Category Archives: Opinion

China Charts Plan for Tech Self-Sufficiency

China’s policymaking body, the Central Comprehensively Deepening Reforms Commission (I did not make up this name), approved a plan yesterday for developing home-grown science and technology with an eye toward self-sufficiency.

According to a press release by the state-run news agency, Xi said that while China has made substantial progress in trying to develop its science and technology sectors, they are still struggling. Which means that stealing intellectual property from the West is still critical.

And what are they trying to focus on?

Artificial intelligence and quantum computing.

This comes as Biden continues to tighten the screws on the Chinese tech sector, adding another dozen Chinese companies to the Entity List, which bans US companies from selling to them.

China’s vice premier wrote an article for the People’s Daily yesterday saying, using a lot of words, that innovation is critical. Since Xi said that they are still challenged at doing that, it is pretty clear what the alternative is.

China, of course, is not pleased that more companies have been blacklisted, but my guess is that asking us to un-blacklist them will not produce results for them.

Based on this, expect more espionage – both by breaking into US company networks and by planting insiders inside targeted companies. Also expect them to continue to expand the Thousand Talents program.

All in all, this means that US companies with critical tech need to stay on their toes. If you think your tech is important, so does China, and they are very motivated to steal it. Likely they will do it very quietly so that you don’t even know that you have been hacked.

Credit: The Record

US Wired Broadband Ranks Right Behind Moldova

I often say that the US Internet access ranks right up there with many third world countries. Now I have the data to prove it.

Ookla, the company that makes and runs the SPEEDTEST software, reports every month on Internet speed around the world.

This year, in the wired category (the kind you likely have at home and in the office) we rank 14th, right behind Moldova. And behind Hungary. And behind Romania.

By the way, I had to look up Moldova. It is between Romania and Ukraine.

In the mobile wireless category (like you get on your phone), we are curiously also ranked 14th. That puts us behind countries like Bulgaria and Cyprus.

Contrary to those commercials that you see on TV, our average wireless speed was 91 megabits. That is a little different from those gigabit speeds that they claim in TV ads.

On the wired side, our average speed was 195 megabits, or about double the wireless speed.

In the US, we haven’t invested much in fixed broadband infrastructure, which is why we rank behind Moldova. It is also because we have very little competition for Internet service, which means providers don’t have to invest in improving service. After decades of being asleep at the wheel, the FCC is starting to wake up about regulating telecom, but you have to remember that the last FCC chairman used to be a lobbyist for one of the large telecoms (the one that starts with a V).

Likely, these numbers are going to get worse.

Overall, the global mobile download speed jumped 60% since last year and the fixed download speed jumped 32%. Did your Internet speed increase by 1/3 or 2/3 last year? Mine did not jump by anything.

We say that we want to compete with countries like China, but China ranked #4 in wireless speed. Their push is all wireless; their wired speed was #17.

I am fine if the US wants to push wireless but that is going to take a huge investment. It probably makes sense for the US to have a hybrid approach where we mix wired and wireless.

Millions of Americans have no access to broadband Internet. I live just outside of Denver, and the fastest Internet that is available to me just barely qualifies as broadband under the FCC definition. If they raise the standard, then I will have no access to broadband.

83 million Americans have only a single option such as Comcast.

Millions more still have access only to slow DSL-based Internet.

Carriers such as AT&T are abandoning their DSL-based Internet service and not replacing it with anything, leaving those users, usually in poor neighborhoods, without Internet.

How does that work in a world of remote learning and work from home?

It is possible that people are not buying the fastest service the carriers offer and that is affecting the result, but that brings us to price where the US is really expensive compared to the rest of the world.

If you really want to get depressed, the US ranked 21st out of 26 countries tracked BY THE FCC in both standalone fixed broadband price and in mobile broadband price. That is, apparently, normal for us. Credit: Vice

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well-known defense contractor in DC, was hit by a ransomware attack. The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:

[Image: ewa-ransomware.png]

The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc., EWA Technologies Inc., Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue. As I write this, the EWATech website does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Seadragon breach.  This makes them look even more incompetent.

DoD contractors are required to notify the Pentagon within 72 hours of a breach.  Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us to the Pentagon’s efforts to require defense contractors to get an independent, third-party cybersecurity certification called CMMC. Would a certifier have discovered a problem which allowed this to happen? Assuming the Pentagon is in the middle of this investigation, we may never hear. But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military – this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.


Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read them and another 13 percent say they often read them. That means that three-quarters of users don’t read what they are agreeing to. 38 percent say they sometimes read the policies and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, only 22 percent say they read them to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked, with an additional 19 percent saying that some of what they do is being tracked. That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of people think that the risks of companies collecting data about them outweigh the benefits, and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or not at all from the collection of their data by companies and, even more surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.


The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now. That alone puts security at a disadvantage. The TSA has 50,000 agents. If you assume they have to replace only 25,000 every year, and the shutdown lasts a month and the stats don’t go up, they will have to replace about 2,000 people. How easy will that be, given that the government is/was shut down? The TSA says that standards won’t suffer, but you can do your own math.

Many so called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security include 187 departments and several hundred thousand employees. At least some of them have been furloughed; others are working without pay, while still others are looking for other jobs.

Who are the most likely to find other jobs? Certainly it is not those with the least skills. When it comes to cybersecurity, it is the ones with the most skills, and likely, if they leave, they will get a pay raise. And they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.


Cybersecurity is not an IT Problem

O P I N I O N

People sometimes ask why IT can’t fix the cybersecurity problem.  The reason is pretty simple.  Cybersecurity is not an IT problem.

IT can make systems very secure. The only problem is that employees won’t be able to get their job done. No mobile. No WiFi. No personally owned computers. Really long, complex passwords. You get the idea.

Several British companies have decided that the way to improve security is to implant a microchip in the hand of several hundred thousand employees instead of giving them a badge.

After all, what could go wrong?

Kind of like your cat.  After all, the pet door that is supposed to open with your cat’s chip always works, right?

If an employee wants to go to the bathroom, wave your hand in front of the bathroom door.  If you have already taken a bathroom break this morning maybe the door won’t open.

What happens when your “badge” stops working (I am sure that those of you who have a work badge or have gone to a hotel have never experienced that)?

Who pays for the medical bills if there are complications?

What happens when you change employers?

And, of course, you can’t turn it off on the weekends or at night.

Can you opt out?  Your cat didn’t have a choice.

Now the PR Spin.

KPMG said it was not considering microchipping its employees and would, under no circumstances, consider doing so.

So while, apparently, some employers ARE considering microchipping their employees, think about this:

  • Equifax couldn’t patch all of their servers
  • Target didn’t isolate the server its refrigeration vendor used to find out which coolers needed repair from its credit card systems
  • Home Depot wasn’t PCI compliant when they were hacked; their lead security engineer was a convicted felon (Ricky Joe Mitchell was convicted of sabotaging his former employer), and it has been widely reported that when the security team asked for more funding to improve security they were told that Home Depot was in the business of selling hammers – how does this help us sell more hammers?
  • It seems that every week we hear about another company that “accidentally” allows anyone on the planet to download the content of their Amazon S3 storage buckets containing userids, passwords and all kinds of confidential information.

If businesses cannot handle the security basics, microchipping their employees is not going to help.

99% of the time, security is about the basics. Every now and then it requires heroic efforts, but those times are relatively few.

This issue is gonna be with us for a while.  A long while.  Anyone who is hoping for a silver bullet solution – I have a bridge in Brooklyn for sale cheap.

SORRY!

Information for this post came from Slate and The Guardian.