Espionage, Social Media Style

You are being watched!

Good guys and bad guys are tracking your movements, rants and raves, photos, and more online.

For example, The Atlantic reported on 4 November 2011, in an article titled “How the CIA Uses Social Media to Track How People Feel,” that “analysts are tracking millions of tweets, blog posts, and Facebook updates around the world.”

Further, in January 2009, “DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for ‘items of interest.’”

And even more recently in August 2011, DARPA invited proposals for “memetracking” to identify themes and sentiments online and potentially use this for predictive analysis.

The thinking is that if you can use online information to predict stock market movements as some have attempted, why not criminal and terrorist activity?

Similarly, The Guardian reported on 16 March 2010 “FBI using Facebook in fight against crime” and cautions that “criminals dumb enough to brag about their exploits on social networking sites have now been warned: the next Facebook ‘friend’ who contacts you may be an FBI agent.”

This is reminiscent of the work of the private sector, Dateline NBC, in using Internet chat rooms to catch sexual predators online by luring them to a house where the predators believed they were going to meet up with an underage girl for a tryst.

While these efforts are notable and even praiseworthy by the good guys–assuming you can get over the privacy implications in favor of the potential to have a safer society to live in–these activities should be carefully safeguarded, so as not to infringe on the rights and freedoms of those who behave legally and ethically.

But the good guys are not the only ones using the tools of the trade for monitoring and analyzing social networking activities–the bad guys too recognize the implicit information treasure trove available and have you in their crosshairs.

For example, in the last year’s Arab Spring, we have nation states tracking their citizens’ political activities and using their power over the Internet to shut off access and otherwise suppress democracy and human rights. Further, we have seen their use for cyberspying and testing offensive cyber attack capabilities–only the most recent of which was the alleged infiltration of a SCADA system for an Illinois water plant.

Moreover, this past week, Forbes (21 November 2011) reported in “The Spy Who Liked Me” that “your social network friends might not be all that friendly.”

From corporate espionage to market intelligence, there are those online who “steadfastly follows competitors’ executives and employees on Twitter and LinkedIn.”

In fact, the notion of online monitoring is so strong now that the article openly states that “if you’re not monitoring your competitors’ activity on social media, you may be missing out on delicious tidbits” and warns that “it’s easy to forget that some may not have your best interests at heart.”

Additionally, while you may not think your posts online give that much away, when your information is aggregated with other people’s posts as well as public information, it’s possible to put together a pretty good sketch of what organizations and individuals are doing.

Forbes lists the following sites as examples of the “Web Spy Manual” with lots of information to pull from: Slideshare, Glassdoor.com, Quora, iSpionage, YouTube as well as job postings and customer support forums.

When you are on your computer in what you believe to be the privacy of your own home, office, or wherever, do not be deceived: when you are logged on, you are basically an open book for all the world to see–good guys and bad guys alike.

9/11 – A Lesson In Risky Business

Corresponding to the 10th anniversary of 9/11, Bloomberg BusinessWeek (5-11 Sept 2011) has a great article on risk management called “The G-d Clause.”

When insurers take out insurance–this is called reinsurance, and reinsurers are “on the hook for everything, for all the risks that stretch the limits of the imagination”–that’s referred to as The G-d Clause–whatever the almighty can come up with, the “reinsurers are ultimately responsible for” paying for it.
And obviously, when insurers and reinsurers don’t well imagine, forecast, and price for risky events–they end up losing money and potentially going out of business!
Well, when it came to 9/11, insurers lost fairly big financially–to the tune of $23 billion (it is, in fact, the 4th costliest disaster since 1970 after Japan’s tsunami, earthquake and Fukushima nuclear disaster ($235B), and hurricanes Katrina ($72B) and Andrew ($25B) in the U.S.).
Even Lloyd’s, “that invented the modern profession of insurance [and] publishes a yearly list of what it calls ‘Realistic Disaster Scenarios,’” and that had imagined 2 airlines colliding over a city, failed to anticipate the events of September 11, 2001.
According to the article, even insurers that make their living forecasting risks, “can get complacent.”
And the psychology of the here and now, where “people measure against the perceived reality around them and not against the possible futures” is the danger we face in terms of being unprepared for the catastrophic events that await, but are not foretold.
In a sense, this is like enterprise architecture on steroids, where we know our “as-is” situation today and we try to project our “to-be” scenario of the future; if our projection is too far off the mark, then we risk either failing at our mission and/or losing money, market share, or competitive advantage.
The ability to envision future scenarios, balancing reality and imagination, is critical to predict, preempt, prepare, and manage the risks we face.
Post 9/11, despite the stand-up of a sizable and impressive Department of Homeland Security, I believe that our Achilles heel is that we continue to not be imaginative enough–and that is our greatest risk.
For example, while on one hand, we know of the dangers of weapons of mass destruction–including nuclear, chemical, biological, and radiological devices–as well as new cyber weapons that can threaten us; on the other hand, we have trouble imagining and therefore genuinely preparing for their actual use.  
Perhaps, it is too frightening emotionally or we have trouble coping practically–but in either case, the real question is are we continuing to proceed without adequate risk-loss mitigation strategies for the future scenarios we are up against?
Frankly, living in the suburbs of our nation’s capital, I am fearful of what may await us, when something as basic as our power regularly goes out when we get just a moderate rain storm in this area. How would we do in a real catastrophe?
In my mind, I continue to wonder what will happen to us, if we proceed without taking to heart the serious threats against us–then the tragic events of 9/11 will have unfortunately been lost on another generation.
Like with the reinsurers, if we do not open our minds to perceive the catastrophic possibilities and probabilities, then the risky business that we are in may continue to surprise and cost us.
(All opinions my own)

