
DoD Still Can’t Get its Security Ducks in a Row

Five years after the Pentagon demanded that every weapon system include the requirement that it be able to function in the face of Russian and Chinese cyber attacks, many major weapons systems don’t even include cybersecurity as a key performance parameter, never mind actually working under those conditions.

This means that all our adversaries need to do in order to win a war is to hack our weapons, which, it appears, may not be that hard.

Of the three major services, the Air Force is the worst, with inconsistent cybersecurity practices across 85 weapon systems worth over $1.5 trillion.

Even though the Pentagon updated its Joint Capabilities Integration and Development System Manual (JCIDS) in 2015 to include a requirement to be able to function in a degraded cyber environment, at the end of 2019 the GAO found that 25 out of 42 major weapons systems did not even include cybersecurity as a Key Performance Parameter (KPP) and even more did not include it as a Key System Attribute (KSA).

It used to be that you pointed your gun in a particular direction and pulled the trigger. It was pretty hard to hack. Now weapons systems are smart. They include software and many are networked.

WHAT. COULD. POSSIBLY. GO. WRONG?

The 2019 report “looked at DOD’s progress with developing:”

  • (1) strategies that help ensure that programs are planning for and documenting cybersecurity risk management efforts (cybersecurity strategies),
  • (2) evaluations that allow testers to identify systems’ weaknesses that are susceptible to cybersecurity attacks and that could potentially jeopardize mission execution (cybersecurity vulnerability evaluations), and
  • (3) assessments that evaluate the ability of a unit equipped with a system to support assigned missions (cybersecurity assessments).”

Most of the 38 MDAPs (Major Defense Acquisition Programs) reviewed had created a cybersecurity strategy, but of the 19 programs that required a cybersecurity vulnerability evaluation, 11 had not completed them or had failed to complete them on time. Another three said that they didn’t have a schedule for completing it, and one Air Force program said it didn’t know whether it had completed an evaluation.

Of 42 programs, 14 told the GAO that they had not finished their cybersecurity assessment.

The GAO report continues discussing the problem. Apparently the Pentagon just has not made this a priority.

If Ellen Lord says that no program will be funded during the next fiscal year if it doesn’t comply with Pentagon policy, I BET that every program will be funded. It is about priorities.

It is also about servicemembers’ lives. We should not forget this. If their weapon systems don’t work because the enemy hacked them or jammed them or somehow compromised them, it could cost not only servicemembers’ lives, but also civilian lives.

Credit: Breaking Defense

Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture, the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle cyber. This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the threat from China (and others). A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.


Who *IS* Going to Rescue Us

It is old news that Jeff Bezos was caught cheating on his (soon to be ex-) wife.  That isn’t terribly unique news.  Powerful men seem to do that a lot.  At this point it is still somewhat murky as to how AMI, parent of the National Enquirer, obtained pictures that Jeff shared with his girlfriend.

It is certainly possible, as AMI claims, that they got them from the brother of Bezos’ girlfriend, Lauren Sanchez.  It is not clear why he might have done that.  Possibly he didn’t like the situation.  Possibly, they offered him a suitcase full of cash.  Surely he must have known that would not enhance his relationship with his sister.  Maybe he didn’t care.  Maybe he didn’t even like her.  Who knows.

That gossip is not terribly interesting in the big picture.

There is, however, an aspect of the story that we should all be concerned with.

Bezos, having a few billion here and there, even after going 50/50 with his soon to be ex, hired an investigator to figure out how AMI got those compromising pics.  In case you don’t keep up with the gossip, the pictures included parts of Jeff’s body that most people do not expose to the sun.

The investigator wrote an opinion piece for the Daily Beast saying it was the work of the Saudis.  I certainly don’t know if this is true or not.  Certainly the Saudis don’t like Bezos much, since the newspaper he owns, the Washington Post, said that the Saudi Crown Prince was responsible for killing and dismembering a journalist, Jamal Khashoggi.  Whether you think that Khashoggi was innocent or not, people generally don’t like the idea of ordering hits on people and then cutting those people up and stuffing their body parts into diplomatic pouches to get them out of the country.

