Paul's Blog

THOUGHTS ON CYBER WARFARE

Transatlantic Cybersecurity Research Workshop at the Hungarian Embassy

I would like to share some of my thoughts about the Transatlantic Cybersecurity Research Workshop at the Hungarian Embassy.  I would like to thank our CSFI members and friends who attended this event with me, David Simpson (CSFI Security Engineer and lab genius), Steve Smith (cyber Hungarian friend), Ambassador Smith (always inspiring me on political issues), and Connie Peterson Uthoff (CSFI OSINT Analyst).  I have been in contact with Joe Weiss for 2 years, and I finally had the opportunity to meet Joe personally and listen to his presentation. 

Below is part of the introduction to the Transatlantic Cybersecurity Research Workshop as described in the news section of the website of the Embassy of Hungary, which can be found at http://www.huembwas.org/News_Events/20110408_cyber_conf/draft%20agenda.htm

Since threats, and the critical infrastructures criminals and state actors target, have become global and increasingly sophisticated, the need to come up with effective protection is also a shared responsibility by the democratic community of nations.  To support such efforts, the Hungarian Embassy in Washington DC (Hungary is currently assuming the role of the Presidency of the Council of the European Union) is organizing a one-day Transatlantic Cybersecurity Research Workshop with legislators, policymakers, researchers, scholars and representatives of the private sector from both sides of the Atlantic.  Members of the relevant European parliamentary delegation – all belonging to the Parliament’s Civil Liberties, Justice and Home Affairs Committee – are coming to Washington to have talks on PNR, SWIFT, data protection issues.  At the same time they are also in charge of overseeing European cybersecurity planning and agreed to lend us a hand in discussing EU cyber policy.  The half day workshop will aim to focus on how cybersecurity research may be harmonized or even prioritized between the US and the EU.

Ambassador György SZAPÁRY was very kind to welcome the audience and to make their Embassy open to our group for this special cyber event.

Panel Discussion: Most Urgent and Emerging Cyberthreats to Critical Infrastructure         

Jody WESTBY, Adjunct Distinguished Fellow at Carnegie Mellon University and CEO of Global Cyber Risk

Carlos KIZZEE, Director, Strategic Initiatives, Critical Infrastructure Cyber Protection & Awareness, National Cyber Security Division, Cybersecurity and Communications, National Protection and Programs Directorate, DHS

Kristjan PRIKK, Defense Counselor, Estonian Embassy

Joe WEISS, researcher, Applied Control Solutions

Moderator: Lynn VAN FLEIT, Founder and Executive Director, Diplomacy Matters Institute

Jody Westby gave us a good summary of what the United States is trying to accomplish in cyberspace in terms of policy and regulation, she covered some of the cyber bills and initiatives. I personally believe that it is time for industry and government to start taking a harder look at all of our proposed bills, improve them and finally get serious about passing them.

Carlos Kizzee gave a realistic speech about the efforts of DHS to protect our critical infrastructure and how DHS has created collaboration channels with CYBERCOM. “We all have to accept that cyber security is a complex issue that cannot be solved by one country, one vendor or one actor by itself; it requires coordinated response, coordinated mitigation, and it is an ongoing activity”.  We cannot fix the problem by creating a new set of problems; we cannot erode civil liberties, voiced Mr. Kizzee. The solution set must be something that changes the game, something that we have not seen before, in his words.

He stressed four elements: Coordination, Alignment, Testing and Innovation.

I only wish our government got more serious about the issue by increasing the cyber R&D budget, currently at an embarrassing amount of 40 million dollars. We have great minds in the DHS like Mr. Kizzee and Dr. Douglas Maughan, but we all know that 40 million dollars for cyber R&D is ludicrous. We have Ferraris in the garage and no gasoline.

Joe Weiss, also a CSFI member, spoke at the event, a much anticipated speech that I enjoyed very much so. His main message is that the control systems world is much different from the IT world! Cyber security professionals are not trained to deal with control systems. In the control systems world confidentiality means little, and availability is king. When we try to apply cyber security regulations and principles to the world of control systems, we run the risk of making things worse. Joe talked about intentional and unintentional attacks. There are 10 or 12 SCADA vendors out there supplying their code internationally, making it possible for companies in the US to control nuclear plants in Japan and vice-versa, a global reach that physically affects processes! He made sure to clarify that PLCs are not IT, like the STUXNET attack using IT as the delivery vehicle, but in reality the “warhead” was a control system attack. There is no anti-virus, no patch for addressing the warhead. Neither Estonia nor Georgia had their infrastructure attacked by this form of attack. Joe pointed out that we have too many IT professionals who know nothing about control systems; there is a lack of education and training in this field, due to the lack of control systems professionals and initiatives.

We as a nation must stop being secretive and obscure about this problem and start facing reality by creating programs that are open to the public to educate and train America on control systems security and the role of cyber in this environment. Joe is one of the few control systems professionals preaching this truth out there; we all should listen to him and take action. I am glad to say that CSFI is ahead of the curve by creating our STUXNET workshop and producing control systems training, ALL of it done with minimal budget and volunteerism efforts. If we can do it, so can our government. I would like to voice Joe’s concern and invite our leaders to think about such initiatives, to collaborate, join hands with industry and take action before it is too late. I always tell my children that freedom comes from education, and we need to be more educated about cyber security and control systems security in order to be free. 

