Six Internet Creepoids To Beware Of

There are a lot of basket cases out there–both in the physical world and in the virtual one.

The New York Times today has an article by Henry Alford about people who act or are mainly just perceived as creepy online.

He gives examples of people who take out their smartphones (with cameras) in the locker room, who show their online photos and whoops there’s an indecent doozie, who mistakenly send a critical email to the wrong person or distribution list, who say the wrong thing online because of autocorrect or autofill, and who act the detective looking up too much information about others.

At the end, Alford calls for “more tolerance toward the gaffe-makers.”

And while we should be good people and forgive genuine mistakes, some things are not accidents and deserve the seal of “ick!”

Here’s the list of 6 Internet Creepoids to seriously beware of:

1) Overly Cyber Friendly or Familiar: People who chat, text, email, or comment in a way that portrays an inappropriate knowing or intimacy with others.

2) Cyber Stalkers: Those who, in an unsolicited and unwanted or obsessive way, follow, friend, monitor, or harass others on the Internet.

3) Internet Trolls: Individuals who giddily sow discord with argumentative, inflammatory or extraneous messages online narcissistically or just to be jerks.

4) Cyber Exhibitionists or Voyeurs: People who inappropriately or compulsively expose themselves or watch others naked or engaged in sexual activity online.

5) Cyber Impersonators or Identity Thieves: Those who falsify their identities by exaggerating or masking their true selves, pretend to be someone else, or otherwise steal someone’s online identity.

6) Cyber Freaks: Individuals who behave online in extremely unusual, unexpected, and frightening ways.

So while some things are innocent or accidentally creepy from otherwise nice and decent people, other actions are genuinely such from the real online creepoids. 😉

(Source Photo: Andy Blumenthal)

Turnkey Cyberwar

Interesting article by Noah Shachtman in Wired about how the Pentagon is gearing up for cyberwar.

It’s called Plan X and it’s being pursued by the Defense Advanced Research Projects Agency (DARPA).

The idea is for cyber warfare to be conducted like traditional kinetic warfare–where “munitions made of 1s and 0s [are] to be as simple to launch as ones made of metal and explosives.”

Cyberspace is considered a domain of warfare similar to land, sea, air, and space, and it is necessary to be able to craft offensive capabilities where “a military operator can design and deploy a cyber effect, know what it’s going to accomplish…and take the appropriate level of action.”

We can’t fly by the seat of our pants in cyberspace any longer; we’ve got to have turnkey solutions ready to launch in order to defend our people and interests.

To accomplish this, we need:

1) Surveillance: A good map of cyberspace detailing enemy cyber outposts and threats akin to the geographical maps we have identifying physical targets and dangerous movements.

2) Weapons: Reliable cyber weapons ready to take on and take out enemy networks similar to kinetic weapons ready to destroy their military hardware and infrastructure.

3) Launch protocols: The rules of engagement for attack and counterattack and the ability to intuitively and securely unleash those even faster than the turnkey capabilities with which we can respond with traditional military might.

Whether the cyber weapon looks like Angry Birds or some other point (at the target) and swipe (to launch at them) interface is almost beside the point–what is key is that we are ready to fight like hell in cyberspace, win uncontested, and keep the peace again. 😉

(Source Photo: here with attribution to Great Beyond)

Blackout Nation

We are reaching an exciting but dangerous phase of technology adoption where our dependence is virtually complete.

From mobile to social computing, from telecommunications to transportation, from industrial systems to electronic health records, from banking to eCommerce, from homeland security to national defense–we are dependent on technology.

But while technology proliferates everywhere, so do the risks.

Bloomberg BusinessWeek (16 May 2003) in an article called “The City That Runs On Sensors” talks about how initiatives like IBM’s smart-cities are bringing sensors and technology to everything running our towns–“Smart [city] innovation is improving our economic fabric and the quality of our life.”

The flip side is an editorial in today’s Wall Street Journal by former CIA director James Woolsey and Peter Pry, who served on the congressional EMP commission, warning how “A single nuke exploded above America could cause a national blackout for months” or years (stated later in the article).

They write that “detonating a nuclear weapon high above any part of the U.S. mainland would generate a catastrophic electromagnetic pulse” (EMP)–and that this “would collapse the electric grid and other infrastructure that depends on it.”

