The Leading Edge of CyberSecurity… Where is it?

Tim Riecker

I finally had a chance to read through Homeland Security Today’s publication of The Leading Edge Today.  The January edition was focused on cyber security.  The Producer’s Corner article (i.e. letter from the editor) cites a study and report compiled by Verizon and other entities from around the globe, including the US Secret Service.  This report, called the 2012 Verizon Data Breach Investigations Report, is staggering.  They cite 855 confirmed cases of enterprise data loss and say that most entities that are hacked aren’t aware of it for weeks or months – and are usually notified by someone else of the incident (i.e. law enforcement or an enterprise internet security firm).  The remainder of the publication offers some good information and insight on trends and prevention activities in the realm of cyber security.

Obviously The Leading Edge Today was published prior to the President’s signing of the cyber security executive order just a couple of days ago.  All reports so far indicate that the executive order really has no teeth.  It’s not law and only provides recommendations, although it does call for the establishment of a Cyber Security Framework (perhaps to parallel the National Response Framework?) and calls for the NIST to establish the standards of this framework.  DHS is charged with sector-specific outreach to engage the private sector.  It’s not the full package of what our nation needs, but it’s a start.  It’s apparently a political throwing-down of the glove to challenge Congress to promulgate and pass a cyber security bill.

I’ve not had the chance to do any research on it, but what are other nations doing?  I imagine that there must be countries out there who have not dragged their feet as much as we have on this matter; and hopefully they have been able to implement not only strategic plans that outline progress, but have also implemented tighter defenses.  This may also be an opportunity for a global defense against cyber crimes – particularly in consideration of the perpetrators and the victims often times being from around the world.  In my eyes, this cyber terrorism needs to be viewed as an attack on our sovereignty, on our economy, and on our personal and corporate privacies.  To fight it is to wage war against those who perform it and those nations who sponsor it – just like any other act of terrorism.

Critical Infrastructure Dependencies

Homeland Security Today published an article recently on the FCC’s examination of wireless network issues post Hurricane Sandy.  While the article speaks mostly on the need to bolster the wireless telecom infrastructure, it does mention the obvious dependencies that wireless has on our energy infrastructure.  These types of dependencies can be seen throughout all our critical infrastructure, linking them intimately, and demonstrating how fragile we really are without proper preparedness efforts and redundancies.  The illustration below outlines eight (of eighteen) of our critical infrastructure sectors: Fuel, Communications, Water, Banking, Electric Power, Transportation, Emergency Services, and Government Services.  I take no credit for the graphic, which was simply found on Google Images, but it is a great example depicting a number of the linkages (i.e. dependencies) that each of these sectors has on one another.  Like dominos, multiple sectors can be made to topple by exploiting vulnerabilities in one or more of them.  We’re not just talking about terrorism here, although preventing the intentional interference with critical infrastructure is obviously a major concern, but we’re also looking at natural hazards.

Critical Infrastructure Dependencies


We’ve seen from real life on multiple occasions what damages to our infrastructure can cause.  Our electrical infrastructure is perhaps the most fragile, but is also the one linked to every other sector – no wonder there is so much attention paid to preparedness and mitigation efforts to make this sector more resilient.  The above graphic shows, not accidentally, the electrical sector being in the middle of all others.

There has been further attention brought to the matter recently by the National Infrastructure Coordinating Center (NICC).  In this article by Homeland Security Today, it was announced that the National Infrastructure Coordinating Center will be hiring contractor support as a force multiplier in their monitoring activities.  Last week FEMA just released IS-913, their Independent Study course on Critical Infrastructure Protection: Achieving Results Through Partnership & Collaboration.  This course complements other critical infrastructure protection-oriented training programs of FEMA’s.  FEMA Independent Study courses are free and open to all US citizens.  I would strongly encourage that you explore what they have to offer if you haven’t already.

Critical Infrastructure Protection (CIP) is an important topic spanning all of emergency management and homeland security.  Additional information on CIP can be found from the DHS CIP website and other sources.

