Tag Archives: encryption

January 27, 2017

Theresa and Trump’s new era: May prepares for historic day at the White House after landmark speech pledging an end to ‘failed’ wars wins her huge plaudits in the US

  • PM flew to Washington to prepare for today’s White House talks over a future UK-US trade deal post-Brexit
  • Earlier tore up 20 years of ‘failed’ liberal interventionist foreign policy when she spoke to politicians 
  • She said she predicted a close relationship with Donald Trump because ‘sometimes opposites attract’
  • But Mrs May also warned the U.K. could limit intelligence sharing if the new president reintroduces torture
  • Warned Trump to beware of Vladimir Putin and called NATO ‘the cornerstone of the West’s defence’

Theresa May arrived in Andrews Air Force base outside Washington DC late Thursday US time ahead of Friday’s crucial trade talks with President Trump

Theresa May is preparing for historic talks with Donald Trump after winning huge plaudits for a speech to top Republicans last night.

The PM and the President will lay the groundwork for a wide-ranging post-Brexit trade deal when they meet at the White House later.

Mrs May will also attempt to secure Mr Trump’s commitment to supporting NATO after calling it ‘the cornerstone of the West’s defence’.

The premier has enjoyed a storming start to her visit, with Republicans lavishing praise on her address to their conference in Philadelphia.

http://www.dailymail.co.uk/news/article-4161818/Theresa-rips-decades-Cameron-Blair-policies.html#ixzz4WxwycvOc

Chinese Government Engaged in ‘Holistic’ Cyber Effort to Infiltrate U.S. Industries

Experts call for review of policies to address uptick of Chinese investment in U.S.

Chinese President Xi Jinping / AP

January 27, 2017 4:59 am

The Chinese government is engaged in a systematic cyber-economic campaign across industries in the United States, according to expert testimony before a congressional commission.

Jeffrey Johnson, president and CEO of SquirrelWerkz, a company that analyzes these Chinese-affiliated campaigns, described them as a “holistic” attempt by the Chinese government to infiltrate information technology, finance, media, and the entertainment industry.

“These cyber-economic campaigns are persistent, intense, patiently executed and include the simultaneous execution of such a large and diverse set of legal and illegal methods, individuals and organizations, there’s little chance the targeted U.S. competitors can effectively defend or compete in the future without significant support of the U.S. government,” Johnson said in prepared testimony before the U.S.-China Economic and Security Review Commission on Thursday.

http://freebeacon.com/national-security/chinese-government-engaged-in-holistic-cyber-effort-to-infiltrate-u-s-industries/

Iraqi forces discover terrifying arsenal of weapons including mustard gas and dozens of aging rockets in ISIS arms warehouse

  • Iraqi soldiers say they found mustard gas among a huge cache of weapons
  • Pictures show rockets recklessly piled on top of each other by fleeing jihadists
  • Iraqi forces found haul of missiles in a warehouse in Mosul abandoned by ISIS

Iraqi forces say they have uncovered a terrifying arsenal of weapons including mustard gas at an ISIS arms warehouse in Mosul.

The weapons were found among dozens of rockets hidden in a storage unit in the city with Iraqi troops claiming the haul presented a ‘huge chemical threat’.

Pictures show officials examining piles of missiles which had been recklessly dumped on top of each other by fleeing jihadists.

http://www.dailymail.co.uk/news/article-4163946/Iraqi-forces-discover-mustard-gas-ISIS-warehouse.html#ixzz4WyRPVpK2

Mattis orders review of F-35, Air Force One programs

Defense Secretary James Mattis has ordered the Pentagon to review the F-35 fighter jet and Air Force One replacement programs following President Trump’s criticism of the costs, the Pentagon announced Friday.

“Yesterday Secretary Mattis directed separate reviews of the F-35 Joint Strike Fighter program and the Presidential Aircraft Recapitalization program,” Pentagon spokesman Navy Capt. Jeff Davis said in a statement. “The purpose of these reviews is to inform programmatic and budgetary decisions, recognizing the critical importance of each of these acquisition programs.”

Since winning the presidency, Trump has tweeted several times about the costs of the F-35 and the new Air Force One.

http://thehill.com/policy/defense/316535-mattis-orders-review-of-f-35-air-force-one-programs

Russia’s new MiG-35 fighter jet to use laser weapons

The commander of the Russian Air Force, Viktor Bondarev, stated that Russia’s state-of-the-art fighter jet MiG-35 would be able to use advanced weapons, including laser weapons.

“The fighter is designed specifically for combat activities in conflicts of high intensity and under conditions of strong air defence. The strong performance of the fighter jet has been achieved with the help of onboard equipment, new optical radar station and reduced radar visibility. We have increased the number of suspension points from six to eight, which allows to use current and future models of aircraft weapons, including laser weapons,” President of the United Aircraft Corporation Yuri Slusar told TASS.

Earlier, President Vladimir Putin witnessed the flight test of the new multipurpose fighter jet MiG-35. Putin observed the flight from the Kremlin, via live video connection.

“The Innovative multifunctional MiG-35 fighter has better performance characteristics. It is equipped with most modern weapons,” Putin said. “The aircraft can follow from 10 to 30 targets at a time. It can operate not only on the ground but also on the sea,” he added.

“This is a very interesting, unique machine indeed,” Putin said, pointing out the export potential of the fighter jet. 

Representatives of Russian Aerospace Forces said on January 27 that the entire fleet of lightweight fighters would be replaced with the latest MiG-35 combat aircraft. The chief of Russia’s Air Force, Viktor Bondarev, said during the presentation of the MiG-35 that the fighter jet will replace all light fighter aircraft.

 

http://www.pravdareport.com/news/russia/kremlin/27-01-2017/136730-mig_35_laser-0/#sthash.94yHREgi.dpuf

 

Democratic Leader Shuts Down Phones After Pro-Israel Supporters Go on Offense

Durbin deluged with calls urging him to stop blocking pro-Israel initiative

Senate Minority Whip Dick Durbin / AP

More than a thousand pro-Israel supporters from across the country bombarded the offices of Senate Whip Dick Durbin (Ill.) with phone calls, urging the Democratic leader to stop holding up a key congressional initiative to rebuke the United Nations following its recent action against Israel, according to sources familiar with the situation.

Durbin’s offices in Washington, D.C., and Chicago were so overwhelmed by phone calls that staffers were forced to take the phones off the hook for a short time, sources told the Washington Free Beacon.

http://freebeacon.com/national-security/democratic-leader-shuts-phones-pro-israel-supporters-go-offense/

Kremlin says Putin-Trump call set for Saturday

MOSCOW (AP) — The Kremlin says Russian President Vladimir Putin is set to speak by phone with U.S. President Donald Trump over the weekend.

Putin’s spokesman Dmitry Peskov said Friday that the conversation is set for Saturday, according to Russian news agencies. Putin congratulated Trump on his victory shortly after his election, but the Kremlin says they haven’t spoken since then.

http://www.washingtontimes.com/news/2017/jan/27/kremlin-says-vladimir-putin-donald-trump-call-set-/

FBI sees bomb threats to JCCs as hate crime, not terrorism

Calls targeted over 30 Jewish community centers in 20 states in January, but in no case was a bomb found

A complex in Wilmington, Del., housing four Jewish organizations was evacuated after receiving a bomb threat. (Courtesy of Siegel JCC in Wilmington)

WASHINGTON — The FBI is investigating a rash of bomb threats to Jewish community centers as a hate crime and not a terrorist threat.

