@National Cybersecurity Center of Excellence

So good today to visit the NIST Cybersecurity Center of Excellence (NCCoE).
The cybersecurity solutions developed are aligned to the well-known Cybersecurity Framework (CSF). 


Got to see some of the laboratories, including demonstrations for securing the Healthcare and Energy Sectors. 


Interesting to hear about examples for securing hospital records and even things like infusion pumps.


The medical devices are tricky to secure, because they are built to potentially last decades and are expensive to replace, but the underlying technology changes every couple of years. 


Also, learned more about securing the energy sector and their industrial control systems.  


One scary notable item mentioned was about the “big red button” for shutdown in many of these facilities, but apparently there is malware that can even interfere in this critical function. 


It is imperative that as a nation we focus on critical infrastructure protection (CIP) and on continuously enhancing our security.


Time is of the essence: as our adversaries improve their game, we need to be urgently upping ours. 😉


(Source Photos: Andy Blumenthal)

Obsolescence Of Nuclear Weapons

This is one incredible video. 


It shows the killing power of micro killer drones. 


With a host of cameras and other sensors including facial recognition and GPS, plus a small amount of explosives, these drones can target individuals or critical infrastructure and take them out!


The drones can work alone or in swarms to get into and kill or destroy anything. 


No VIP (very important person) or CIP (critical infrastructure protected) is safe. 


We can wipe out entire cities or the nuclear infrastructure of our enemies. 


Despite the warning about artificial intelligence at the end of this video, rest assured these killer microdrones are coming. 


Big is the new small, and small is the new big. 


In fact, big things come in small packages–exactly!  


Iran and North Korea are chasing obsolete technology to harm the U.S. and Israel, and within a short time, they will see the error of their malevolent ways.


G-d foretells us all in the Bible and like David and Goliath–a slingshot to the forehead and the fight with the evil is over. 😉


(Thank you to Itzchak for sharing this video with me). 

Deterrence Alone Is Not A Strategy

 


So there is a military doctrine that has been in place for decades. 


– MAD – Mutually Assured Destruction 


If you attack the USA with weapons of mass destruction, you’ll get an overwhelming response that will totally destroy your country. 


This was what supposedly held the USSR at bay during the Cold War. 


And even recently, President Trump threatened North Korea that they would be “totally destroyed” if they try anything on us. 


The problem is that the MAD doctrine of deterrence assumes incorrectly that you are always dealing with rational actors and not with madmen.


Let’s face it, there are plenty of crazies out there, some of whom may be willing to go down in a “blaze of glory” as long as they stand up to the United States and die a hero’s death for their radicalized or “subjected” people. 


Whether it’s Iran or North Korea or others–we may not know what we are really dealing with here until it’s too late. 


Life is not everything to these people–remember many a terrorist has died a martyr’s death with the promise of 72 virgins in heaven awaiting them. 


To some, as Prime Minister Golda Meir stated:

“Peace will come when the Arabs will love their children more than they hate us!”


Hate by virtue of perceived injustice, required Jihad or “holy war,” brainwashing or threats and the desire for a “glorious death” standing up to the infidels or the “great Satan”…any or all of these can contribute to ignoring the consequences. 


Israel has tried to deter horrible homicide bombers and other mad terrorists from performing their evil misdeeds on the civilian population by, for example, demolishing the terrorists’ homes as a potent consequence that they know going into it, yet many terrorists still wear the explosive vests and detonate anyway.


Similarly, North Korea despite the President’s threat that they “will be met with fire and fury like the world has never seen,” brushed it off and shot off more volleys of ICBMs and threatened to engulf Guam in fire. 


– The point is that deterrence alone is not a strategy!


If our enemies can hit us with a devastating attack–whether WMD, cyber, EMP, or quantum attack–that can inflict immeasurable harm on us–they may actually choose to take their best shot, rather than wait for us to hit them or continue to feel disrespected, subjected, inferior, and hopeless.


To someone on the radical fringes or the mental edge, maybe–just maybe–they will do the unthinkable and surprise us.


What good will our fire and fury counterstrike do us, when our cities are in ruin and our people dead and dying en masse?


Revenge isn’t so sweet when your family, homeland, and virtually everything you know and held dear is gone.


The only real military strategy is to be able to defend ourselves and AVOID getting a homeland catastrophe!


We need massive investment and expertise in missile defense, bio defense, cyber defense, quantum computing, and expansive hardening of our critical infrastructure.


Unfortunately, as naysayers to the threats abound, we are nowhere near where we need to be in protecting the homeland.


If one person falls from the high wire and smashes their head, what good is it that the other person falls and suffers similarly or worse?


The point is not to fall, not to get hurt, not to die, not to have our country and way of life destroyed.


Deterrence does not guarantee this security to the country–especially when dealing with no shortage of radicalized nuts out there. 