Getting To Swift Cyber Justice

The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:
  • “DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial or service of access or service…, and the destructive action–including corruption, manipulation, or direct activity that threatens to destroy or degrade network or connected systems.”
  • “Cyber threats to U.S. national security go well beyond military targets and affects all aspects of society.  Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure.”
  • “Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.”
The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more. 
As the Wall Street Journal pointed out on 15 July 2011: “The plan as described fails to engage on the hard issues, such as offense and attribution.”  If we can’t even identify who’s attacking us, and fight back with precision, then we’re flailing.
Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors? 
The concept of operations is straightforward: any computer device that is used to attack us would immediately be blocked and countered with equivalent or greater force and taken out of play.
This would mean that we are able to get past cyber-bot armies to the root computers that are initiating and controlling them, and deal with them decisively. This would hold regardless of the source of the attack–individual or nation-state.
The DoD plan acknowledges our own unpreparedness: “Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity.”
As in the Cold War, there must be no doubt with Cyber Warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision. 
Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors. 
We can only have peace in cyberspace when we have the strength to stand up and defend it.  
Now we must move with cyber speed to build this capability and stand ready to execute our defenses.
Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: “The single biggest existential threat that’s out there is cyber...It’s a space that has no boundaries. It has no rules.”
We must become even better–much better!

Who Needs Airport Body Scanners? An Alternative Approach

Not sure if this is serious or a joke, but I received an email for an alternative to body scanners at the airports — may seem a bit crude, but then again we need to look for an effective security solution that is less invasive.

This particular idea, attributed to Israeli security, is for a booth that rather than take potentially invasive body scans, will safely (but not for you, if you are a terrorist) “detonate any explosive device that you may have on you.” Poof!

Advantages: deterrence, speed, privacy, justice, and the objective of safe air transport is achieved.

No Real Solution Without Integration

Emergency Management Magazine (July/August 2010) has an article called “Life Savers” that describes how a convergence of new technologies will help protect and save first responder lives. These new technologies can track first responders’ location (“inside buildings, under rubble, and even below ground”) and monitor their vital signs and send alerts when their health is in danger.

There are numerous technologies involved in protecting our first responders and knowing where they are and that their vitals are holding up:

  • For locating them—“It will likely take some combination of pedometers, altimeters, and Doppler velocimeters…along with the kinds of inertial measurement tools used in the aerospace industry.”
  • For monitoring health—“We’ve got a heart monitor; we can measure respiration, temperature. We can measure how much work is being done, how much movement.”

The key is that none of the individual technologies alone can solve the problem of first responder safety. Instead, “All of those have to be pulled together in some form. It will have to be a cocktail solution,” according to the Department of Homeland Security (DHS), Science and Technology (S&T) Directorate that is leading the effort.

Aside from the number of technologies involved in protecting first responders, there is also the need to integrate the technologies so they work flawlessly together in “extreme real world conditions,” so for example, we are not just monitoring health and location at the scene of an emergency, but also providing vital alerts to those managing the first responders. This involves the need to integrate the ability to collect inputs from multiple sensors, transmit it, interpret it, and make it readily accessible to those monitoring the scene—and this is happening all under crisis situations.