States Rushing to Limit the Use of Drones by Law Enforcement

Inspired by this Washington Times article.  I must say I don’t understand why people are protesting the use of drones (aka unmanned aerial vehicles or UAVs) domestically.  Yes, they fly; and they have cameras with telephoto lenses.  Their use, however, from a law enforcement perspective is largely no different from that of helicopters or small fixed-wing aircraft – except at a much lower cost and no danger of physical harm to individuals, such as pilots or crew, which occurs far too often – mostly with helicopters.  I think portions of the public have greatly overreacted to what they have seen of the military versions of these drones by way of mass media.  They certainly do have great capability in that theater, but use domestically is vastly different – especially being that they aren’t armed with Hellfire missiles and the like.  Now with politicians weighing in, the over-reaction continues, and at a detriment to public safety.

I truly hope that a compromise can be found with people realizing that the use of drones, within all current standards of surveillance, warrants, etc., is not a threat to their privacy.  It is, in fact, a demonstration of smart government, leveraging technology to enhance capabilities at a lower cost and increased safety.  In aerial surveillance, drones can be used for nearly anything a helicopter or small fixed-wing aircraft could be used for; including rapid deployment after a shooting or robbery to look for a subject, or to find an Alzheimer’s patient gone missing.  These are noble and proper efforts that I hope won’t be impeded by knee jerk reactions based upon misinformation.

What are your thoughts?  Am I missing something here?

NY Times Allows Cyber Attacks for the Sake of Research

Just read a very interesting article about the New York Times falling victim to cyber attacks from China – and allowing it!  As the article states, the Times took a gamble for a period of four months, allowing these hackers to repeatedly penetrate their servers and steal information.  This was a calculated decision by the NY Times, however, made with the assistance of a cyber security firm, and with the intentions of analyzing patterns to build better defenses.  Essentially, it seems, the cyber security firm used by the Times would deftly parry certain attacks by the hackers, allowing some blows through their defenses and letting a bit of blood.  Slowly, as the patterns of attack were recognized, the firm would tighten up their defenses until they shut down the attack completely.  A dangerous gamble, given the information the NY Times may have on its computers, but seemingly worthwhile.  An interesting bit of information from the article was that the hackers installed 45 pieces of custom malware over this period of time, with only one of them being recognized and stopped by their Symantec antivirus software.

I commend the NY Times for this effort, but certainly don’t recommend it!  It’s a heck of a gamble and a great deal of damage could have been done.

From Emergency Management Magazine – Catastrophic Power Outages Pose Significant Recovery Challenges

Emergency Management Magazine posted a great article written by Adam Stone about catastrophic power outages.  The article lays out some interesting facts and prompts many thoughts on how our society would sustain with limited power.  Mr. Stone also mentions how vulnerable our grids are to both cyber attacks and squirrels!

Reblog – School Security

Excellent guidance, not only for schools but for other facilities as well.

diamondsecurite, Diamond Security

Although the facts remain unclear as to how Adam Lanza, 20, was able to enter Sandy Hook Elementary School and kill 26 children and adults on Friday, news reports indicate he forced his way into the front entrance, possibly by shooting out or somehow breaking glass in the office’s door or window. It has also been reported that the front entrance was equipped with an intercom/camera system designed to screen visitors. Additionally, all of the other entrances/exits to the school were locked by the time Lanza entered the school.

What the official investigation will reveal remains to be seen. That said, considering the attack began at the school’s front door, it would behoove K-5 officials to review the security of their campuses’ entrances.

If anything good can come from Sandy Hook, it’s the knowledge that the security upgrades recently implemented at the school, as well as the heroic actions of…


Active Shooter Info from DHS

Good active shooter info from DHS.

Bruce Harman, The Security Takeaway

The tragedy in Newtown, Conn.  raised awareness of the Active Shooter threat. Listed below please find links to a number of reference and training resources which highlight response to the Active Shooter threat.

DHS Reference Materials:

DHS, Active Shooter – Booklet:   How to Respond www.dhs.gov/xlibrary/assets/active_shooter_booklet.pdf

 FEMA Online Courses:

Active Shooter:  What You Can Do http://training.fema.gov/EMIWeb/IS/IS907.asp


10 Years of the Department of Homeland Security

A few days ago I looked at four different links related to the 10 year anniversary of the US Department of Homeland Security (DHS).  Every one of these links (here’s one of them) called for the abolishment of the department and decried everything they have done and stand for.  Being the relative moderate that I am, I take a slightly different view on this – let’s make some changes, but in the end DHS will still stand – albeit a different agency.