Agents briefed Jewish community leaders across the country through a call Thursday organized by the Anti-Defamation League.

The agents said the calls targeted over 30 JCCs in 20 states this month and in no case was a bomb found. The FBI does not view the calls as a terrorist threat, the agents said, and they are being investigated by the bureau and the Justice Department as a hate crime.

Classifying the investigation as a hate crime facilitates federal involvement in tracking the offender or offenders through additional funding and technical assistance provided to state and local authorities. The agents did not say which if any federal criminal statutes would apply. There are federal penalties of up to five years for bomb hoaxes, and 20 years if serious injury results because of the hoax.

http://www.timesofisrael.com/fbi-sees-bomb-threats-to-jccs-as-hate-crime-not-terrorism/

Merkel Cabinet Reshuffled as Social Democrats Position for Vote

  • Sigmar Gabriel replaces Steinmeier as foreign minister
  • Zypries, former justice minister, becomes economy chief

Social Democrat Sigmar Gabriel became Germany’s new foreign minister on Friday as Angela Merkel’s junior coalition partner prepares to take on the chancellor in September’s election.

Gabriel this week ceded his party’s candidacy for the September election as well as the SPD party chairmanship to Martin Schulz, the former European Parliament president who polls show has a better chance against Merkel. Gabriel succeeds party colleague Frank-Walter Steinmeier, who is the governing coalition’s choice to be elected Germany’s president in a special election next month.

The reshuffle among Social Democrats comes as the party looks to boost its fortunes against Merkel, whose Christian Democratic-led bloc remains well ahead of the SPD in every poll. Merkel and Schulz were tied at 41 percent in an ARD poll this week that asked who Germans would vote for if the chancellor were to be directly elected rather than appointed by the majority party.

https://www.bloomberg.com/news/articles/2017-01-27/merkel-cabinet-reshuffled-as-social-democrats-position-for-vote

Gambians celebrate new president’s arrival after veteran ruler flees

By Lamin Jahateh

BANJUL (Reuters) – Thousands of people lined the streets of Gambia’s capital Banjul on Thursday to welcome home new President Adama Barrow days after authoritarian leader Yahya Jammeh fled into exile under pressure from regional forces.

Barrow, a former real estate agent, won a Dec. 1 election but Jammeh refused to step down, forcing his opponent to be inaugurated at the Gambian Embassy in neighbouring Senegal.

Clad in a long white African tunic, Barrow smiled as he stepped out of a small plane and walked down a red carpet to greet hundreds of diplomats and officials lined up to greet him. Immediately afterwards, fighter jets from the West African ECOWAS regional force passed overhead.

“A new page in Gambian history is being turned,” said Mohamed Ibn Chambas, U.N. Special Representative for West Africa and the Sahel, who helped negotiate Jammeh’s exit, shortly before accompanying Barrow to Banjul.

https://www.yahoo.com/news/gambians-celebrate-presidents-arrival-veteran-ruler-flees-071045388.html

  • Prioritize two groups from the Middle East: those who have worked for the U.S. military as translators (and their families); and Middle East Christians who, according to then-Secretary of State Kerry, were being subjected to genocide in Syria and Iraq.
  • In 2008, Congress authorized 20,000 special visas for Iraqis who served the U.S. for a year or more; and in 2009, authorized 7,500 visas over seven years for Afghan translators. The idea was to get allies who had risked their lives for American troops out as quickly as possible, but thousands have waited for years.
  • Iraq and Afghanistan are countries in which being tagged as helpful to the U.S. military can be, and has been, a death sentence. And worse, in July 2016, an extension of the visa program failed to make it out of the Senate.
  • Of the 10,801 refugees accepted in fiscal 2016 from Syria, only 56 (0.5 percent) were Christian.
  • Making a concerted effort to bring those two desperately threatened groups to the United States would meet our commitment to the translators, give concrete expression to our revulsion at genocide, protect the interests of the American people, and ensure that America remains hospitable to immigrants and refugees.

    https://www.gatestoneinstitute.org/9848/immigration-translators-genocide

Geneva talks on Syria postponed, Russia says

Russia announces delay in UN-sponsored Syria talks as it hosts opposition politicians in Moscow.

The UN-hosted negotiations on the Syrian conflict planned for February 8 in Geneva have been postponed until the end of that month, Russian Foreign Minister Sergey Lavrov has said.

“The date of February 8 has been put back until the end of next month,” Lavrov said at a meeting on Friday with Syrian opposition groups in Kazakhstan that ended on Tuesday without a major breakthrough.

http://www.aljazeera.com/news/2017/01/geneva-talks-syria-postponed-february-170127074042644.html

 

Tulsi Gabbard’s Fascist Escorts to Syria

The Democratic congresswoman used affiliates of a violent, anti-Semitic political party to take tea with Assad.

Tulsi Gabbard, the self-styled “progressive” Hawaiian congresswoman makes no secret of her recent trip to Damascus to meet Bashar al-Assad. But, as an outspoken opponent of what she presents as America’s pro-terrorist foreign policy, Gabbard certainly accepted some strange companions on what her fellow lawmakers are calling a disgraceful reputation-laundering tour of a bloody dictatorship.

Gabbard, as her own office has disclosed, took her “fact-finding” trip with a delegation of two men who are affiliated with an anti-Semitic political party accused of using female suicide bombers; of beating up Western and Arab journalists; helping U.S.-designated terrorist organization Hezbollah and the U.S.-sanctioned Syrian regime wage war in the Levant.

And did we mention the party’s ideology and flag take their inspiration from Nazism?

Gabbard initially declined to say who financed her trip to Syria. However, in a press release Wednesday Gabbard revealed her delegation (which also included former Democratic Congressman Dennis Kucinich) had been “led and sponsored by” an outfit called the Arab American Community Center for Economic and Social Services (AACCESS—Ohio). Her statement added she and the rest of the delegation had been accompanied by two men, Elie and Bassam Khawam.

http://www.thedailybeast.com/articles/2017/01/26/democratic-congresswoman-used-affiliates-of-a-violent-anti-semitic-political-party-to-take-tea-with-assad.html

What Are China’s Stakes in Syria?

In late January, the Chinese government received important news from Syria. Pentagon Spokesman Captain Jeff Davis said, “U.S. manned and unmanned aircraft conducted a precision air strike Jan. 19 against an al-Qaeda training camp in Idlib Province, Syria. More than 100 al-Qaeda fighters were killed in the strike.”

Many of those killed were Uighurs of the Turkestan Islamic Party, who fought under the wing of Jabhat Fateh-al-Sham (JFS). According to Thomas Joscelyn, a senior fellow at the Foundation for Defense of Democracies, during the U.S. bombing of an al-Qaeda training camp in Syria a Uighur jihadist known as Abu Omar al-Turkistani was killed. …

http://thediplomat.com/2017/01/whats-are-chinas-stakes-in-syria/

 

Kurds Pleased to See Syria Drop ‘Arab’ From Official Title in Draft Constitution

A member of the Democratic Union Party said that Syrian Kurds welcome the exclusion of the word “Arab” from the “Syrian Arab Republic” title in the Russian draft of the Syrian constitution.

