Sunday, November 25, 2012

Solving Cyber Security

I am usually a fan of Heritage Foundation products. So it is with regret that I disagree with their argument that “information sharing” will solve the problem of national level threats to cyber security.  ( ). However, my 15 years of teaching and writing in homeland security convince me they are wrong. Here’s why.
Many people think of a computer like a telephone. You use it to connect to only those you want to talk to. Not so.
Unless you actively intervene, when you connect to the internet, your computer is potentially connected to every other computer in the world. Your friend’s computer, your bank’s computer, the Russian mob’s computer – every one can call you and listen in, whether you know it or not. It is like living in a house without walls. Unless you put up curtains, everyone can see what you are typing, sending, and filing on your computer. And everyone who you contact needs curtains, else the computer at your doctor, your bank, the credit card company, etc. are all subject to having their information (which now includes your information) compromised as well. Unless you all put up walls, outsiders can even hijack your computer to use it as a weapon against others, or they can use someone else’s computer against you – all without your knowledge.  In fact, without special protection, every computer connected to the internet – at hospitals, chemical plants, police stations, airports, nuclear power plants – every one is open to attack and hijack. This threatens the entire nation, not just you and your personal computer.
Remember, the internet was designed to let a few trusted military stations communicate during a nuclear war. Security was provided by controlling access to the few computers available, and the few connections that linked them. Now, with a much expanded internet and no security features designed in from the start, security against attack must be added on, like a roof rack and trailer hitch added to a sports car. And that’s not easy, because the whole idea of the internet it to connect quickly and smoothly to many other computers.
So the security measures you apply – that everyone applies -- must be able to recognize quickly innocent computers and “open the door,” while instantly identifying malevolent computers and shutting them out. Meanwhile, this challenge changes constantly – many times a day – as attackers routinely develop new ways to use the doors you must open in the course of normal internet operations.
Meeting this challenge is difficult and expensive, and nobody wants to pay the price in time and money. This is true of individuals, who rarely know exactly what to do to fully protect their computers. It is true of government, where small budgets and long procurement times almost always produce outdated systems with outdated protection schemes. And it is especially true of business, where security is perceived as all cost while creating no new profit.
Now the situation is becoming critical with vulnerabilities mounting to the point that the Secretary of Defense has a warned of a “Cyber Pearl Harbor” which might cripple the nation as a whole.
What to do? How to ensure people and organizations improve their security daily as threats mount?
Some are pressing for government mandated standards, and centralized government power to monitor who is meeting the standards and punish those who don’t. Heritage rejects this as a sole solution, and so do I – plodding traditional government bureaucracies alone just can’t keep up with the changing means of attack.
But Heritage and some others think voluntary “information sharing” will be enough to encourage everybody to protect themselves (and you and the nation in the process).  I don’t. Experience is clear– most people, most agencies and most businesses simply will not learn what needs to be done, pay for it, and do it, unless there is some direct reward for being good, or direct penalty for being bad. Voluntary compliance on something so important poses an extraordinary risk.
And so the solution is . . . well . . . some experts say the only solution is to rebuild the internet from scratch, incorporating security from the ground up.  Good luck with that.
Before I offer my solution to patrolling the information highway, let’s consider how we reached an acceptable level of security on the real automotive highways we all use every day.
Automobile use began with maximum freedom – design anything you want, go anywhere you want, use any driver you want. No headlights, no safety glass, no car seats for children, no licenses for drivers. Everybody just cooperate and share information on auto safety. Result:  mayhem, injury and death – and excessive hazards to ourselves and others.
Eventually, however, we ended up with a system that combined essential government regulation with a reasonable amount of freedom. Today we accept design regulations, speed limits, drivers licenses, safety inspections, etc., but within those rules we drive when and where we want. How did we reach this balance? How did we arrive at a system where my neighbor is allowed a reasonable degree of freedom in using a tool that can threaten my life, and yet we all stay reasonably safe?
Answer: through a system that includes reasonable government regulations, fines and penalties for violating those regulations, and stiff civil judgments against those who ignore the regulations and cause harm to others. Individual freedom balanced by both civil and judicial punishment for those who act irresponsibly.
Perhaps this is not a bad way to think about how we are going to control traffic and irresponsible drivers on the information highway. Not government over control. Not libertarian bumper cars with public safety and security at risk. But a balance of rights and responsibilities, bounded by minimum safety regulations, punishments for violation of those regulations, and civil penalties for damages inflicted on others. 
Drivers Ed anyone?