On November 25, 2002 President George W. Bush signed into law the Homeland Security Act of 2002, which authorized the largest governmental reorganization in the US since the creation of the Department of Defense.  The goal was to bring, in whole or in part, 22 US agencies which were chartered in some way with domestic terrorism protections under one agency umbrella.  Interestingly enough, two agencies who took a lot of heat for perceived intelligence and coordination  failures prior to the 9/11 attacks – the FBI and CIA – were not included in this reorganization… thankfully!  It seems that over the last decade, nearly every entity brought into DHS has suffered in some way.

Looking back, there absolutely was a need for increased coordination amongst federal agencies when it came to intelligence.  The US Intelligence Community is significant, with a multitude of agencies all playing a necessary role.  In my humble opinion, there should have been a strengthening of the role and powers relative to intelligence coordination of the Director of National Intelligence.  Perhaps even some agencies could have been merged, in whole or in part, to streamline missions.

Relative to the agencies brought into the fold of DHS, intelligence is a secondary or tertiary function to many of them (I speak of the function, not mental capacity).  Similar to streamlining missions amongst intelligence agencies, certainly there could have been some mergers, again in whole or in part, amongst these 22 DHS-bound agencies to help streamline the response, training, and critical infrastructure missions that many of them touch upon.  This would have had a much greater (positive) impact to the public safety and emergency management community than stuffing them all into one house and hoping they would get along.  Despite intelligence not being a primary function of these agencies, DHS has jumped head first into the deep end of intelligence as a knee jerk reaction instead of going about it the right way.  In this haste, we see some big mistakes with fusion centers, grabbing a lot of media attention.

In government there tends to be a desire to over-legislate things.  When we see a problem we create a bill and pass a law.  That law creates a new agency or charges an existing agency to do something different.  Often times, an existing agency is already doing what needs to be done or has the resources available to do it – which would be the easy fix.  Instead we see something called mission creep, where agencies will wander into mission areas already occupied by someone else, using some legal charter to justify the action.  The creation of the US Department of Homeland Security was the worst possible amalgamation of these circumstances, forcing changes in command structure and hierarchy of 22 different agencies – even taking away the cabinet-level position held by one of those agencies (FEMA) – a move that was realized as a significant mistake when Hurricane Katrina struck.  The Washington Times even reports that President Bush was resistant to the concept, not seeing a need for such a large agency.

DHS became a massive bureaucracy, not only through the merging of these 22 agencies, but through the creation of a substantial overhead organization.  That overhead organization does little to provide shared services for those 22 agencies such as HR, payroll, purchasing, finance, etc. – which would be an ideal use.  Instead, things grew so complex that for several years of the last decade, KPMG – one of the largest audit firms in the nation – was unable to complete an audit of the agency.  Hundreds of billions of dollars have been budgeted to DHS over the last decade – dollar amounts far in excess of the value to the American public.  Even their grants, which have benefitted many state, county, and local governments, have gone overboard and lack proper accountability.  Some of the grant rules are so cumbersome that many jurisdictions haven’t been able to spend grant funds going back several years.

But should we get rid of DHS?  I say no.  The Department of Homeland Security, originally created as the Office of Homeland Security (prior to the Homeland Security Act) was charged with developing a national strategy to secure our nation from terrorist attacks to include the coordination of detection, preparation, prevention, response, and recovery efforts.  The creation of DHS should have been a modest and conservative reflection of this original charter, drawing in the necessary agencies and resources to accomplish this mission.  It should not have swallowed agencies that have their own distinct missions, those that functionally don’t belong under another agency (i.e. emergency management as a function of homeland security) or those who best function with cabinet-level representation (i.e. FEMA).  Yes, I do stand in obvious defense of FEMA, but 21 other agencies were also impacted significantly by this.

It’s not too late to make the necessary changes.  As I’ve said in the past – let’s be smart and use some common sense.

Electric Grid Vulnerabilities

Government Security News (GSN) just published an article (http://www.gsnmagazine.com/node/27833?c=infrastructure_protection) about the recent declassification of documents identifying that our electric grid is still vulnerable to terrorist attacks.  Really?  I’m not sure there needed to be a classified document in the first place.  The vulnerability of our grid should be pretty obvious.