MOSCOW (Sputnik) – Syrian Kurds welcome the exclusion of the word “Arab” from the “Syrian Arab Republic” title in the Russian draft of the Syrian constitution, a member of the Democratic Union Party (PYD) said Friday.

“There are some very positive suggestions among those made by Russia. It includes the removal of the word ‘Arab’ from the Syrian title, so that it reads ‘Syrian Republic’ instead of ‘Syrian Arab Republic’,” Khaled Issa told Sputnik.

https://sputniknews.com/middleeast/201701271050061255-syria-kurds-constitution/

Translators who worked for the US military in Iraq wonder if their American dream is slipping away

President Donald Trump’s talk about suspending the flow of refugees into the US hit Farah Marcolla hard.

The Iraqi linguist who worked side by side with US troops in Baghdad put her life on the line for America’s war effort.

Now her family is in danger back in Iraq, and she fears her efforts to get them to safety in America are all but doomed.

 

“I’m scared. The chance to see my family reunited again is very slim now,” she says.

“People like me and my family who helped and supported America, I believe we should be reunited. The history of the United States is to support people and help them, not to separate the families.”

https://www.pri.org/stories/2017-01-26/translators-who-worked-us-military-iraq-wonder-if-their-american-dream-slipping

  • The German experience with jihadists posing as migrants serves as a case study on errors for other countries to avoid. German authorities allowed hundreds of thousands of migrants, many lacking documentation, to enter Germany without a security check. German authorities admitted they lost track of some 130,000 migrants who entered the country in 2015.
  • German authorities knew in early 2015 that Walid Salihi, an 18-year-old Syrian who applied for asylum in Germany in 2014, was recruiting for the Islamic State at his asylum shelter in Recklinghausen, but they did nothing.
  • Anis Amri, the Tunisian jihadist who attacked the Christmas market in Berlin, used at least 14 different identities, which he used to obtain social welfare benefits under different names in different municipalities.
  • “We have probably forgotten to take into account what political opponents such as the Islamic State are capable of doing and how they think.” — Rudolf van Hüllen, political scientist.

https://www.gatestoneinstitute.org/9837/germany-migrants-jihadists

Hillary Clinton is estimated to have collected 81 percent of noncitizen votes, which may have helped her carry a state, a researcher says. (Associated Press)

Trump argument bolstered: Clinton received 800,000 votes from noncitizens, study finds

– The Washington Times
Hillary Clinton garnered more than 800,000 votes from noncitizens on Nov. 8, an approximation far short of President Trump’s estimate of up to 5 million illegal voters but supportive of his charges of fraud.

Political scientist Jesse Richman of Old Dominion University in Norfolk, Virginia, has worked with colleagues to produce groundbreaking research on noncitizen voting, and this week he posted a blog in response to Mr. Trump’s assertion.

Based on national polling by a consortium of universities, a report by Mr. Richman said 6.4 percent of the estimated 20 million adult noncitizens in the U.S. voted in November. He extrapolated that that percentage would have added 834,381 net votes for Mrs. Clinton, who received about 2.8 million more votes than Mr. Trump.

http://www.washingtontimes.com/news/2017/jan/26/hillary-clinton-received-800000-votes-from-nonciti/

Political World Embraces Encrypted-Messaging App Signal Amid Fears of Hacking

Aides close to President Donald Trump, Hillary Clinton use app as memory of Wikileaks scandal lingers

Former New York City Mayor Rudy Giuliani says he has had the Signal app for a few weeks. The app, which lets users send encrypted messages, is gaining popularity in the political world amid fears about hacking and surveillance. PHOTO: EUROPEAN PRESSPHOTO

MARA GAY

Signal, a smartphone app that allows users to send encrypted messages, is gaining popularity in the political world amid rising fears about hacking and surveillance in the wake of a tumultuous election year.

Political aides close to President Donald Trump, former President Barack Obama and former Secretary of State Hillary Clinton are users. So are some close to New York Gov. Andrew Cuomo and New York City Mayor Bill de Blasio.

Some say the legion of political types has a singular goal to avoid a repeat of the WikiLeaks scandal, in which the emails of Mrs. Clinton and her closest allies were dumped onto the internet.

http://www.wsj.com/articles/political-world-embraces-encrypted-messaging-app-amid-fears-of-hacking-1485492485

 

Iraqi troops find over 100 priceless Assyrian artifacts plundered from ancient ruins hidden under the home of an ISIS leader in Mosul

  • Assyrian artifacts have reportedly been found under the home of an ISIS leader
  • It is believed they were plundered from ancient city of Nimrud and ruins there
  • The ancient artifacts including clay pots and pottery are said to be priceless 
  • City of Nimrud had been under control of ISIS but was liberated late last year 

The ancient clay pots and vases are believed to have come from the Nineveh ruins as well as Nimrud, which has been reduced to ruins by the terror group.

Nimrud had been under the control of ISIS from 2014 but it was recaptured by Iraqi forces in the battle for Mosul in November.

More than 100 priceless Assyrian artifacts, pictured, that were snatched from ancient ruins in Iraq have reportedly been found hidden under the home of an ISIS leader in Mosul.

Among the artifacts found were said to be a dozen clay pots, large vases, pottery, a hand mill and other small pieces

Now, the Telegraph has reported that Iraqi authorities have stumbled upon the priceless items while searching a house in the Az-Zirai neighbourhood in the east of Mosul after the ISIS commander claimed he was a civilian.

http://www.dailymail.co.uk/news/article-4163556/Priceless-artefacts-home-ISIS-leader.html#ixzz4WygmqCDB

There’s Something Very Weird Happening Inside Russia’s Cybersecurity World

Sheera Frenkel

A series of surprising arrests of some of Russia’s top cybersecurity figures has left international cybersecurity officials and analysts wondering whether Russia is cleaning house of suspected spies, or going through an internal shakeup of the FSB, Russia’s national security service.

At some point in December, Ruslan Stoyanov, a well-respected researcher with the Moscow-based Kaspersky Lab, and Sergei Mikhailov, head of the FSB’s Center of Information Security, were arrested by Russian police as part of what Russia’s Kommersant newspaper described as a probe into possible treason. No date of arrest has been made public, though Kommersant reported that Stoyanov last logged into his private social media account on December 4, and Mikhailov on December 5. The Moscow-based Novaya Gazeta newspaper cited sources as saying Mikhailov was arrested during a meeting with other FSB officers in Moscow, and was taken from the room with a sack over his head.

On Thursday, REN-TV, a privately-owned TV channel in Russia, said a second FSB officer had also been arrested in December. They identified the man as Major Dmitry Dokuchayev, and reported he had served under Mikhailov in the Center for Information Security. In another indication that Russia was seeing a high-level shakedown at the FSB, Kommersant reported that on January 13, the director of the Center for Information Security, Andrei Gerasimov, was fired. He was described as having close ties to cybersecurity companies, including Kaspersky Lab.

