
23 June 2015

Comments


Babak Makkinejad

TTG & CP:

This breached data, together with the data that is either freely available - such as in Facebook or LinkedIn or other WWW social sites - and data that is available at certain nominal costs (for a state or country) enables all these people and their extended families and relations to be identified, mapped, and tracked.

Using such relationships, one may then find personal, financial, medical vulnerabilities that could then be exploited.

Facebook should have been banned a long time ago - in my opinion.

Allen Thomson


> For example, would the SF86 information be useful in selecting US humint targets?

It'd be a pretty good starting point. (Though, as has been pointed out, there are other security systems that don't depend on OPM.)

Fred

WRC,

"... cultivation of those junior in rank but potentially leaders of their organization in some way [or others?] might well be of current and future interest."

The Chinese (and/or others) now have all the ammunition they need to recruit or coerce any of these future leaders or their families. Congratulations to the Obama administration. At least we'll get that pesky flag removed and did you hear the latest about Caitlyn??

Patrick D

[QUOTE]With that information and a halfway decent data mining tool, one can easily construct an accurate and detailed model of the vast national security structure of the USG.[EOQ]

[Bitter Sarcasm Alert]
I recall a story some years back that the national security structure had become so vast that no one in the USG had any idea how big it was, who it employed, and what security clearances they had. Maybe the hackers can sell this model back to the USG so they can get a handle on it.
[End of Sarcasm]

This is beyond words. Thanks to CP and TTG for the post.

mbrenner

Some savvy managers in organizations where highly expert skills are central to its mission solve the problem by cultivating a "specialist relationship" with a person of excellent qualifications and personal integrity. He may be at one of the 17 national research facilities, at a preferred contractor like DIA, an academic, or other. That person has established a track record of competence and credibility - therefore is trustworthy. In some respects, he may also serve as a de facto consultant on consultants. I have known a couple of instances in the nuclear export area where such an arrangement has worked out very well.

Of course, it requires a manager who has the ability to identify such a person, to know how to use him, and to value dispassionate judgment. Unfortunately, that is not Sibelius or the guys who have been running the NSA empire.

An ideal candidate to serve in this capacity on matters of electronic warfare defense is Edward Snowden. He pointed out to his superiors many of the weaknesses in their systems; they ignored him - preferring to rely on the many phoneys among the 831,000 with the highest grade security clearances to do whatever to keep the budget robust, which after all is the NSA leadership's top priority.

HankP

I've worked in IT all my life, and I can tell you one thing - once a system is rooted it can never be trusted again. Software or hardware. Data can be recovered, but it must be done very carefully.

steve

You have the same large, inefficient bureaucracies choosing which contractors to hire. A lot of potential to make things even worse.

walrus

I was a senior manager at an IT outsourcing firm for a few years (Group General Manager - System Integration), CP and TTG have it right.

Our mission was to totally lobotomise our clients, making them utterly reliant on our goodselves. To that end, we:

(A) After a suitable interval of months, reminded the customer's project sponsor ("project champion") that her future career prospects depended on the outsourcing being perceived as successful by her Board.

(B) Hired the best of the customer's IT staff ourselves; the low level staff were simply fired.

(C) Identified potential technical critics within the customer's organisation who wouldn't leave. We arranged for these potential troublemakers to be fired using the leverage of (A).

So now we have complete control of one of the customer's core competencies. We control their IT strategy and execution and hence exert influence on their entire business plan. There is no one technically competent to quibble over our pricing. We know their innermost thoughts if they commit them to email. We know their business plan, profitability and future ideas. As long as our project sponsor/mole is believed and in the ascendant within the customer, nothing can touch us.

This situation produces a very ugly hangover at Board level when they realise they have lost control of their core technical competency and then they have to simultaneously reacquire technical nous and prise our fingers from their keyboards.

My guess is that there is/was an "Outsourcing Project Champion" at OPM who drove this project with great enthusiasm, surmounting all hurdles and vanquishing anyone who sounded a warning. They must be feeling suicidal by now if they have the ability to feel remorse, which I doubt.

mbrenner

The story line of the OPM and related hacks, as presented to us by the MSM & most commentators, strikes me as being remiss - in its portrayal of the main protagonists and in its plot. The US is represented as the victim of unprovoked cyber aggression by the Chinese, coming out of the blue. This is seen as a potentially major blow in an assumed contest for global dominance between the two powers. But is any of this true? Frankly, we haven't even seen the proof that the PRC was behind all the attacks - nothing except the word of people whose record is one of serial lying. But let's assume that it was the Chinese.