This would be a national blackout of epic proportions that would impact all areas for 21st century sustainment of 311 million lives. Think for yourself–what would you be able to do and not do without the computers and telecommunications that you use every day?

Woolsey and Pry call for a preemptive surgical strike, for example, to prevent North Korean development of an ICBM capable of inflicting a nuclear EMP strike, but you can imagine other nations that pose a similar threat.

While we beef up our Cyber Corps and attempt to strengthen our tools, methods, and configurations, this is just the tip of the iceberg when it comes to securing cyberspace.

Cybersecurity is more than just protecting us from malware infiltration and exfiltration–because the whole IT system that our society is built on can be wiped out not by cyber attack alone, but rather by collapsing the very electronic infrastructure that we rely on with a pulse of electromagnetic radiation that will fry the very circuits that run our devices.

While we build firewalls and put up intrusion detection and prevention guards and establish a court system of antivirus and spamware to put away violators and so on, how shall we prepare for a pulse attack that can incapacitate the electronics underpinnings–security and all?

“Star Wars” missile defense, preemptive action, and hardening of critical infrastructure are all security options–it costs money to keep the IT lights on, but better to pay now than pay catastrophically bigger later. 😉

(Source Photo: Andy Blumenthal)

Fun, The Good ‘ol Fashion Way

This was a funny picture today on the street in downtown D.C.

This guy was getting a cheap ride down the thoroughfare in a bin.

She was pushing and he had his arm raised as the winner of the big race.

It reminded me of when we were kids and used to ride go-karts down the hill–and only after we picked up some speed did we realize that the brakes didn’t work that good.

Oh well, a little flip and some chuckles and no worse for the wear.

Those were the days, young and carefree–nothing to worry about except whose house we were going over to, next, to wreak some havoc.

I remember, one day we were having a huge wet paper towel fight and one kid ran into the garage to escape the barrage, I gave chase and unwittingly pushed against the glass in the door to follow and oops my hand went right through.

Not a pretty sight, but I thank G-d lived to tell my kids about it, and now they got one up on me when they do something a little out of bounds and fun–actually they are a lot better than I was at that age.

And it wasn’t that I was a bad kid, I was actually one of the good ones–or so I was told–but before we all had computers, the Internet, social media, and smartphones, we had each other.

It wasn’t the technology that drove us, but rather the evolving web of interactions (today my new best friend is…), the challenges we made up (let’s bike up to Tarrytown in 100+ degree heat), the fun we found ourselves in (from the board game Risk to early gaming on the Atari, or just cleaning out a friend’s garage for a few bucks)–times were simpler, more innocent, and in a way better.

When we went home at night from work or for the weekend, our time was our own–we weren’t glued to email and always on call.

When we attended an event, we didn’t check our Facebook and Twitter, but paid attention to the company we were in.

When we ate dinner together, maybe the one rabbit-ear TV was going in the background with one of the 3 networks stations, but everyone wasn’t being pulled away for gaming, blogging, or some Internet shopping.

Don’t get me wrong, I love my technology as much or maybe more than the next guy, but I also miss just being me in the physical world with my family and gang of friends, and not just so much TheTotalCIO in the office and in cyberspace. 😉

(Source Photo: Andy Blumenthal)

Catching More Flies With Honey

There’s an old saying that you can catch more flies with honey than with vinegar.

And this is true in cyberspace as well…

Like a honey pot that attracts cyber criminals, organizations are now hiring “ethical hackers” to teach employees a lesson, before the bad guys teach them the hard way.

The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.

The point of this is not to make people feel stupid when they fall for the hack–although they probably do–but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.

One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.

Another dupe is to send a faux email seemingly from the CEO or another colleague so that they feel safe, but with an unsafe web link, and see how many fall for it.

While I think it is good to play devil’s advocate and teach employees by letting them make mistakes in a safe way–I do not think that the people should be named or reported as to who fell for it–it should be a private learning experience, not a shameful one!

The best part of the article was the ending from a cyber security expert at BT Group who said that rather than “waste” money on awareness training, we should be building systems that don’t let users choose weak passwords and don’t care what links they click–they are protected!

I think this is a really interesting notion–not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace–where every misstep or mistake doesn’t cost you dearly in terms of compromised systems and privacy. 😉

(Source Photo: Dannielle Blumenthal)

Balancing Cybersecurity And Citizen Freedom

There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012).