Kaspersky Lab confirmed that Stoyanov was under investigation for activity during a period predating his employment at the company, and added, in a public statement, “We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

Stoyanov’s LinkedIn page lists his previous employer as the Ministry of the Interior’s Cyber Crime Unit.

http://www.cnbc.com/2017/01/27/theres-something-very-weird-happening-inside-russias-cybersecurity-world.html

Alleged hacker held in Prague at center of ‘intense’ US-Russia tug of war

Yevgeniy Nikulin faces extradition requests from both countries amid lingering disquiet over Moscow’s alleged interference in the US presidential election

Yevgeniy Nikulin was charged with offences relating to the hacking of computer networks belonging to LinkedIn, Dropbox and Formspring. Photograph: YouTube

An American Solution to Cyber Insecurity

If Donald Trump wants to take one important, indeed, vital step he will create a well-funded new Cyber Security Agency that is free of NSA and other deeply compromised interests.

by Stephen Bryen

The possible solution to escalating cyber insecurity has been staring us in the face for a long time. But the road has not been taken because most companies that manufacture electronics today build the stuff in Asia, primarily in China. This has created an unprecedented risk, because China is not at all averse to bugging just about any product they can get their hands on. Consequently everything from computers, cameras and routers to flash memories and smart TVs is a potential target for the Chinese government to exploit.

But, as any half decent cyber expert can tell you, when you put a backdoor, or a bot, or just a hole in the code, once discovered it can be exploited by almost anyone smart enough to find it.

This is exactly what NSA has been doing for years, as leaks by Edward Snowden have shown in a conclusive manner, by presenting NSA’s PowerPoint presentation of how it has bugged just about everything.

But what may be good for the spying community is not good for national security. It leaves the entire critical infrastructure of the United States – power systems, communications, military, government, transportation, water and food supply – vulnerable to attack. It is well known that foreign entities have been targeting the critical infrastructure, carrying out many “dry runs” and also stealing sensitive information of all kinds – personnel records, medical information, law enforcement data, designs for vital defense systems, nuclear secrets – the list has no end.

This is because cyber policy is made by NSA, and that is a big problem. NSA cannot be the guarantor of security and insecurity at the same time. If Donald Trump wants to take one important, indeed, vital step he will create a well-funded new Cyber Security Agency that is free of NSA and other deeply compromised interests.

So let’s say President-elect Trump agrees to support a new Cyber Security Agency. What will it do?

Security is only possible with trusted systems; it is impossible if the systems are made up of commercial off-the-shelf (COTS) products.

Starting in the mid-1980s the Pentagon began shifting procurement wherever possible in favor of COTS. There were immediate benefits: better technology, more rapid product evolution and lower procurement cost. The US government followed the Pentagon model, and today virtually every department and agency, from the CIA to Agriculture, from Homeland Security to the Army, from Health and Human Services to Social Security, uses COTS. That is why all of them have been targets for hackers.

The threat is in two major dimensions: the ability to shut down and kill systems, or fill them with false information; and the ability to steal just about all the information the government holds, from tax returns to the design of stealth aircraft.

No one has yet been able to make any government or critical infrastructure system secure or safe. In fact, all the evidence points exactly in the opposite direction: attacks on systems have grown exponentially and the time it takes to know a system has been compromised has grown from a few minutes to months, even years. Thus the free bonanza of sensitive information and American technology is stolen with brazen ease. In short, cyber security is a total failure.

The new Cyber Security Agency needs to change the paradigm to have any chance to fix the problem.

The first thing to know is that COTS cannot be the source of any solution.

COTS today is

  1. designed through a globalized process where the work can be done on any continent and by teams of designers who speak different languages and have different interests and pressures;
  2. even when developed on US soil, there is considerable risk because the employees are recruited from all over the world and many are here on special visas and are not citizens;
  3. there is considerable use of so-called open source solutions because most of them are free; but open source is done by international groups with no accountability, one of the reasons the infamous Heartbleed bug ravaged US systems;
  4. hardware is manufactured abroad with a majority of the equipment and parts produced in China;
  5. even reliable Asian producers such as Taiwan, Japan and South Korea outsource much of their product manufacturing to China and use low-cost Chinese engineers and technicians for design work and production.

A Cyber Security Agency needs to develop and support a new approach that would

  1. Develop a new generation of product – hardware, firmware, software – for use by the US government, military and trusted parts of the critical infrastructure;
  2. Use only vetted Americans to execute the designs;
  3. Manufacture only in the United States in secure facilities owned by Americans;
  4. Build a system that works on recognized security principles, is compartmented, and is available to users only on a need-to-know basis (no Snowdens);
  5. Use multilayer encryption throughout the system and for all kinds of information, not just so-called classified or sensitive information;
  6. Apply the new technology to computers, computer networks and SCADA controllers.

Obviously the new systems would not use any open source code. The system would be triple redundant to guard against any failure (today’s systems are generally not redundant). The government will have to estimate the risk of using cloud-based computing, and any cloud system authorized has to be under US government control and not shared with any cloud users who are not authorized and not part of the government, military or critical infrastructure.

The above steps would move quickly so that in as little as 5 years the entire government and critical infrastructure cyber systems can be replaced.

The Cyber Security Agency will be responsible for creating the hardware, firmware and software.  Funding needed is anticipated to be in the $3 to $5 billion range (not counting procurement of new platforms and ancillary equipment by agencies).  The development cost is thought to be less than what today is being spent by the government on failed cyber security solutions.

The Cyber Security Agency will also be responsible to recommend to the President retaliation against malefactors at home and abroad.  In the case of hacking attempts in the United States, it is proposed that the criminal part of the law be substantially strengthened and the Justice Department and FBI encouraged to prosecute those attempting to hack US systems.  In every case, the charges against wrong doers would be Federal charges, and the punishment would be served in Federal prisons.

In regard to foreign-generated attacks on the government, military or critical infrastructure there are two important principles: (1) without exception the government of a foreign country where a cyber attack originates will be held responsible for the attack and the US will demand that the perpetrators be arrested and extradited to the United States; (2) where a foreign country refuses to cooperate, the full range of retaliation against the institutions of that government can be recommended by the Cyber Security Agency to the President.

This is superior to the current system which apparently relies on a Pentagon-created approach called Plan X.  There is little or no public evidence that Plan X has been useful or effective.  The Pentagon should certainly have the capability to execute orders to retaliate from the White House, but the recommendation should initially come from the Cyber Security Agency and be agreed by the National Security Council and the President.


Regulating Encryption: Can it be done? Yes.

by Stephen Bryen

NIST Scanner

The Director of the FBI, in a warning to Congress, points out that ISIS is now using encryption to mask messages it is sending to thousands of Americans favorable to the ISIS cause, exhorting them to kill military and police and other hated targets. He, along with others in the Obama administration, is urging “Silicon Valley” to consider building backdoors into encryption products they sell so that law enforcement can tap encrypted phones or computers and properly “do its job.”

But the question is, is there a practical solution?

I have been in the encryption business, or more clearly I have built commercial products that use encryption. In the early 1990’s I founded a company called SECOM (for Secure Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was very popular and we built our product to run on PC’s running MS-DOS or Windows. And because computers were slow, we built a little plug-in computer card which did the actual encryption and decryption work.

Then the fun began. NSA did not like our solution because it was too hard to crack, so they “recommended” reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money), we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.

It was a bad outcome for us. And, as we pointed out at the time, because we used hardware and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the product.

What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board.

NSA and its counterpart the National Institute of Standards and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government “customers”; on the other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad.

It may seem odd, therefore, that the government is worried about encryption if it is also facilitating its development and export.