Only a genuine defense that can STOP and counter the threats BEFORE a devastating attack happens and hits us is a strategy worth pursuing …and THEN you can punch the other person squarely in their devil’s face!


Without an adequate defensive strategy, get ready, because every high flying act eventually falls to the ground and hits their head hard. 😉


(Source Photo: Andy Blumenthal)

Cybersecurity Vulnerabilities Database


There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 


And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!


Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20 days!


Additionally, China’s database has thousands of vulnerabilities identified that don’t appear in the U.S. version. 


Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 


Why the lag and disparity in reporting between their systems and ours?


China uses a “wider variety of sources and methods” for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources–hence, it’s a “trade-off between speed and accuracy.”


For reference: 


The Department of Commerce’s National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).


And the NVD is built off of a “catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp.”


Unfortunately, when it comes to cybersecurity, speed is critical.


If we don’t do vastly better, we can be cyber “dead right” before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  😉


(Source Photo: Andy Blumenthal)

Never Ever More Vulnerable

So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.


As we all know, our cybersecurity has not kept near pace with our ever-growing reliance on everything technology.


There is virtually nothing we do nowadays that does not involve networks, chips, and bits and bytes. 


Energy

Transportation

Agriculture

Banking

Commerce

Health

Defense

Manufacturing

Telecommunications


If ANYTHING serious happens to cripple our technology base, we are toast!


From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to an EMP blast that simply fries all our electronic circuitry–we are at the mercy of our technology underpinnings. 


Don’t think it cannot happen!


Whether it’s WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP–these are just a few of the recent cyber events of 2017!


Technology is both a blessing and a curse–we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!


This is not just a risk that life could become more difficult or inconvenient–it is literally an existential threat, but who wants to think of it that way?


People, property, and our very society are at risk when our cybersecurity is not what it must be.


It’s a race of defensive against offensive capability. 


And we can’t just play defense, we had better actually win at this! 😉


(Source Photo: Andy Blumenthal)

Preventing Cyber Disaster


So I liked this ad from Palo Alto Networks on the side of the bus, over the windows:

“Dinosaurs react.
Professionals prevent.”

That’s some very good marketing for a cyber security company.


It’s almost a daily occurrence now to hear about the infiltrations into our networks and exfiltrations or manipulations of data that are taking place across government and industry.


Just today again, another NSA contractor was accused of stealing highly classified computer code.


The day before, Guccifer 2.0 and WikiLeaks released a trove of stolen documents from the Clinton Foundation.


And again, J&J reveals that its insulin pump is vulnerable to hacking following allegations in August that St. Jude heart devices were subject to life-threatening hacking. 


Certainly, we can’t afford to sit back and wait to react to the next attack…damage control and remediation are much harder than getting out in front of the problem in the first place. 


Prevention and deterrence are really the only solution…keep the hackers out and make sure they know that if they mess with us and our systems that we can identify who they are, find them, and take them out. 


These are the capabilities we need and must employ to dominate the cyber realm. 


In the presidential debates, candidates struggled to articulate how to deal with cybersecurity.


But this is not a game of cyberopoly, rather national security, critical infrastructure, vital intellectual property, and our economy are at risk. 


Giving away Internet control and trying to plug leaks after the fact on a sinking cyber ship is no way to manage our vital technology resources.


It’s high time for the equivalent of Cold War determination and investment that ensures we win a free and safe cyberspace with all our networks and data intact. 


This is the only way that we don’t go the way of the dinosaurs. 😉


(Source Photo: Andy Blumenthal)

USA Surrendering The Internet


So here we go again, we cut off the hand (and arm) despite the face.


We are recklessly giving up control of the Internet, specifically of the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Domain Name Servers (including all the DNS root zones like .com, .net, .gov, etc.) that handle all the addressing of our Internet traffic.


Despite repeated cautions from many in industry, academia, and government not to do this, we are moving ahead anyway with tomorrow being the transition date!


Why would we give away anything, let alone control over the awesome technological power of the Internet that we depend on in some way for virtually every activity we do these days?


Aside from non-explanations of “fulfilling historic promises” to cede control (i.e., surrender the Internet out of fear that other countries will challenge us and set up their own alternate DNS’s) and nonsensical talk of “protecting Internet freedom” by giving it away to authoritarian regimes and despots–there seems to be no REAL reason to do this drastic action that weakens our country and puts our technology, commerce, critical infrastructure, and national security at risk!


Rather than defend the Internet that the USA invented (specifically DARPA), here we go again in fear and weakness going in the wrong direction–surrendering and giving up control of the web.


If you love the Internet and recognize how important this asset is to us, then like an FCC Commissioner said this week, you should be worried about what the h*ck we are doing to the freedom (vice censorship) of the Internet and to ourselves. 😉


(Source Photo: Andy Blumenthal)