Friday, November 16, 2012

Getting it Wrong Next Time: Sandy, Leadership and the Press

     The poor response to Hurricane Sandy is more than a national disaster.  It is a national disgrace.
     Tens of thousands of American citizens were still sitting in cold, dark, wet, ruined houses weeks after the storm passed through. This hurricane was not “unthinkable” as the Governor of New Jersey said. It was anticipated years ago and its impacts detailed by DHS as one of “15 National Planning Scenarios.”
You can read a brief summary of the predictions for a Category 5 storm (Hurricane Sandy was only a Cat 1) at . DHS, FEMA, Emergency Managers, and Federal, State and Local Officials should have been thinking about this, talking about this, planning for this, and exercising their plans for years.  Instead they blew off these responsibilities and focused on what they wanted to focus on -- lesser issues they know how to manage -- challenges that let them be in charge and distribute the money without revealing their inability to deal with what the head of FEMA has called a “Maximum of Maximums” event.  The press should be all over this. Instead, all the guilty are off the hook. There are several reasons why:
- Press resources were spread thin between the election and the storm. The A Team was on the campaign trail and that is where the producers focused. So national networks depended on local reporters and stations to cover the story – and they focused very locally. Nobody told the story of whole storm and whole disaster as a whole.
- The story was hard to cover. The storm came ashore at night reducing the dramatic pictures - and the viewing audience. It produced thousands of road blocks making travel difficult. And there were few dramatic rescues. It is easy to take a picture of people on a roof. It is hard to capture cold children in a dark, wet house.
- The press really did not want to damage President Obama in a tight election. They harped on the hug between Governor Christy and the President, but touched lightly the bewildered citizens looking for food and warmth.
- The press really did not - and does not - understand this story. They are focused on gas lines, shelters and blanket distribution. They should be focused on response plans and coordination between jurisdictions. They do not know enough to question the proper use of NIMS (National Incident Management System). They fault FEMA and the Red Cross without asking “where are the local officials FEMA and the Red Cross are supposed to coordinate with?” They never heard of the 15 National Scenarios and do not recognize the collapse of DHS’s vaunted "Whole of Community" response. They do not see how political inattention crippled infrastructure over time and made repairing that fragile infrastructure difficult.
- The press has missed the story about the struggle between National Security and Public Safety -- between Emergency Managers and Security Professionals -- for the soul of homeland security. They do not know that the crimped vision of local Emergency Management  has won out, so there are no real national standards for measuring local preparedness. The losers in this struggle, as we see on TV, are the citizens.
            - The press really does not understand that top leaders (federal, state, and local) had the opportunity to prepare for exactly this problem and threw it away. Here is the question the press should be asking: “National guidance says state and local government should have been ready for an event like Sandy. When is the last time you and your staff exercised your plans for response and recovery on this scale?” We all know the answer. I would like to hear elected officials  say it out loud.
- And finally -- much of what Katrina wiped out was in such bad shape that it could hardly be called infrastructure. And most of the people directly impacted moved (to Houston, Dallas, Los Angeles, etc.). You could take time for recovery, because the homes and business were largely abandoned. But the damaged parts of NY and NJ are densely populated with functioning neighborhoods and Critical Infrastructure important to the nation as a whole. The residents want to stay during the rebuilding. How do you recover, while the people stay in place?  This is not easy. It requires planning and preparation which federal, state and local leaders, liberal and conservative, did not do.
The press is not calling these leaders to account for these failures. And so the next time we face a terrible but fully anticipated disaster, we can expect more of the same.

Thursday, November 8, 2012

Hurricane Sandy: When Risk becomes Reality

What happened in NY/NJ with Hurricane Sandy is really important -- and most of the main stream media has missed the story.
1) Gov Christy said the damage was "Unthinkable." Really?
Answer: No - that is how he and other local officials covered their behinds after their own abject failure. Sevevn years ago DHS published "15 National Scenarios" that local officials were to use as a benchmark for preparations. One of them looked almost exactly like Sandy. Officials in NY and NJ (and elsewhere) ignored the warning. And they let their Emergency Managers focus on lesser contingencies. This is another major failure of state and local leadership (Christy and Bloomberg and Cuomo) -- just like Katrina -- with those officials desperately trying to shift blame (like in Katrina).
2) Where was FEMA?
Answer: Exactly where it was supposed to be doing what it is supposed to be doing. FEMA does not do RESPONSE, which is what the first 3-5 days is all about. That belongs to state and local officials. FEMA does RECOVERY -- by law. That means evaluating damage and writing checks -- mostly for infrastructure, not individuals. FEMA rebuilds schools and sewage systems. It does not go door to door performing rescues. It does not provide hot meals to the community. FEMA is only about  3000 people -- smaller than the NYC Transit police. It does not clear trees and evacuate hospitals or hand out water. It hires contractors and arranges to have water and other materials shipped to the areas impacted. Again, like Katrina, this was a huge state and local fail.
3) So DHS got it right?
Answer: No DHS failed in a different way - primarily in the guidance they provided states and the requirements they laid on states. DHS has shifted from a focus on Preparedness under Chertoff to Risk Management under Napolitano. This encourages officials to prepare for what is most likely, not necessarily what is most dangerous. Local responders love this because it is easier and puts them in charge. Preparing for really hard stuff (like the 15 scenarios) means they have to meet somebody else's standards (the Feds) and not their own. DHS has also shifted focus from preparation by Top Officials to "community response" -- getting everybody to partner and play together in an emergency. Takes the pressure off top leaders, and off federal planners both -- they just set it all up and all these various partners cooperate in time of emergency. And the problem heals itself.
"Whole of Community" (the new federal buzz word) failed miserably and as a result, tens of thousands of people were without food and shelter and 1 million still without power 9 days after the storm.
4) What went right?
Answer: Heroism by local responders and citizens, Cooperation by neighbors. Help from across the nation (utility crews, Baptist men, Red Cross, etc.) Response worked at the bottom. It failed at the top.
RECOVERY will be a TRILLION $ issue. We ought to consider who failed in Preparedness when we consider who will pay for Recovery.
In Sandy, the Administration failed, DHS failed, state and local leaders failed -- and reporters, distracted by the election, did not call them on it. A national scandal.
PS -- Major Hurricane in a Major Metropolitan Area was only 1 of the 15 National Scenarios. 3 of the 15 dealt with bio threats. And everybody knows NYC is target #1 for a nuclear weapon. If you think the hurricane was a mess . . ..