We could debate the merits of all of the above for a long time, but that is not the point of this piece.

Let’s assume for the moment that we reliably believe that the Saudis did hack either Bezos’ or Sanchez’ cell phone, steal the photos and give them to AMI.  This is an assumption, not a fact, but something we need to agree, for the moment, is possible.

Let’s assume, as an alternative, that some other government with which we have a love-hate relationship hacked into some U.S. company for reasons of its own and either stole stuff or did some damage.  An example of this is Sony and North Korea, but that is not a good example because we have a hate-hate relationship with them, not a love-hate relationship.

All of the above is just a setup for what follows.

What should we expect the U.S. government to do about it?

After all, we hack the crap out of anyone that we can – right? – NSA, CIA and other TLAs (three letter agencies).

Should the government retaliate?  Let’s assume for the moment that Trump and Bezos didn’t have one of those hate-hate relationships that they do have.  Should the White House launch an attack on another nation?

This is a real question that Trump has had to deal with and the supposed reason for the China Tariffs.  It is possible that the tariffs may have some long term effect on China’s hacking of us. Short term, it seems to have increased their hacking, but long term – who knows.

We do know that in the short term it is costing U.S. companies billions, most of which will be passed on to U.S. consumers in the form of higher prices and slower growth.  The auto industry says that it is causing them to lay off tens of thousands of employees.

But still, stay tuned.

China is not a good example either because what China is doing is very widespread, not targeted like going after one person or one company.

So what should we expect our government to do in cases like this?

In the aggregate, hacking is costing companies more than a half trillion dollars a year globally.  That is real money.  It is bigger than the GDP of many countries.

Realistically, individual companies do not have the ability to keep out a determined nation state actor.  Not if the attacker is targeting them specifically and is motivated (that represents, maybe, one tenth of one percent of all attacks, probably much less than that).

What is also true is that many small companies may become collateral damage from attacks, whether by regular hackers or nation states, without being the target.  A perfect example of that is WannaCry, which devastated companies across Europe that were not the target of the attackers.

Here is the bad news.

My opinion is (which along with about $4.95 will buy you an average cup of coffee at a well known coffee chain – probably a small cup) that 99+% of the time – unless you are a Sony and go up in flames – the government is not only not going to do anything to protect you or retaliate, but they are not even going to notice that you have been attacked.

The FBI gets thousands of reports of attacks a week.  In 2017, the FBI got more than 300,000 reports.  That is more than 800 reports a day, including Saturdays and Sundays.  The FBI has, as I recall, around 14,000 actual agents who are responsible for all manner of crimes including murder, kidnapping and terrorism.  How many of those 800 reports a day do you think they can respond to?

In fairness, they will cherry pick a few.   Maybe 5 out of 800 a day.  I don’t know.  Probably less.

Bottom line – you are going to be responsible for yourself.

Realistically, this means that you have to do your best to keep the bad guys out and be ready to deal with it when the bad guys win a particular battle.

You are not going to like this analogy, but after 9-11, we stood up the TSA.  Whether you think they are wonderful or buffoons, we spend almost $8 BILLION a year on that one agency just trying to keep the bad guys at bay.  Based on published reports, something like 50% of guns screened by TSA get through the checkpoints, more at some airports, less at others.  Luckily, those guns do not appear to be owned by active terrorists.

From the TSA’s standpoint, while they would like to prevent another 9-11, and the director of the TSA would likely be fired if there was another one, for the rank and file, they are just doing their job.  There is not much financial consequence to the 40,000 plus employees of the TSA if another 9-11 happens.  In fact, it is likely to reinforce their job prospects unless we decide to shut down all of the airlines permanently.  Or make you travel naked with no luggage.

From your standpoint, if you suffer an attack – ransomware, theft of intellectual property, destruction of your factory like happened recently with a German steel mill – that is costing you real money, real business, real jobs.  It is very personal for you.  Norsk Hydro lost $40 million in the first week after their ransomware attack.

This means that you need to actively work to make it harder for the bad guys to damage you.

For you, this means time, energy, people and, yes, money.  Sorry.

This is one case where the government can’t fix it, even if they try.

Source: The Cybersecurity 202.