The report was focused on the vulnerabilities to terrorist attacks – but thankfully did at least acknowledge that impacts can be caused by natural disasters (by the way, the lights are still out on Long Island).  Terrorist vulnerabilities absolutely do exist, though.  Our energy infrastructure is very open, physically and virtually.  Generally, power generation facilities have decent security – particularly nuclear power plants.  Security does drop notably with other facilities, especially hydro-generation plants, which should have the same measure of security as nuclear power plants as most of them are associated with a dam, which, if breached not only knocks out power generation but also is bound to impact a population catastrophically.

Most energy sub-stations are not staffed, and while there is passive security in place, such as fencing, these can obviously be overcome easily.  Utility lines stretch across our nation above and below ground – generally accessible with little trouble to people with malicious intent.  Remember that acts interrupting our grid may not necessarily come from Al-Qaeda, but can come from disgruntled locals as well.  Take a look at the pictures below.  These were actually taken by my father who worked for a utility company in New York State.  Shortly after these high power transmission lines were put up over 25 years ago, a local, in protest over these lines going through their land, actually unbolted the tower from the base.  They never caught the person who did it – but this is a federal crime – and taken very seriously by prosecutors and law enforcement, including security personnel of the utility companies.  This same transmission line passes through my property and my family and I have made several calls through the years to the security office of the utility company when we see people loitering around and taking pictures or notes on these towers.


In consideration of cyber attacks – guess what – they happen EVERY DAY!  Most, fortunately, are pretty weak and stopped well short of their goal.  Some do have some measure of success, penetrating firewalls and other defenses.  Some come from individuals domestically, but many are known to come from the likes of China, North Korea, and Iran – all of which ‘officially’ deny sponsoring such acts of terrorism.  Practically everything is controlled by a computer, and practically every computer is networked and accessible from the outside world by people who know how to do so.  Energy plants can be shut down, overloaded, or have safety protocols circumvented.  Scary stuff.

So what’s the result of all this?  Much more than the inconvenience of a short-term power outage, I can assure you of that.  Our energy grid is the most critical of our infrastructure.  Without it nothing works.  We’ve only scratched the surface of examples from the areas that were hit by Hurricane Sandy and still don’t yet have power.  It impacts our other critical infrastructures such as communications, hospitals, the economy, and others.  It breaks beyond discomfort and inconvenience when it endangers lives during periods of temperature extremes.  All in all we have an aging infrastructure in our nation, but not only do we need to work on replacing and improving it, we need to protect it.

A different approach against terrorism

I was watching another TED talk yesterday by Jason McCue titled Terrorism is a failed brand.  McCue is an attorney by trade, who has found a rather distinctive niche litigating against terrorists.  Certainly a noble job and not at all one I would want to try.  I hope he has a great home security system and a solid kidnap and ransom insurance policy.

This TED talk is one of the longer, 20 minute presentations, but well worth the time.  McCue outlines ways to defeat terrorism by taking away their power to influence.  By doing so, they won’t be supported financially or ideologically and will have trouble recruiting.  He is a rather compelling speaker with a great approach to his ideas.  Throughout his talk he provides a few case studies where such approaches have led to success and even draws a parallel between terrorism and commercial branding – proposing that a strong marketing campaign against terrorism be implemented.  I think he makes a great argument for it overall.  I do, however, have some difficulties accepting this as an approach for all forms of terrorism.  It seems his approach would work well against IRA-style terrorism, where the collateral damage is directly impacting the ones that the cause purports to defend and support.  In fact, the greatest part of McCue’s experience lends itself to IRA litigation.  On the other hand, there is al-Qaeda, who I don’t think would be affected as much by this type of tactic.  We might be able to strike against some of their financial backing and perhaps some of their recruitment, but I don’t see where we will strike much sympathy within the ranks of al-Qaeda from the death, destruction, and dismemberment caused by their suicide bombers and other attacks – which is a tactic McCue identified as a success against the IRA.

While McCue doesn’t identify his tactics as the only solution, I would certainly say that it would not be, especially against al-Qaeda type entities.  I believe strongly that military actions against their leaders and training camps must certainly continue, as should political and legal pressures against their supporters – be they nations that sponsor terrorism or investors funding these acts, as well as counter terrorism and intelligence operations.  It is only with a multi-pronged approach that we will win against terrorism.  Note, however, that I say ‘win’, not ‘defeat’.  I don’t think terrorists, whatever ilk they may be of, will ever be truly defeated.  We can’t stop people from having opinions, nor would we want to.  The problem is when those opinions go to an extreme of causing harm upon others to coerce a population.