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable search and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities—so “clean” traffic is promptly removed from the system.

4. Privacy protections are ensured through review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a recurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms—whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Piracy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PPD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PPD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. 😉

(Source Photo: Andy Blumenthal)

Analyzing The Law

So I am back in school AGAIN (I’m a life-long learner), augmenting my not so slow-paced job.

Let’s just say that at this point, I recognize that the more I know, the more I don’t know anything.

The class that I am taking now is Cyberlaw, and while I did take law in business school–many moons ago–that was more focused on contracts and business organizations.

This class looks interesting from the perspective of the legal and regulatory structure to deal with and fight cybercrime, -terrorism, and -war.

One interesting thing that I already learned was a technique for evaluating legal cases called IRAC, which stands for:

– Issues–the underlying legal matters that the case is addressing.

– Rules–what legal precedents can be applied.

– Analysis–whether those rules apply or not, in this case.

– Conclusion–rendering an opinion on the case.

This is a structured way to analyze any legal case.

Of course, before you do these, you have to look at the facts–so that is the very first section.

The problem with that is then you have F-IRAC and that can definitely be taken the wrong way. 😉

(Source Photo: Andy Blumenthal)

Securing Transport To The Cloud

A new article by Andy Blumenthal on cyber security and cloud computing in Public CIO Magazine (June 2012) called Securing Cloud Data Means Recognizing Vulnerabilities.

“It’s the principle of inertia: An object in motion stays in motion unless disturbed. Just like a car on a highway, everything zips along just fine until there’s a crash. This is similar with information on the superhighway.”

Let’s all do our part to secure cyberspace.

Hope you enjoy!

(Source Photo: here with attribution to Kenny Holston 21)

Cyberwar, You’re On

There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations’ “increasingly sophisticated [cyber] attacks on the computer systems that run Iran’s main nuclear enrichment facilities”–sabotaging as many as 1000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States’ National Security Agency and Israel’s advanced cyber corps, Unit 8200.

The malware included programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back as 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranians’ sinister nuclear program while economic sanctions have a chance to bite.

Additionally, cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle East.

At the same time, the use of cyber weapons is a double-edged sword–if we use it on others, this may encourage cyber proliferation and its eventual use on us–and as the NYT writes, “no country’s infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States.”

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X–“ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation.”

“If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”

The “five-year $110 million research program” is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace–create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.

2) Building A Survivable O/S–Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) “capable of launching attacks and surviving counterattacks.”

3) Develop (Semi-)Autonomous Cyber Weapons–so cyber commanders can engage in “speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code.”

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers–and ending there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

“Cyberwar could be more humane than pulverizing [targets]…with bombs,” but I doubt it will be.

Imagine, virtually everything you know coming to a complete halt–utter disruption and pandemonium–as well as the physical effects of that which would ensue–that’s what cyber war is all about–and it is already on the way.

So as Richard M. George, a former NSA cyberdefense official, stated: “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

It is good to see us getting out in front of this cyber security monster–let’s hope, pray, and do everything we can to stay on top as the cyberspace superpower.

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)

Cyber War – The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet that are used as weapons and says that “the next big war is less likely to begin with a bang than with a blackout.”

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI’s Cyber Division), Jim Gosler (Founding Director of CIA’s Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it’s high time that we think again.

Here are some highlights:

– When Retired Admiral McConnell is asked “Do you believe our adversaries have the capability of bringing down a power grid?” McConnell responds “I do.” And when asked if the U.S. is prepared for such an attack, McConnell responds, “No.”

– Jim Gosler describes how microchips made abroad are susceptible to tampering and could “alter the functionality” of let’s say a nuclear weapon that needed to go operational, as well as how they “found microelectronics and electronics embedded in applications that shouldn’t be there.”

– Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

– Jim Lewis tells of the “electronic Pearl Harbor” that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies–“so we probably lost the equivalent of a Library of Congress worth of government information” that year and “we don’t know who it is” who broke in.

The point is that our computers and communications and all the critical infrastructure that they support–including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that “it doesn’t seem to be sinking in. And some of us call it ‘the death of a thousand cuts.’ Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it’s like little drops.  Eventually we’ll drown. But every day we don’t notice.”

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.