While the first responder technology “for ruggedized vital-sign sensors could begin in two years and location tracking in less than a year,” the following lessons are clear:

  • The most substantial progress to the end-user is not made from lone, isolated developments of technology and science, but rather from a convergence of multiple advances and findings that produce a greater synergistic effect. For example, it clearly takes the maturity of numerous technologies to enable the life saving first responder solution envisioned.
  • Moreover, distinct technical advances from the R&D laboratory must be integrated into a solution set that performs in the real world for the end-user; this is when product commercialization becomes practical. In the case of the first responder, equipment must function in emergency, all hazard conditions.
  • And finally, to bring the multiple technologies together into a coherent end-user solution, someone must lead and many parties must collaborate (often taking the form of a project sponsor and an integrated project team) to advance and harmonize the technologies, so that they can perform as required and work together seamlessly. In the case of the first responder technology, DHS S&T took the lead to come up with the vision and make it viable and that will save lives in the future.

DHS OIG Report on My User-centric EA Implementation at the Coast Guard

Just learned of a new Department of Homeland Security (DHS) Office of Inspector General (OIG) Report documenting the significant progress of the Enterprise Architecture and IT Governance program at the U.S. Coast Guard, which I led up to and during the majority of the audit.

I am pleased at the recognized progress and at the terrific work that my team accomplished there–I am very proud of all of them!

Of course, there is more work to be done, but the right EA infrastructure has been put in place to accomplish the goals and objectives set out.

Here is the link to the report: http://sites.google.com/site/thetotalcio/Home/links/EAOIGReport-July2009.pdf?attredirects=0

“The Coast Guard has made progress in developing its enterprise architecture by defining its enterprise architecture framework [User-centric EA] in alignment with both federal and DHS architectures. In addition, its enterprise architecture is aligned with the Coast Guard’s IT strategy. These achievements have been possible because of executive support for the enterprise architecture effort.”

Secure Border Initiative and Enterprise Architecture

The enterprise architecture change process starts with requirements generation and management. Requirements become business cases and business cases become decision requests for new or changes to IT projects, products, and standards that go before the enterprise architecture board (EAB) and ultimately to the IT investment review board (IRB). The decision requests get vetted against the architecture for business alignment and technical compliance by the EAB. The IRB takes the findings of the EAB and also looks at return on investment and risk management. Approved changes to the IT environment get added to the enterprise architecture.

So mission-business requirements from the program sponsor/end user are the starting point for changes to the EA.

What happens though when requirements are unclear?

Obviously, if the requirements are unclear, then proposed changes to the enterprise are sort of like shooting in the dark, and the ability to develop viable technical solutions is a guessing game.

An article on Secure Border Initiative in National Defense Magazine, July 2008, demonstrated how the architecture does not add up, when the “Border Calculus” is a big question mark.

After 9/11, securing the border became a more publicized issue. With the formation of DHS, the Secure Border Initiative (SBI) was set up in 2005.

SBI is supposed to secure the border, okay. But secure it against what is the question. What are the requirements for securing it?

  1. Illegal immigrants—“For many Americans—especially these who don’t live near the border—illegal immigration is what prompts their calls for a beefed up border.” While some say that “the U.S. economy depends on cheap labor…others claim illegal immigrants are a drain on the economy.”
  2. Terrorism—“For the Department of Homeland Security, charged with protecting the nation, keeping weapons of mass destruction out of the United States is the priority.”
  3. Drugs—“for many who live north and south of the four states that border Mexico, the real threat is narcotics.”

Each of these purposes changes the equation. If the primary purpose for securing the border is to protect against a genuine threat of weapons of mass destruction, then some may argue for a highly secure border, one that is truly non-porous, without regard to cost. However, if the goals are more for controlling illegal immigration, perhaps a less perfect and less costly border security solution is acceptable. And if drugs are the issue, then maybe the money is better spent going after the source, rather than building fences that can be circumvented.

So understanding and building consensus on the true requirements are critical to developing a business case and a technical solution.

As it stands now, SBI is going in two directions:

  1. Physical fence—“to stop those on foot or on vehicles.” Estimates by the Congressional Research Service “say that maintaining those fences may cost up to $49 billion.” While critics say that these physical barriers “only delay an illegal crosser three to four minutes,” so is this worth it?
  2. Virtual fence—“Sensors, cameras, improved communication systems and unmanned aerial vehicles.” According to the article, “no one seems know how much it will cost to set up and maintain these high-tech systems throughout their lifespan.”

Additionally, “plans call for doubling the number of border patrol agents.”

I guess without a clear consensus on what we’re trying to accomplish, any solution will get us there or not. Isn’t this what an enterprise architecture is supposed to help with—establishing a clear roadmap or blueprint? Of course, but it’s got to start with the requirements generation process and with the business owners.