We can add to that the known effort by NIST to publish a random number generator for so-called elliptical curve encryption, a generator that was found to be buggered. The buggered product found its way into corporate security systems in the US and around the world.

The latest alarm in our government is more a consequence of the embarrassing and dangerous leaks by Edward Snowden than anything directly to do with ISIS. Terrorists have been using encryption for a number of years, and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United States develop and sell a wide range of security products that use encryption. And the “Dark Web” on the Internet is also a source of supply for covert type programs and applications.

My own thought is that the government is trying very hard to cut a deal with Snowden so that he will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know.

Whatever the case, the availability of encryption on a global scale seems to suggest that trying to control it is a futile exercise. But that is what the government is saying. So the question is what can the government actually do to mitigate the situation?

Many in Silicon Valley (and here we are talking about most of the really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes, or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a long time, but it brings with it two risks: either the “security” is so weak as to be meaningless, pushing users to outside solutions or the backdoor or hole in the system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of escalating exponential cyber attacks on our government and on corporate America, this “solution” is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.

An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly exists today in the form of network sniffers and scanners.

A modified form of the no encryption approach is to allow encryption only on authorized devices that US industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980’s when I dealt with export controls.

The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt their business performance.

The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so called “PRE” benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.

Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners.

I think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement’s job to put them out of business here. And it is the job of the DOD and CIA to shut them down beyond our borders.

Above all else it is vastly important to make America safe, and it is vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese.

Let’s hope we can arrive at a sensible solution to security for America.


What Happened to Snowden’s Files

The London Sunday Times reports that Britain and the US have pulled agents out of China and Russia because information contained in encrypted files stolen by Edward Snowden has been decrypted.

“His documents were encrypted but they weren’t completely secure and we have now seen our agents and assets being targeted,” a source told the Sunday Times.

What can we understand from this disclosure?

Here are a few thoughts:

  1. There is little doubt that Edward Snowden’s disclosure of highly classified information has been immensely damaging to US and British intelligence gathering, setting aside the latest allegation.  Techniques of modern spying have been extensively exposed making intelligence gathering much more difficult if not impossible in some cases.  The bottom line is that Snowden caused harm to the national security of both countries and also to the friends and allies of the US and Britain.
  2. Snowden’s access to such a wide range of sensitive intelligence while he worked as a contractor to the US government makes clear that most of the standard rules of protecting classified information were not followed and that this sloppiness and poor administration made possible the bulk of Snowden’s criminal activity.  Above all, compartmentalization of classified information, essential to minimize an insider threat, was not properly implemented.
  3. If government files contain the names of spies and agents then our intelligence collection system is badly broken (notwithstanding Snowden), since putting this information into accessible files revealing sources and methods is an incredible systemic blunder.
  4. The idea that a contractor would have access to files containing lists of agents and spies is unimaginable.  It is impossible to be sure that it truly happened, but the statements by highly placed “sources” that this occurred are truly frightening. By now anyone connected with assisting Western intelligence has to be on the run.
  5. Cracking encryption codes takes super computers and a lot of effort especially if files are encrypted with large key sizes and use advanced secret encryption algorithms. The chance of breaking such code is very small even if a potential adversary has unlimited resources to go against the problem.
  6. A related possibility is that key materials were handed over by Snowden or by others to the Russians, Chinese or both.  This is what happened in the John Anthony Walker, Jr. case. He was a United States Navy Chief Warrant Officer and communications specialist convicted of spying for the Soviet Union from 1968 to 1985.  Walker gave the Russians key material enabling them to descramble US Navy coded messages.  Walker exposed a lot of sensitive information because many State Department and DOD messages were passed on through to the Navy and hence were exposed.
  7. There is also the possibility, not to be discounted, that no such compromise of encrypted information has happened but that the story has been leaked to cover up other spying operations that may have been compromised.  The evidence?  It seems a little far fetched that the government would keep any list of its spies and agents in one place, or even put such information into digital files in the first place.  But if there was a mole in one of the spy agencies, the mole could have got this information.  Saying it was Snowden’s fault could have been a motive on either side of the fence: that is, it could have been the Russians or Chinese putting out a false story to hide their mole or moles; it could have been the British or U.S. intelligence putting out a story to cover revealing an inside threat they have fingered.  At the moment the best that can be said is that there is a state of alarm in US and British intelligence and they are deeply concerned about their assets (agents) being rolled up by the Chinese and/or Russians.
  8. Finally there is the possibility that the reports about pulling agents out of harm’s way are false and that all of this is an attempt to do more damage to Snowden.  I don’t believe this to be the case, however, because putting out an alarm of this kind would automatically damage all the secret relationships the intelligence community has with its operatives.
  9. If encrypted files were compromised then it is vital to find out how. There are a number of serious cryptographers in the United States and the UK who need to be brought in to determine whether US and UK secret encryption is properly implemented.  It would be an error to rely solely on the suppliers of encryption materials or in-house experts.  An objective evaluation is an urgent task.
  10. While we should assume that the glaring mistakes of managing secret intelligence have already been fixed, procedures and methods need another look by qualified experts who are independent and objective. It is frightening to think that our national security is still at risk.

Encryption is Only Half the Story

By Stephen Bryen

There is growing enthusiasm and interest in encryption for smartphones and tablets in order to protect privacy.  But encryption is only half the story, and probably not the most important half.  What really matters is platform security.

A smartphone is a powerful computer and communications tool harnessed to a number of radios that link to the outside world.  Those radio links can be compromised fairly easily.  People worry about how they can keep their phone calls secure and private and are looking at alternatives such as secure phone apps.

A secure phone app encrypts the connection between one phone and another. In some cases the encryption works in a phone-to-phone scheme; in others the encryption and connections are managed by a server.  Either scheme can deliver some security for phone calls.  Elaborate setups with servers can also try to protect emails and text messages.  While encryption folks promise a lot, there are two main pitfalls to using encryption that are not so well understood.

The first pitfall is that a determined adversary, such as a competitor or enemy or government agency, can bypass your encryption without too much effort.  That is to say, any of these intruders can install spyware on your phone.  Spyware can record your conversation or transmit it whether or not you are using encryption.  That’s because your microphone and cameras are accessible to programs that might be secretly running on your phone, having been put there by the intruder. In these circumstances you may think that you are protected, but you are not, and your risk is even greater since you are unlikely to be cautious and circumspect in what you say on your phone.

The second pitfall is that the platform’s vulnerability will be there with encryption installed, meaning that offline conversations can be “overheard” by an intruder without you knowing it.  This kind of malware is generally sophisticated and difficult to detect, making matters worse.  Think about it: you are in a meeting in your office and every word is being recorded secretly and will be sent over the internet to an intruder without you knowing it.  This can give a spy or competitor a tremendous amount of sensitive information.  He can use it for commercial advantage, or to bribe you or your colleagues, or sell it to other parties.

Encryption does not help against either Pitfall #1 or Pitfall #2.

Some people think the best thing to do is to turn off one’s phone when serious conversations take place.  To be sure, there are few people who actually do this, because they are always waiting for some phone call or text message to arrive. They “need” the information fix that the smartphone promises to give them on a minute by minute basis.