Let us recall that it was the United States that launched the first cyber attacks - some years ago by the NSA. This history is detailed in the Snowden documents whose authenticity never has been questioned. We succeeded in trespassing on the computer networks of several PRC agencies and individuals. We boasted about our success in intra-governmental communications. Those occurred at a time when related documents now in the public realm revealed the NSA's ambition to tap into every electronic communications network in the world and laid out a program for achieving that goal.

Simultaneously, the United States was launching offensive assaults on Iran. The targets there included not just their nuclear research facilities but also critical centers for the oil and gas industry. These are acts of war. Yet there was never a mandate from any international body for doing so, nor a casus belli. We did it in collaboration with the Israelis because we made the unilateral judgment that aggression was in our national interest. Now we are outraged that others are doing what we have done. This is rank hypocrisy - it also is not very bright. For the initial actions made the casual assumptions that the US would always have an advantage; therefore, the setting of norms and rules was unnecessary and undesirable. The same logic operated in regard to drones and targeted assassinations.

Conditions now have changed and the US is vulnerable to attack. The option of negotiating international rules of the road and perhaps formal regulations is slipping away. We will have to live with the chaotic mess that we have created.

Whatever thinking the NSA did on the subject (and perhaps other agencies) bears an uncanny resemblance to Curtis Lemay's attitude toward nuclear strategy. An emphasis on offense because it played to our advantage; defense only in the form of "massive retaliation" which - for Lemay - was the strategic cover for massive first strike; and a conviction that this was an unavoidable zero-sum game played for the highest stakes. In other words, cowboy strategy. And it is cowboy strategic thinking that has ruled in the NSA.

The most revealing article on this appeared in WIRED a while back. In the piece written by James Bamford (21.07.14), General Keith Alexander, since retired, revealed the full scope of his ambition. Here are some of its more noteworthy quotes: “For years, U.S. General Keith Alexander has been amassing a secret cyber army. Now it’s ready to attack….Alexander’s forces are formidable – thousands of NSA spies, plus 14,000 cyber troops….Endgame hunts for hidden security weaknesses that are ripe for exploitation.” Plans included a “launch on warning” doctrine whereby massive cyber retaliation would be directed automatically at whomever made a strategic attack on sensitive U.S. computers. Its code name is MonsterMind. Preparations for the Great Cyber War evidently left no time to keep track of smaller attacks. (See also THE INTERCEPT 10/10/14 "Core Secrets: NSA Saboteurs in China and Germany" by Peter Maass and Laura Poitras.)

CONCLUSION: There is no substitute for brains at the top. As of now, there aren't any there. The record speaks for itself.

wisedupearly

scary story and well worth reflection.
Clearly the Champion received a fat private bonus and an offer of employment at the outsourcing company.
Corruption is the death of all endeavors as the logical response, rules - regulations - inspectors, defeats the rationale of the organization.
Once key people lose their self-imposed loyalty to the project then the project fails.
Key example being the vulcans/neocons.
Just by chance this morning saw an article in the Guardian on Iraq
http://www.theguardian.com/world/2015/jun/23/iraq-war-worth-the-fight-chaos-gertrude-bell
with this quote
“Outside these walls (museum), you’ll find nothing that has been built since British rule that commemorates the country like all of the things within these walls.”
no cohesion, no strength.

Richard Armstrong

Walrus - I don't think I've ever read a more succinct description of how IT consulting operates. This was exactly how we operated. The TV show "House of Lies" provides the same information about consulting disguised as entertainment.

Fred

On a very bright note the TPP (v2) has passed the House and now the Senate. Congratulations! At least we got that flag down, which is appropriate given the loss of sovereignty.

DeWitt

My pleasure - glad to contribute something useful. Schneier always has the goods.

DeWitt

It should be noted that Kaspersky Labs was hacked (purportedly by the Israelis), who used Duqu, a variant of Stuxnet, to penetrate and inhabit Kaspersky's servers for several weeks or months. When one of the top private computer security firms in the world can be pwnd, it would seem to add some color to this discussion.

http://www.computerworld.com/article/2934593/security0/duqu-2-0-kaspersky-israel-itbwcw.html

Babak Makkinejad

If I did not know any better, I would have started shedding tears for the Poor Customer.