I had the pleasure to talk with Jeff Moulton, and I appreciate his comment during the event about cyberspace being a war fighting domain. This reality must not be forgotten, and it is DOD doctrine. I understand that many cyber security professionals may not like to use the term cyber warfare and rather say cyber conflict or cyber operations, and that is OK. The fact of the matter is that nation states and other actors can fight through and in cyberspace to accomplish military missions, using cyberspace as a medium for warfare.

This article was a bit long, but I feel passionately about the things I heard at the event and would like to share this with my dear CSFI members and friends.

 Paul de Souza, CSFI Founder Director

Filed under: Uncategorized

GOVSEC 2011

The GOVSEC Conference took place at the Walter E. Washington Convention Center in DC. I had the opportunity to attend this incredible event and was impressed from the beginning with the way the event was organized with helpers throughout the place to answer questions about their tracks. I liked the combination of cybercrime and cyber security, and it ended up being a well-balanced event. 

I really enjoyed the list of keynote speakers and the great variety of the other featured speakers. One of my favorite tracks was the “Insider Threat: Challenges, Technologies & Solutions” with Amanda Woods (Senate Committee on Homeland Security and Governmental Affairs), Scott Schober (Berkeley Variatronics Systems) and Dennis Wolfe (Virtual Imaging, a Canon U.S.A. Company). The approach for this panel covered physical security for the most part from an imaging and signals perspective. The presentation by the panel was enjoyable because I had the opportunity to learn about some interesting technologies being used by law enforcement and DHS to help keep us safe. 

Amanda Woods covered some of the initiatives taken by the FPS. The Federal Protective Service (FPS) is the federal police force of the Secretary of Homeland Security. As a component of U.S. Department of Homeland Security, National Protection and Programs Directorate within DHS Headquarters, FPS is responsible for law enforcement and security of nearly 9,000 federally owned and leased buildings, courthouses, properties, and other federal assets and the personnel associated with those assets. Amanda Woods mentioned the GAO’s report on the FPS: http://www.gao.gov/new.items/d08683.pdf. FPS faces several operational challenges that hamper its ability to accomplish its mission, and the actions it has taken may not fully resolve these challenges. Because physical security is entirely dependent on network systems, collaboration between physical and cyber professionals is vital. 

Dennis Wolfe’s presentation was probably one of the most educational presentations on “transmission” scanning I have ever seen. He went about explaining the advantages of “transmission” scanning over “Backscatter” and “Milliwave” for airports. I really wish I had his PowerPoint presentation to share. But, the basic idea is to educate the general public about the fact that transmission scanning has the capability of seeing body cavities with less intrusion than its counterparts and with more certainty and security. Dennis Wolfe explained that this form of technology is being used in our prisons in the US to find foreign objects inserted into the human body. Backscatter and Milliwave would not be able to find that, making it easier for terrorists trying to get through our physical security checks at the airports. He made a point that we have been using ineffective scanning technologies at the airports. Perhaps we should be using a combination of the two? With more than 2500 airports in the US, a technological migration could cost us a fortune, but according to Dennis Wolfe, it should be done. It was also explained to the audience that transmission imagining technology is safer, causing less harm on the human body than a normal day outside in the sun. His presentation was quite interesting to say the least. 

GOVSEC was filled with great presentations, one after another, with topics for any kind of security professional. If you think that this event is only for law enforcement, you are mistaken. They had an abundant number of vendor booths with a great selection of physical and cyber security technologies. I would like to point out some of my favorites: Stephen Day from TIBCO http://spotfire.tibco.com/ (Thank you, Stephen, for taking your time to answer my many questions!), Scott Schober from Berkeley Varitronics Systems and his cell phone detector wolfhound product (very interesting solution here!) http://www.bvsystems.com/, the folks from Homeland Security News Wire http://www.homelandsecuritynewswire.com/. There were many vendors with interesting technologies and solutions.

I would like to congratulate GOVSEC for putting together this great event, and I do recommend our CSFI members to attend. I know I plan to go back next year!

Paul de Souza, CSFI Founder Director

Filed under: Uncategorized

CSFI Blog Calendar

April 2011
M T W T F S S
« Mar   May »
 123
45678910
11121314151617
18192021222324
252627282930  

Enter your email address to follow this blog and receive notifications of new posts by email.

CSFI Twitter

Career Thoughts

I am humbled and honored to have the opportunity to manage and run one of the biggest and most active forums on the Internet dealing with cyber warfare and cyber security – CSFI (The Cyber Security Forum Initiative). With over 16 years of cyber security experience, I continue to actively raise Cyber Warfare/Cyber Security awareness worldwide. I have worked as a Chief Security Engineer for AT&T, where I designed and approved secure networks for MSS. I have also consulted for several governments, military and private institutions on best network security practices throughout my career.

CSFI and its divisions CSFI-CWD (Cyber Warfare Division), CSFI-LPD (Law and Policy Division) and CSFI-WD (Wireless Division) continue to grow and expand with more than 60,000 information security members.

One of my personal goals is to serve our security community to the best of my abilities, in the protection and defense of our American national security interests, the American people, and that of our international partners. I am always ready to serve and to give of my time and skills to help our society with the growing problems we experience in cyberspace. I thank God and my family for the opportunities I have had in life and the most precious of all opportunities, which is the chance to serve others. I love what I do, and I appreciate all the support I have received from friends, family and our CSFI members.

___________________________________________

Paul de Souza, CSFI Founder Director