Even worse, turning off a phone does not really mean that it is safe. There are good quality spyware tools that can turn your phone back on without you knowing it.  The screen won’t illuminate, but the phone’s microphones will be on and the phone can record and stream out information.  One tip off that the phone might be so infected is that it seems oddly warm, even hot when you pick it up.

Are there solutions that can protect a phone’s platform and avoid the two pitfalls?

I will be talking about that in my next column.


Intelligence Agencies Are Happy As Clams Thanks to Heartbleed “Bug”

The Heartbleed “bug,” which has affected millions of computer systems and countless hardware devices ranging from telephones to video conferencing systems to routers and firewalls, was the result of work done by a German software developer named Robin Seggelmann. Seggelmann says it was a coding error that caused Heartbleed, and the error was not “caught” by an auditor inside the Open SSL Project. Open SSL is the security code that is widely used by industry to support encrypted connections on the Web, and to manage encryption on everything from wireless telephones to Cisco routers.

At the time of this writing, we do not know the full “team” who produces the Open SSL software.

The Open SSL Project works on a voluntary basis. Its headquarters is in Maryland but, according to their own description, the participants are on three continents and cover 15 time zones. If there are “rules” regarding membership in the Open SSL project, they are not transparent to the outsider.

The theory behind Open SSL is that if you gather together the “best” community of programmers to tackle a hard problem, you will get the best result that benefits everyone. Underlying this is a sort of philosophical notion that people in the “community” join together out of good will, and everything they contribute will be based on pure altruism. The Open SSL project is by far not the only community-based programming project.

In his interview with the London-based Telegraph newspaper, Seggelmann admits “it was possible that the US National Security Agency (NSA) and other intelligence agencies had used the flaw over the past two years to spy on citizens.”

There is no reason to suppose that intelligence organizations would not have discovered the bug in their routine scanning of the Internet.*** Today the Internet carries much more than data traffic; it is increasingly how telecommunications are managed. The fact that we now know that some of the top VOIP (Voice Over Internet Protocol) telephone systems made by Cisco are infected with the “Bug” makes this crystal clear. You can add to this a large number of Cisco routers (the world’s most popular router system), video conferencing systems, multiple servers used to manage communications traffic, and even firewalls that protect internal networks.

While a good deal of focus has been put on the NSA, thanks mainly to the leaks and revelations coming from Edward Snowden, the truth is that intelligence agencies around the world try to spy on just about everything they can. The British, French, Germans, Italians, Russians, Chinese, Israelis, Iranians and many others have built massive capabilities. It would be foolish to think they are not taking advantage of damaged encryption systems such as Open SSL.

In short, there is a big possibility that, aside from causing untold computer damage, people may have lost their lives because of the Open SSL “Bug.” Say you were an Iranian dissident and you sent what you thought was a secret message to your compatriots. The knock on the door comes, and the Iranian government arrests you and accuses you of being an Israeli spy. You know the rest.

There is also clearly a link between some foreign intelligence organizations and general criminal activity. Anytime money is involved in spying, as is the case with the Open SSL breach (which affects credit card transactions, banking and other forms of trading information), some intelligence agencies and their criminal colleagues exploit the opening to make money, lots of money. For years we have been watching the Russian mafia carry out these exploits and attack banks in the U.S. and elsewhere in the world. How much they have stolen is anyone’s guess, because banks don’t like to let on about their security failures.

A critical question is why anyone would rely on a misty group of international volunteers for security? Keep in mind that one of the sponsors of the Open SSL is the U.S. Department of Homeland Security! (Whoever in DHS supported this endeavor ought to find work elsewhere.)

An additional problem today is that the agencies we rely on domestically for security, NSA and NIST (the National Institute of Standards and Technology), have themselves been caught bugging security codes so they could exploit computers and communications globally, including the PC’s, tablets and phones of Americans. NSA’s and NIST’s bugging activity has compromised them fatally.

Today in the United States we lack an independent security agency that can provide guidance on security for Americans, public and private. Thanks to NSA and NIST the U.S. government has thoroughly bugged itself, as well as everyone else. A critical task for Congress, aside from investigating the various NSA escapades, is to come up with a new, independent government organization that supports security for Americans.  The Agency should have nothing to do with spying and should be prevented by law from cooperating with spy agencies.

 

***Bloomberg is now reporting that NSA exploited the Open SSL bug for two years.


Bitcoins, Privacy and Democracy

By Stephen Bryen

[NEW UPDATE MARCH 1, 2014: The AP reported today as follows: “The Mt. Gox bitcoin exchange in Tokyo filed for bankruptcy protection Friday and its chief executive said 850,000 bitcoins, worth several hundred million dollars, are unaccounted for.”  This follows the mysterious end of the British Bitcoin exchange which seems to have stopped functioning.  Bitcoin investors have no recourse.]

[Update: Norway and China say that Bitcoins are not a legal currency.  In addition,  now the largest Bitcoin exchange in China will no longer allow customers to use the Yuan to buy Bitcoins because of pressure from the Chinese government and from the Central Bank of China.  The Wall Street Journal says that Bitcoins have lost half their value in the past few weeks.]

Bitcoins are much in the news these days.  Described as a “virtual currency” the value of Bitcoins has risen precipitously, and dropped in value as abruptly as the Bitcoin has earned value.  Bitcoins are the subject of a number of books and tons of articles.   The “virtual currency” has been described as an alternative currency that, because it is based on computer networks and secrecy achieved through heavy encryption, protects privacy and offers an alternative “libertarian”  currency solution.

While the Bitcoin may be a “virtual currency” its main characteristic is that it is a non-state currency.  In this connection, the Bitcoin shares some characteristics with gold, silver, diamonds and other fairly portable commodities that can be used for exchange.  The difference is that while gold and silver are often manipulated by governments who hoard these materials, Bitcoins are not, so far at least, under any government control.

Bitcoins appear on the scene at an unusual moment in time.  The currencies of democratic countries are in decline and significant value has been lost over the last decade or two.  This has happened because governments, who issue these currencies, have been spending far more than they have in income and have used methods such as “quantitative easing” to temporarily keep them solvent.  Quantitative easing is just a semi-sophisticated way of printing more money.

Complicating the picture is the unique situation involving the Euro, which is the European currency that replaced the national currencies of France, Germany, Spain, Italy, Greece, Portugal, Luxembourg, Austria, Finland, the Republic of Ireland, Belgium, and the Netherlands in 2002.  The Euro temporarily “solved” the currency problem in the weaker European countries (e.g., Italy, Greece, Portugal, Spain etc.) by putting in place a strong currency dominated by Germany and by European banking and lending institutions and organizations. Weaker states, without the ability to print more of their own currency, still were able to keep spending by floating loans to cover some of their deficits.   Today these countries, foremost among them Greece and Spain, face the precipice because the lenders now want fiscal discipline in exchange for loan relief. The social, economic and political costs of the previous ten year Euro-ride are spawning a deep reaction including the rise of neo-fascist, sometimes violent, political groups.

The Bitcoin, which works through networks of computers and uses encryption, was designed to get around state-run currencies and to avoid state demands, especially taxation.  Transactions in Bitcoins are anonymous and it is said to be nearly impossible to discover who owns Bitcoins and how many Bitcoins are held by Bitcoin buyers, many of whom are investor-speculators.