Customers can and do fire IT Outsourcers; look at how GM fired HP.

In many instances, HP staff knew the business better than the GM guys.

This is just another phase in the same old - same old pattern:

Out source today - in source later - however the wind/fashion blows

Do a merger today, go through a divestiture tomorrow - merge again...

The Beaver

Mr Brenner

Speaking of Gen K Alexander, this brings me to the thread of 2010 about Lani Kass and Cyberspace and warfare:

http://turcopolier.typepad.com/sic_semper_tyrannis/2010/04/dr-lani-kass.html

Interesting bits and pieces back then, such as:

"Her brainchild really never took off. All DOD "cyber" activities are being merged into the joint CYBERCOMMAND and will be official once DIRNSA, Gen Alexander, is confirmed by the Senate for a fourth star. DISA and NSA will be the two biggest players, not the Air Force. And those two agencies are driving the boat right now not the individual military components."

LeaNder

Thanks, Beaver, interesting.

The technical system security context looks like a real horror scenario, even without the larger outsourcing problem.

Have you taken a look at the Nov 2014 report? From Page 9 onward you find the chronology from the "material weakness" in 2007 to the upgrade to "significant deficiencies" in Nov. 2014, within limits or based on clearly defined strictures.

"Material weakness related to security governance upgraded to significant deficiency."

"While limited tangible improvements have been made to the security management structure in FY 2014, the ISSO positions that have been planned, approved and funded represent significant improvements over prior years. Therefore, we are upgrading the material weakness to a significant deficiency for FY 2014 due to the imminently planned improvements. However, we will reinstate the material weakness in FY 2015, if the OCIO fails to adequately implement the approved changes."

ISSO = Information System Security Officer
OCIO = Office of the Chief Information Officer


*******

I took a look at USIS and KeyPoint too. Here is USIS history from Wikipedia:

"USIS was founded in 1996 after the investigative branch of the OPM was privatized. Its creation was due to an effort of Vice President of the United States Al Gore's effort to reduce the size of the civil service. Originally known as U.S. Investigations Services Inc.,[3] it was at first an employee-owned company. Around 2000 the Carlyle Group invested in USIS and in 2003 Welsh, Carson, Anderson & Stowe committed capital to them. In 2007 Carlyle announced that it would sell USIS to Providence Equity Partners, a private equity firm, for US$1.5 billion.[4] In the fiscal year 2012 the company received $253 million for the contract work of the OPM, 67% of the OPM's contract spending for the fiscal year.[3]"

Unexpected consequences? ... Although, looks as if they never really took security seriously.

The chatter among insiders and people inquiring about work conditions in the two entities is interesting.

*********************

But strictly I find it much worse that there is no central IT department in control of system and security, not even after 7 years in Nov. 2014, and apparently over the years largely no documentation.

Imagine people completely untrained in the field work as DSOs (Designated Security Officers) in addition to their actual job. STILL in Nov. 2014.

***********

Ars: "Unfortunately, many other small federal agencies may be just as vulnerable to attacks. Two decades of bad security practices, a long decline in internal information technology experience within civilian agencies, and a tendency to contract out critical parts of IT to private companies without a great deal of technical oversight have created ripe attack conditions. To boot, DHS's efforts to provide a first line of defense against network attacks is based on an approach rooted in security strategies more than a decade old—and even that strategy is only now being fully put into place."

**********

Strictly none of the arguments convince me completely as far as suspects and the supposed detected suspect are concerned.

But then:

"The greatest trick the Devil ever pulled was convincing
the world he didn't exist"
--- Verbal Kint

LeaNder

"the UK's recent Snowden accusation is a political football."

thanks, that was my impression too, when I stumbled across it.

"as the Sunday Times reported an anonymous source saying, “we have now seen our agents and assets being targeted,” the NSA and GCHQ should first take a look into their mirrors"

Forgot about him. Someone linked to him before, good man.

