and missions are part of strategy development. Policymakers develop strategy by identifying national interests, prioritizing goals to achieve those national interests, and arraying instruments of national power to achieve the national interests. Developing an effective homeland security strategy, however, may be complicated if the key concept of homeland security is not defined and its missions are not aligned and synchronized among different federal entities with homeland security responsibilities.” (p. 2)

The report discusses the evolution of the homeland security enterprise in the various strategies and reports that have been published since 2001 and discusses the implications of the lack of consistency on the nation’s overall homeland security strategy. A highlight of the report is a useful table on page 8 entitled “Summary of Homeland Security Definitions”. It provides an overview of the pertinent homeland security strategic plans and their associated definitions for “homeland security”. This table should be required reading in every Introduction to Homeland Security course.

An opportunity exists to augment this report by discussing the implications of homeland security ambiguity to state and local governments, universities and the private sector. States and local governments must implement programs related to homeland security in support of the national effort. State and local government officials need a thorough understanding of the stated goals of homeland security in order to provide that support. Further, colleges and universities are developing programs that provide degrees in homeland security. Without a clear understanding of what homeland security means, it will be difficult to fully prepare the next generation to fill strategically important roles in the enterprise. And businesses across the country are developing products and services to serve a discipline that could stimulate the economy. But to be successful these businesses need clarity of the mission.

The essential problem is summarized very concisely in the following passage from the analysis section of the report:

“Homeland security is essentially about managing risks. The purpose of a strategic process is to develop missions to achieve that end. Before risk management can be accurate and adequate, policymakers must ideally coordinate and communicate. That work to some degree depends on developing a foundation of common definitions of key terms and concepts. It is also necessary, in order to coordinate and communicate, to ensure stakeholders are aware of, trained for, and prepared to meet assigned missions. At the national level, there does not appear to be an attempt to align definitions and missions among disparate federal entities. DHS is, however, attempting to align its definition and missions, but does not prioritize its missions; there is no clarity in the national strategies of federal, state, and local roles and responsibilities; and, potentially, funding is driving priorities rather than priorities driving the funding.” (p. 13)

Our compliments to the CRS and analyst Shawn Reese for a hard-hitting report that doesn’t mince words. We at Homeland Security Roundtable hope it gets the attention it deserves.

“Cybersecurity Is the New Homeland Security”

2012 November 4
by Jason Nairn, CPP, CISSP

MS-ISAC Dashboard (http://msisac.cisecurity.org/apps/dashboard/)

In a recent conversation with a state/local homeland security professional, a discussion about the relationship between cybersecurity and homeland security began with a compelling story about the early days, when homeland security was just emerging from the ashes of 9/11.  Tom Ridge was, like William “Wild Bill” Donovan in the early days of WWII, building a new government agency to defend the country.  White powder near the coffee maker or on the table where the powdered donuts were eaten yesterday was resulting in calls to 911.  And concepts like “critical infrastructure protection” and “public-private partnerships” were becoming popular priorities…

“…I was appointed my agency’s representative on our state’s “homeland security task force”, so I was doing that plus my regular job which at that time hadn’t changed much.  I remember clearly getting an email (back in those days I didn’t get as many so I could actually remember them).  The email said that my agency was being awarded a grant of $100,000.00 for homeland security projects.  Just like that.  Here’s a hundred grand.  Spend it.  A few years later I applied for and was awarded over $2 Million in one year for my agency’s projects.  Then we had a process but it was manageable.  A couple of years after that, the process started getting heavy.  Lots of red tape, lots of detailed submittals.  And there was more competition and a rigorous application and selection process.  Around 2008 it began to get downright difficult to find time to get the regular job done.  Now, the money is almost non-existent, but the hassle remains and then some.  So if you want to know what is keeping us from pulling out of the homeland security enterprise altogether, I’ll tell you.  First, we want to remain at the table and have access to collaborative opportunities and information.  Second, cybersecurity.  Our networks are being attacked all day every day and our systems are vulnerable.  Cybersecurity is the new homeland security and we are afraid of missing out on opportunities to get help.”

The phrase “cybersecurity is the new homeland security” was the impetus for a brainstorming session that resulted in the following five ideas or concepts associated with the relationship between cybersecurity and homeland security.  We did not necessarily set out to answer any questions or decide on any outcomes, but we found the conceptual discussion provided great opportunities for research and discussion:

  1. Cybersecurity is a Part of Homeland Security – Cybersecurity may be a part of one sector of the homeland security enterprise.  In the National Infrastructure Protection Plan it would likely fall somewhere within the Information Technology sector.  However, if that is true, it may currently be the only sector that matters.  Toss out the sectors that haven’t been attacked today, or this week, or this month, and you are left with IT.  And with all of the other sectors relying on IT systems to operate, why do we need the rest of the plan?  (It’s a conceptual question.)
  2. The Bad Guys Are in Cyberspace – With drones buzzing overhead waiting for the bad guys to look up or, worse, make a phone call, what better way to keep up the attack on the US than staying underground and anonymous.  No need to go to the airport with a thousand cameras watching your every move.  The Israelis have you profiled before your bags are out of the trunk.  Just pick a cool online handle and bounce your IP through Iran.  You’ll be probing US drinking water systems or the power grid by lunch.
  3. Cyberspace is All-Hazards – A few years into the homeland security enterprise, “all-hazards” became a buzzword.  It was followed by “resilience” and the current “whole community”.  But homeland security should be an “all-hazards” enterprise, and cybersecurity certainly fits the bill.  Cyberspace is rife with not just terrorists but, more abundantly, everyday criminals.  Cybersecurity offers an unparalleled opportunity for the all-hazards approach, and any agency involved in cybersecurity operations must operate to root out crime and terrorism.  That’s worth funding with grants.  And that’s why Director Mueller is focused on cyber.
  4. Homeland Security is Still Vague and Nebulous, Cybersecurity is Not – We know it is a recurring theme here at HLSR, but we still don’t completely understand what “homeland security” really entails or how well most homeland security degrees prepare students to enter the workforce.  However, give me a BS in Network Security from an accredited school and I’ll give you a job.
  5. The Energy and Excitement Factor – The energy and excitement is in the cybersecurity area today, just as it was in the homeland security area in 2002.  However, the trends all point to a longer and more drawn-out fight in cyber as computers become more and more a part of everything we do; cybersecurity may outlive homeland security.  One litmus test is, “What is Congress currently unable to agree upon?”  They have most recently been unable to pass some much-needed cyber legislation, so states are getting more involved.  That means that, whether Congress acts or not, lots of energy, excitement, money and jobs are in the field of cybersecurity, while the Homeland Security Grant Program fizzles and the Urban Area Security Initiative downsizes.

We’re not giving up on homeland security, and an “all-hazards”, “resilient”, “whole-community” approach is necessary in the long term.  Tactics will evolve and too much focus in one sector will surely leave us vulnerable.  But there is no denying the fact that thousands, probably millions of attacks occur daily on US infrastructure via the computer networks.  If the Department of Homeland Security truly focuses on risk, there will be a laser focus on cybersecurity for years to come.

The Next War

2012 September 21
by Scott Winegar
“This is the way the world ends. Not with a bang but a whimper.”
~ T.S. Eliot, The Hollow Men

_________________________________________________

“Portland Tower, NW flight 337 heavy”

“Flight 337, Portland Tower”

“Portland Tower, flight 337, we are experiencing instrument inconsistencies. Could you give us your read on our altitude and location?”

“Flight 337, are you declaring an inflight emergency?”

“Negative Portland, we just want to validate what our instruments are telling us.”

“Flight 337, we have you at 4-7-thousand about 100 miles west of Boise, at 490 knots.”

“Portland, be advised, we will need your assistance until otherwise notified. Instruments have us at mach 3 entering Canadian airspace.”

Not the only problem noted, but one of the first recorded.  Aircraft throughout the west coast began reporting similar instrument failures.  The air traffic controllers quickly pushed the issue up the chain, and the FAA, in consultation with DHS and the President, grounded all flights over California, Oregon, Washington, Idaho, Montana, Utah, Arizona, Nevada, Alaska and Colorado.

Verizon, AT&T, and Sprint became flooded with notices that cellular phones were inoperative.  All carriers received similar reports.  The same collection of western states was now plagued by a lack of wireless service, and land-based communications were soon overwhelmed.

Many hospitals began reporting that their medical paging systems were no longer operational.  ATMs all over the west coast were no longer willing to dispense your hard-earned cash.  The ports of Los Angeles, Long Beach, San Diego, Seattle/Tacoma, and San Francisco lost the ability to track ship traffic, and cargo had to stay at sea while a low-tech solution was used to allow ships to safely enter and leave the ports.  Shipboard gyroscopes were giving ships’ navigators inaccurate readings, as the gyros are calibrated using GPS.  Many cargo ship captains chose to stay far out at sea for fear of hitting other vessels.  Collision avoidance regressed to visual spotters and binoculars.

Rail traffic slowed to 10% of capacity, as the presidentially mandated Positive Train Control (PTC) system caused collisions and near collisions by reporting train location data incorrectly.

Rolling blackouts began to occur as electrical grid operators were no longer able to synchronize power with other grid dwellers.  To make matters worse, some of the smaller electrical suppliers began suffering Aurora Vulnerability failures.

Likewise, water and sewer operators began suffering catastrophic failures of large electric pumps, again from the Aurora Vulnerability.  Domestic water service was spotty, and wastewater systems fell back on emergency overflow plans, causing contamination and potential disease issues.

Industry officials reported that the software addressing Rockwell International programmable logic controllers (PLCs), the most common PLC in use in America and commonly used in SCADA (supervisory control and data acquisition) systems, had malfunctioned.  The result was physical destruction of the pumps and generators.

Social media spread the word about inaccessible ATMs.  By the time banking hours rolled around, people fearing the loss of ATM access to their cash began withdrawing large sums.  Retailers started moving toward cash-only transactions.  Civil disturbance became a potential issue for local law enforcement.

The military began a flurry of activity to mitigate the impact of these occurrences on its power projection capabilities.  A Power Projection Platform (PPP) is “an Army installation that strategically deploys one or more high priority active component brigades or larger and/or mobilizes and deploys high priority Army reserve component units.”  This disruption took out the PPPs at three key locations: San Diego, Tacoma, and Colorado Springs.  Even the remaining 12 platforms were degraded, as the cascading effect of crippled west coast rail traffic slowed rail traffic to east coast sea ports.

The Air Force was concerned about air sovereignty for a significant portion of the US land and sea border.  The Navy was repositioning ships, but cautiously, due to the increase in directionless cargo ships.  As the military scrambled to find answers, they discovered that the signals of five (5) GPS satellites had been “spoofed”, corrupting the timing derived from the satellites’ internal atomic clocks.  The result was inaccurate positioning data.  Much worse, the GPS clock data is used for cell phone tower coordination, electrical grid synchronization, gyroscopic system validation, stock market fraud prevention, and many other infrastructure systems.  Just knowing you are being spoofed does not provide immediate relief.  Since the GPS signal is spoofed after it leaves the satellite, the fix is not at the satellite.  The spoofing has to be stopped.

Once news of the spoofing leaked out, unscrupulous stock traders tried to exploit the time inaccuracy to make advantageous stock purchases.  If you know in advance that a stock is going up, and you can use the time inaccuracy to “back-date” your purchase, you win every time.  The New York Stock Exchange closed until the vulnerability could no longer be exploited.

The net result was economic crisis, transportation gridlock, much of the west coast population challenged by a lack of water, power and sewer service, degraded military capability, a crippled supply chain, disrupted crop cycles (irrigation), and no capacity for just-in-time delivery of perishable commodities.

___________________________________________________________________________________________________________

In designing this scenario, I limited myself to existing technology, capabilities, and conditions.  I have cited references for those who disbelieve or want more information.  An attack of this magnitude would require the sophistication and resources of a nation state.  I assert this is the same formula that describes the Stuxnet attack on the Iranian nuclear centrifuges.  The technology in the scenario already exists and is, generally speaking, readily available.  One of the additional advantages of a cyber-based attack is that none of the cited technologies allows for easy attribution.  Against whom do we retaliate?

GPS spoofing has already occurred, both intentionally and unintentionally.  Allegations were made that North Korea jammed the GPS signals near the North/South border.  Although denied by the North, the following advisory was issued to pilots operating in the area:

CAUTIONARY INFORMATION FOR AIRCRAFT OPERATING IN INCHEON FIR:

PILOTS HAVE REPORTED THAT GPS SIGNALS ARE UNRELIABLE OR LOST INTERMITTENTLY IN INCHEON FIR.

EXERCISE EXTREME CAUTION WHEN USING GPS. 28 APR 00:32 2012 UNTIL 03 MAY 15:00 2012 ESTIMATED.

CREATED: 28 APR 00:34 2012. 

Of course the criminal element would not want to miss out.  Here is a quote describing the economics of GPS spoofing: “Criminals could also spoof GPS timing for profit. The US National Association of Securities Dealers requires financial traders to time-stamp transactions with an accuracy of within 3 seconds. ‘The bad guys would spoof the timing at their preferred site and, watching an upward trend, buy stock a few seconds in arrears,’ says Humphreys. ‘Those three seconds could be worth a lot of money.’”

Another GPS disruption impacted the San Diego area.  Traced to a US Naval exercise, it impacted GPS navigation, ship tracking, ATMs, cell phones, and emergency medical paging.  GPS jamming on a smaller scale is both cheap and easy, thanks to internet retailers.  Truck drivers who don’t want their bosses to know where they are can jam the signal coming from their truck.  Some toll roads use GPS as part of the toll system.  Jammers can provide a free pass through the toll gate.

We have become very reliant on GPS, not just for navigation, but for that precise internal atomic clock that is necessary for GPS to work.  The technologies that rely on that clock are varied. For example, the ability of electrical grid operators to synchronize the electricity on the grid from multiple generation sources is essential for inter-system electricity distribution.  This synchronization is done with GPS.
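The controller in the opening scenario catches the spoof by hand, comparing the aircraft’s GPS-derived position against radar, and the quote above gives the 3-second timing tolerance that matters to traders.  As an added example that is not part of the original post, the following Python monitor automates both cross-checks: it flags a GPS fix whose clock diverges from an independent reference by more than 3 seconds, and a fix whose implied ground speed is physically impossible.  The independent reference clock, the 700-knot speed ceiling, and the sample fixes are constructed assumptions.

```python
import math
from dataclasses import dataclass

# The 3-second tolerance comes from the post (NASD time-stamp accuracy); the
# speed ceiling is an assumption for a subsonic airliner, not a real limit.
MAX_CLOCK_DIVERGENCE_S = 3.0
MAX_PLAUSIBLE_SPEED_KT = 700.0
EARTH_RADIUS_NM = 3440.065

@dataclass
class Fix:
    gps_time: float  # seconds, as reported by the GPS receiver
    ref_time: float  # seconds, from an independent clock (holdover oscillator or NTP; assumed)
    lat: float       # degrees, as reported by the GPS receiver
    lon: float       # degrees, as reported by the GPS receiver

def great_circle_nm(lat1, lon1, lat2, lon2):
    """Haversine distance in nautical miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def implied_speed_kt(prev, cur):
    """Ground speed implied by two consecutive fixes, timed by the trusted reference clock."""
    dt_h = (cur.ref_time - prev.ref_time) / 3600.0
    if dt_h <= 0:
        raise ValueError("reference time did not advance between fixes")
    return great_circle_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h

def check_fixes(fixes):
    """Return (index, reason) alerts for every fix that fails a plausibility check."""
    alerts = []
    for i, fix in enumerate(fixes):
        # Check 1: GPS-derived time against the independent reference clock.
        if abs(fix.gps_time - fix.ref_time) > MAX_CLOCK_DIVERGENCE_S:
            alerts.append((i, "clock_divergence"))
        # Check 2: the distance covered since the previous fix must be achievable.
        if i > 0:
            try:
                if implied_speed_kt(fixes[i - 1], fix) > MAX_PLAUSIBLE_SPEED_KT:
                    alerts.append((i, "implausible_speed"))
            except ValueError:
                alerts.append((i, "non_monotonic_time"))
    return alerts

# Constructed sample: one-minute fixes for a flight west of Boise at roughly
# 490 kt, after which the GPS position leaps northward and its clock runs ahead.
SAMPLE_FIXES = [
    Fix(gps_time=0.0, ref_time=0.0, lat=43.60, lon=-118.20),
    Fix(gps_time=60.0, ref_time=60.0, lat=43.60, lon=-118.01),
    Fix(gps_time=120.0, ref_time=120.0, lat=43.60, lon=-117.82),
    Fix(gps_time=185.0, ref_time=180.0, lat=44.10, lon=-117.30),  # spoofed fix
]
```

Running `check_fixes(SAMPLE_FIXES)` flags only the last fix, for both the clock offset and the impossible speed; the first three fixes pass because their implied speed is close to the 490 knots the tower reports.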

There is a system that provides an alternative to GPS navigation.  Called eLORAN, it is still used in many countries, but it is being abandoned in the US, leaving us no alternative to GPS.

GPS is also an essential part of the Positive Train Control system (PTC). The Rail Safety Improvement Act of 2008 (RSIA) (signed by the President on October 16, 2008, as Public Law 110-432) has mandated the widespread installation of PTC systems by December 2015.

Let us not forget that many of the precision weapons the military now uses rely upon GPS to ensure they hit the right target.  These include several of our rockets, bombs, and torpedo systems.  Spoofing the GPS would render these weapons inaccurate, and thereby mostly unusable.  Viewed from a cost-benefit perspective, the US spends about $18,000 for each of a particular kind of GPS-guided bomb.  Imagine how many cyber hackers can be trained for that same $18,000.  Multiply that by an order of magnitude in the thousands, and you can see the advantage for the developing nation.  Buy one bomb versus train and employ a team of hackers.

And finally, the scenario’s PLC attack is an echo of what was seen with the Stuxnet worm.  After Stuxnet was isolated and identified, the rest of the world (i.e. those not responsible for its creation) was able to learn of its etiology.  Stuxnet was designed to find a specific type of Siemens controller that the Stuxnet creators knew was being used in Iran to control their nuclear centrifuges.  Although Siemens has much of the market worldwide, Rockwell International is very common in the US market. Now that Stuxnet is out in the wild, it would be easier for an antagonist nation to reverse engineer the capabilities of Stuxnet, and point them at the programming for a Rockwell control.  If this worm could be used to knock the power out of phase for a larger electric motor or generator, then you get an Aurora Vulnerability.  Like the Stuxnet attack in Iran, an Aurora Vulnerability causes physical destruction of the asset, not just destruction in the virtual world.

Although there is nothing available that specifically tells the story of how Stuxnet got into the Iranian centrifuge control system, it might be relevant to point out that the Iranian system is “air gapped”, which means that it is not directly connected to any external network, including the internet.  Using an air gap is a common method of foiling internet-based intrusions.  To illustrate the vulnerability, refer to an experiment conducted by DHS.  This experiment was designed to see what government employees would do if they found a disc or USB memory stick in their parking lot.  60% of employees plugged the found device into their work computer.  If the device had an official seal on it, that number rose to 90%.  Keeping this study in mind, how hard would it be to infect the host network (i.e. the municipal network, the company network)?  Once the common network is infected, how long would it take before someone crossed the air gap with a now-infected USB device, or how long before the laptop used on the common network is later used on the control network?  Before you know it, the worm is in the control system, awaiting action.

America is the only remaining superpower in the world.  As a result, it would be foolhardy to attack the US with traditional tools of war.  Our enemies already recognize this, and are planning accordingly.  The scenario outlined here does not require jet fighters, destroyers, helicopters, technological superiority, or even rifles.  The war begins without firing a single shot.