Most certainly there will be political problems with Bitcoins as nation states fight to get some control over Bitcoins.  China has banned its financial institutions from handling Bitcoin transactions, the first major move to regulate Bitcoins which is becoming popular with Chinese entrepreneurs seeking to get out from under the control of the Communist state. For Chinese Bitcoin investors, the Bitcoin represents portability and anonymity, both of which are in short supply on the mainland.

A big question for Bitcoins is its privacy claim.  Experts who have looked at the algorithms and computer methodology see the structure of the Bitcoin system as credible and technically strong; but modern computers and networks are incredibly weak in security, meaning that big government probably has the ability to penetrate the Bitcoin system and the capability to disrupt or pervert the Bitcoin network.

Inherently the Bitcoin system is not based on any democratic standard.  One could say that it is an anarchistic system, but if this is true as it may seem, it is anarchism with a hidden hand.  The problem is the identity and location of the hidden hand is not known to the players (investors, buyers, miners etc.), and some claim it may not matter as the currency has a life of its own that goes beyond the significance of any hidden hand.  On this latter point, the jury is still out because the system is dark, and therefore non-discoverable except to powerful players with resources for intervention, such as governments or large criminal organizations.

Privacy is an important issue these days as the protected space of most modern democracies has been deeply compromised by electronic surveillance and manipulation of personal and institutional information. The problem is extreme in the U.S. because the “checks and balances” system no longer is functional in protecting privacy, as the establishment simply preserves its wealth and prestige by stealing from the broader population.  “Checking” institutions, such as the Congress and the courts, including the Supreme Court, are enmeshed in the establishment and despite some ineffective and worthless inquiries, generally have supported the surveillance system.  To some degree the Bitcoin popularity is a reaction to the surveillance state.

A possible outcome of all this is that states will find a way, either overtly or covertly, to control the Bitcoin or blow it out of the water. The rise of the Bitcoin is only a symptom of a much bigger and unresolved problem, which is how freedom and privacy can be sustained against oppressive governments that were once democratic.


Was the NSA Backdoor Worth It?

by Stephen Bryen

[Update: We  can now add to our October 7th story the following: RSA was paid $10 million by NSA to produce an encryption algorithm in their products with a backdoor.  See the Reuters’ article “Exclusive: Secret contract tied NSA and security industry pioneer.”   One wonders about the intent behind the RSA compromise. RSA security products are used primarily by industry, so it would seem the primary purpose would be to have access to industry computers.]

The National Security Agency has three distinct hats. The first is to collect national security intelligence, primarily through signals collection.  The second is to support both the government and the private sector by helping in what NSA calls “information assurance.”  This assignment includes coming up with encryption techniques and codes that can be used by government agencies and by the public. And NSA’s third hat, a relatively recent one, is to take action against malefactors who attempt to harm computer networks or pose other national security threats: a cyber attack command to put the bad guys out of business or harm their operations (something like “Stuxnet” against Iraq’s nuclear program, for those who follow these things).
 
Each of NSA’s “hats” impinges on the other “hats” so that the job of spying intrudes on the job of information assurance, and the job of attacking malefactors impinges on both other hats.  On top of that each of the “hats” has lots of internal risks.  If you destroy an adversary’s computer network, will that stop the adversary or just cut off your source of information?  If you build a better crypto mousetrap will the bad guys use it against you?
 
No one has yet suggested any good way to disentangle NSA’s conflicting responsibilities.  Nor do we yet know if there is a practical manner in which spying can be confined only to foreign targets in a highly globalized world.
 
Just last month one of the nation’s most respected security development companies, RSA, decided to remove an important crypto tool from its products. The tool was developed by NSA and there is an interesting history surrounding it.
 
The tool is called “Dual_EC_DRBG,” for Dual Elliptical Curve Deterministic Random Number Generator. Elliptical curve cryptography is a popular public key methodology that improves on earlier generation systems. It was introduced in the middle 1980’s and was approved by the National Institute of Standards and Technology (NIST) in 2006. RSA used Dual_EC_DRBG in a wide range of its products, which are sold to governments and to private companies for information security protection.
 
All modern encryption algorithms require a mathematical technique called “seeding” to assure no pattern is inadvertently introduced that would make it easy to untangle the encryption.  This is achieved by using a pseudo random number generator.  In 2006 when the elliptical curve approach was approved, the Dual_EC_DRBG random number generator was pushed by NSA and made part of the library of encryption tools adopted at that time.
 
In November 2007, Bruce Schneier, an important American cryptographer and computer security specialist, published an article called “The Strange Story of Dual_EC_DRBG.”   In that article Schneier took a look at the NSA-championed DBRG and quoted from an informal presentation at the Crypto 2007 Conference by two other cryptographers, Dan Shumrow and Niels Ferguson.  They showed that the Dual_EC_DRBG had a weakness that could “only be described as a backdoor.”
 
The backdoor is thought to be a kind of skeleton key that makes it easy to break the encryption.  
 
Despite the fact that Schneier, Shumow and Ferguson (among others) believed there was a back door in the encryption, companies around the world, particularly RSA, went ahead anyway and used the tool.
 
It was not until this past September, with new revelations as part of the Snowden leaks, that the matter again came up.  The documents showed that NSA, acting in concert with the National Institute of Standards and Technology, had inserted a backdoor in its crypto suites.  This confirmed exactly what Schneier et al had said six years before.  Here was something approaching proof of what Dual_EC_DRBG was all about.
 
Naturally this is an earthquake in the crypto business world, and it makes it clear that NSA’s “information assurance” program also might be an information spying operation, but aimed at whom?
 
Foreign governments tend not to use U.S. encryption tools because they don’t trust them. But foreign companies do use them because the U.S. “system” (government, banking, health care) requires the use of the U.S. crypto. Was the backdoor needed to spy on the private sector?
 
But there is an even greater risk when a backdoor is put into an encryption system.  An adversarial government with significant resources might also figure out how to exploit the backdoor, or if they cannot they will find other ways to get “behind” the encryption engine.
 
NSA had one interesting, though now transitory, triumph with its backdoor, or at least one can surmise that is the case.  Al Qaeda used American encryption libraries to build its own encryption tool for use by its Jihadist terrorists.  Their product is called “Mujahideen Secrets 2” and it is just a repackaging of NSA/NIST approved material.  We can all hope Al Qaeda keeps on using the product.

Finding a Cure for China’s Technology Theft

by Stephen Bryen with Rebecca Abrahams

The news is out, semi-officially, thanks to a report by the Defense Science Board. The Board, which was established in 1956, is made up of civilians who advise the Pentagon on a variety of technology-related subjects. It has released a report, Resilient Military Systems and the Advanced Cyber Threat, which makes it clear that the Pentagon’s cyber “hygiene” is weak and U.S. defense technology has been effectively targeted by foreign governments. The result is that most advanced U.S. weapons systems, from the F-35 stealth fighter to the most advanced underwater torpedoes, and everything in-between, have been stolen. While the word “China” is not mentioned, everyone knows that it is China that is systematically purloining our technology.

The fact is, we can say we have two defense budgets: one for us and one for them. Indeed, as things stand today, the technology pipeline to China is wide open, and we are losing billions and billions of dollars of investment and seriously compromising our security.