Wasn't it a blog? Yes, here it is:
https://www.schneier.com/

mbrenner


Federal personnel chief: ‘I don’t believe anyone is personally responsible’ for Chinese hack


Katherine Archuleta blamed "legacy" computer systems on the failure to upgrade cyber security.

confusedponderer

"We did it in collaboration with the Israelis because we made the unilateral judgment that aggression was in our national interest. Now we are outraged that others are doing what we have done. This is rank hypocrisy - it also is not very bright. For the initial actions made the casual assumptions that the US would always have an advantage; therefore, the setting of norms and rules was unnecessary and undesirable. The same logic operated in regard to drones and targeted assassinations."

Yes, the US has yesterday set the precedent for what it complains about today. America's conduct since Clinton is notable for lack of observable self-restraint and foresight.

It's "Yes, we can!" ever since, and as for why "Because!" has always sufficed as a justification.

It will have come full circle when the US freaks out at some country conducting a targeted assassination, or perhaps a drone strike, against an enemy on US soil.

I guess a hegemon is fond to think it can scoff at all this folksy old realist stuff like rule of law, sovereignty, reciprocity, the fact that others can retaliate and that international actors set legal precedents.

The Izzies are just as dumb in that their conduct likewise sets precedents for behaviour they themselves would find threatening and unacceptable if they ever found themselves in a position of actual (as opposed to professed) weakness. Alas, they are strong for now so they do what they want while their neighbours suffer what they must. The point is, they won't forget.

I wonder for how long that merry state of affairs can endure.

The US for their part has begun to realise, albeit penny by penny and still well short of a dime, that there actually are limits to the utility of coercion and force. If threats, bombs don't work, more threats, bombs won't work either? Puzzling!

The Twisted Genius

All,

We (the USG) have been having our ass handed to us by the Chinese for at least a decade. In the earlier days, there was no finesse to the attacks. They would suck down so much information from an installation that the installation's network would crash. I've seen other things just as bad. Our networks are massive, often patched together with outmoded hardware and software. There aren't near enough top notch network security people to defend this.

The only good news is that the Chinese are in the same predicament. Our guys are damned good and their networks aren't any better protected than ours. The cyber world consists of inter-networked bad neighborhoods and battlefields where no one or no data is truly safe. We can do better, but it takes government acceptance of the hacker-sysadmin mentality. We need digital versions of Professor Van Helsing... lots of them. We also need to embrace ubiquitous strong encryption.

LeaNder

A series of brilliant responses today, Dr. Brenner. ;)

May I add the links? Actually Cyberwar caught my attention too a lot post 911, but it didn't seem to be widely discussed, only in expert and Geek circles.

Maass/Poitras
https://firstlook.org/theintercept/2014/10/10/core-secrets/

Bamford - NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar 06.12.13

http://www.wired.com/2013/06/general-keith-alexander-cyberwar/

Two of the six Bamford presents, some not publicly recognized:

JFCC-NW

(Joint Functional Component Command for Network Warfare) Created in 2005 as part of US Strategic Command, which controls the nation’s nuclear arsenal, it played a lead role in promoting the idea of thwarting Iran’s own nuclear ambitions with a cyberattack. Folded into Cybercom in 2010.


USCYBERCOM

(US Cyber Command) Established by the Department of Defense in 2009 to deter cyberattacks—“proactively.” In March, Alexander gave a hint of the command’s mandate to the House Armed Services Committee: “I would like to be clear that this team, this defend-the-nation team, is not a defensive team.”


In May 2010, a little more than a year after President Obama took office and only weeks before Stuxnet became public, a new organization to exercise American rule over the increasingly militarized Internet became operational: the US Cyber Command. Keith Alexander, newly promoted to four-star general, was put in charge of it. The forces under his command were now truly formidable—his untold thousands of NSA spies, as well as 14,000 incoming Cyber Command personnel, including Navy, Army, and Air Force troops. Helping Alexander organize and dominate this new arena would be his fellow plebes from West Point’s class of 1974: David Petraeus, the CIA director; and Martin Dempsey, chair of the Joint Chiefs of Staff.


The Edward Snowden Story with a correction on 22 August 2014.

http://www.wired.com/2014/08/edward-snowden/#ch-2

Amir

US consular services to non-citizens were shut down from 8th of June till yesterday. No visas could be delivered due to security concerns. Apparently they have been resumed for a limited number of applicants as of today. Does this have anything to do with the hack? http://london.usembassy.gov/niv/

rjj

Indirect predation. It was invented ages ago by women and courtiers.

rjj

Ever see the Pinter/Losey film "The Servant" ??? It's a parable.

The comments to this entry are closed.