While the Report of the DSB is serious and important, unfortunately it is not “news.” The fact of the matter is that China’s rip off of America’s defense technology assets has been going on for a number of years. There are numerous public reports about it, and the intelligence community has been watching this happen for an even longer period.

It is fair to ask a straightforward question. Why have we let this go on?

We believe the answer is that we have approached the problem with a fundamentally flawed concept on how to stop Chinese cyber theft.

The Pentagon’s idea, which is more or less shared across the government, is that the answer is to build better cyber defenses. While cyber defenses are certainly important, so far implementation of effective cyber defenses remains incomplete and, to some degree, elusive. Technology is moving so fast, and hacking has become so extreme, that keeping up is nearly impossible. The DSB is pushing for more and better cyber defense measures, but the jury remains out whether this tactic can succeed.

Defense technology is shared between government organizations and the military on one side, and industry on the other. Millions upon millions of pages of documentation are associated with every defense program, and much of this documentation is not classified.

The reason for this is operational. It is probably impossible to classify all defense department documents since doing so would limit the number of engineers and technicians who can work on defense programs, make sharing with allies and friends extremely difficult, and create a massive supervisory burden that today’s system cannot manage.

If information is not classified, typically it is stored on computers that also are not classified. What does this mean? It means that the information is not encrypted or scrambled. In turn that means that if the information is stolen, it is readily accessible by the thieves.

What has to change is the ground rule on encrypting sensitive, but not classified information.

Most government information is poorly protected because it is not encrypted: information such as tax forms, social security data, and health and human services documents, to name a few. The bulk of defense system information is not encrypted.

The classical division between classified information and unclassified information is no longer functional. We need to implement encryption, not classification, for all government materials that are not accessed by the public, and particularly for defense information. Defense contractors should be directed to do the same.

Good encryption will block the Chinese from using stolen information. While it won’t prevent cyber attacks (we still need good cyber defense for that), it will blow up China’s effort to use our defense systems against us.


OUR FAULT: CHINA, SUPERCOMPUTERS AND NATIONAL SECURITY

by Stephen Bryen

Sponsored by SDB Partners LLC 

Newsweek is carrying an important article on China and supercomputers, written by Dan Lyon. The thrust of the article is that China is ahead of the United States in supercomputers and this development is causing great concern. (http://www.thedailybeast.com//content/newsweek/2011/11/27/in-race-for-fastest-supercomputer-china-outpaces-u-s.html )

China’s rapid development of supercomputers does not come as any surprise. In fact, China’s success comes from the transfer of American technology at least since the end of the Cold War. Far from developing its supercomputers in isolation, China had available to it all the American expertise, know how, hardware and software it needed to launch its ambitious supercomputer development program.

This is exactly what I warned about fifteen years ago in numerous articles and in Congressional testimony. These warnings did no good. In fact, the transfer of technology got worse, not better.

It is true that, today, modern supercomputers are readily available on a global basis, as massively parallel supercomputer networks can be accessed by scientists and engineers from just about any global location. But in this sort of environment it is also complicated to try and hide research objectives or use supercomputers to crack encryption codes.

The growth of supercomputing in China will have grave consequences for the United States. It will negatively impact America’s high technology economy because supercomputers offer rapid design of machinery and equipment and the ability to run advanced simulations reducing time and cost in developing technology applications.

It will impair American intelligence because it will enable China to crack computer and encryption codes and launch ever-more sophisticated attacks on cyber-based systems.

It will help China leapfrog in military technology, as in the rapid development of stealth-enabled weapons, automated and advanced recognition algorithms, space weapons and advanced nuclear warheads.

America’s freedom of action to turn off the technology spigot to China is compromised by our dependence on China for monetary support and the overall poor condition of America’s economy.

There is a total lack of commitment to technology security to protect our country. This needs to change, and fast.

Below is what I said in 1997 about supercomputers and China.

 

TEXT OF REMARKS OF DR. STEPHEN D. BRYEN PREPARED FOR DELIVERY ON THURSDAY, NOVEMBER 13, 1997 TO THE NATIONAL SECURITY COMMITTEE OF THE HOUSE OF REPRESENTATIVES

Supercomputer Export Control Policy

I appreciate the opportunity to testify today. Let me take this opportunity to congratulate the Committee for its successful effort to put in place restraints on the sale of supercomputers. The Committee’s action and its leadership in this area are an important accomplishment.

Over the past four or more years the administration has pursued a reckless policy on technology transfer, and it has shown a total disregard for prudent technology security measures. The administration is pushing sales at the expense of security.

The failure of the administration’s policy is reflected in the fact that numerous supercomputers have disappeared and cannot be found. In addition, experts in our government believe that many computers sold to China have been upgraded to supercomputer status without proper notification given to the Department of Commerce. While there is no firm number, it is not implausible to believe that China may have already acquired between 100 and 150 supercomputers. In any net assessment, it has to be assumed that many, if not all, these machines are being used, or can be used to design weapons.

Technology security policies and procedures are an important part of our national defense strategy and programs. Without a coherent technology security program, the threat to the United States and to its friends and allies will increase perhaps to unacceptable levels.

The administration appears to understand this when thinking about Iran acquiring nuclear capability, or Iraq producing chemical and biological weapons. But, except for these two points of light and clarity, the administration fails to understand what it means to transfer sensitive technology to other countries.

China is a case in point. Our objectives in respect to China are to see China play a responsible role in world and regional affairs and to have China participate in general security arrangements that will benefit peace and stability. But, while we pursue these goals, we also are pushing the contrary policy of transferring advanced technologies, such as supercomputers, that are going right into China’s weapons programs, including nuclear weapons developments.

So far as I can determine, the Defense Department has prepared no evaluation of the impact these technology transfers will have on our overall national defense posture. There is no assessment of what the transfer of supercomputers will do to China’s timetable of deploying Tomahawk-type cruise missiles; nor is there any understanding of what would happen if such weapons were sold to countries such as Iran or Iraq. It is truly unfortunate that the Defense Department has remained silent on such an important strategic issue.

Some say, why should we care? After all China already has nuclear weapons. So what difference do some supercomputers make?

This argument obscures what China hopes to achieve in enhancing and modernizing its nuclear arsenal. Today a superior US nuclear arsenal can counter China’s nuclear delivery systems. Consequently, China has to operate in the shadow of US nuclear superiority.

However, if China can develop long range weapons, which are difficult to locate and destroy, China will be able to credibly threaten US assets. This will embolden the Chinese military and political leadership to believe it can act more aggressively on a regional or global basis. For example, China will be far better positioned to threaten neighbors such as Taiwan or, even, Japan; and the US will find it more difficult than ever to respond.

I believe that an effective technology security program can slow down any leap forward by China’s military. Moreover, a technology security program is particularly important during a period where we continue to cut the defense budget and slow down important initiatives, such as ballistic missile defense.

Supercomputers are one of the important tools China needs to build small and efficient nuclear weapons and to be able to “test” these weapons in simulations where our intelligence agencies cannot detect their progress.

Other complementary technologies, such as advanced machine tools, hot section engine manufacturing know-how, and the global positioning system, are being sold to China and will be used by China to build the ballistic and cruise missiles that will be a threat early in the next century. In fact, while the United States has, from time to time, complained about other countries transferring weapons technology to China, the truth is we are the worst offender because we are providing the know how that enables state of the art weapons development, particularly WMD systems.

 
