Latest posts


Quick Study

By Brian Robinson

View all blogs

NSA stakes another claim to cybersecurity leadership

Much is being made of the recent Wall Street Journal story about the National Security Agency’s “Perfect Citizen” program, which reportedly is aimed at putting sensors into networks at such places as defense contractors, power plants and big Internet companies in order to better sniff out cyberattacks before they can wreak major damage.

Most of the commentary so far has been about the potential Big Brother aspects of this, with the government spying on private industry and so on. However, it should come as no surprise to people who have been following the progress of the government’s Einstein 3 system, since the clear implication is to get that also into the critical public infrastructure as well as government networks.

But there are other interesting nuggets in these reports, such as the program being voluntary but that NSA is dangling incentives to companies such as additional government contracts if they comply. There’s also an implicit threat there, since if companies already have government contracts, then non-compliance could damage their future dealings with government.

The NSA must follow the federal acquisition regulations, but it doesn’t usually advertise its procurements and it makes liberal use of the national security exemption in awarding contracts. It would be naive to think that agencies and the government overall don’t use procurement as a giddy-up to companies to get them to do certain things, but this seems to steer close to outright bribery.

Some commentators wonder why the NSA is going so public with this story. But while there’s a lack of official statements, all of the inside sources quoted suggests some kind of informal leak.

Perhaps we should look no further than that ancient government practice of turf war. Cyber security has quickly gone from being a blip on the policy radar to a major concern, at least the high levels of government. The Obama Administration has been hot for it from the get-go, and now Congress is hammering away at legislation.

Which means cybersecurity is probably the biggest item in terms of influence and potential budget gains in Washington, D.C. right now. The Homeland Security Department is being pushed as a leader on all of this, but the NSA has made it plain through various means that it thinks it should be fronting this. Its involvement has been a big reason for previous government cyber czars quitting their jobs.

Perfect Citizen should be seen as another shout-out from the NSA in its claim to be the agency that’s on top of cybersecurity.

Posted on Jul 08, 2010 at 9:03 AM0 comments


Beware of that bug: It could be following you

When you think of intelligence-gathering robots the images that most readily come to mind today are of low-flying unmanned aerial vehicles such as the Predator drone, scanning vast regions of land below them and using high-resolution cameras and sophisticated sensor technology to detect enemy men and materiel.

In the future, however, UAVs may more closely resemble fluttering insects.

In the long term, the U.S. Army certainly sees miniature “bug” UAVs as a big part of its battlefield operations. According to a recently released roadmap, clouds of them would be used to survey buildings and various sites before soldiers enter them.

That future may be closer than people imagine, given the pace of developments in this field. The University of Washington, for example, has developed thermal-powered bug robots that can carry up to seven times their own weight, something that will be essential if these things are to operate in the field for any extended periods while also hefting the sensors needed to gather intelligence.

Needless to say, the Defense Advanced Research Projects Agency is one of the sponsors of this research, along with the National Science Foundation.

Another development consists of small robots that use a new form of artificial intelligence to use insect-like instincts to land and stick to any surface, and then release on command. That doesn’t sound like a big deal, but it’s something that is essential for these robot swarms to move over rough terrain, such as would be needed for use in areas devastated by natural or man-made catastrophes.

This perching mechanism allows the tiny bots to conserve energy to the maximum, and is apparently a big advance on past swooping maneuvers used for landing. Releasing has also apparently not been easily possible before. Here’s a cool video showing this.

All things being said, as difficult as a lot of this seems, it’s probably more viable than another DARPA plan to use real insects as spies.

Posted on Jul 02, 2010 at 9:03 AM0 comments


'Encryption on a chip' raises hopes for better security

Encryption is often cited as one of the answers to cybersecurity woes, but it's a tough process to handle for many of the smaller devices that people now carry around—and tend to lose—along with all of the sensitive data on them (think laptops at the Defense and Veterans Affairs departments, among others).

Putting encryption into the processors that run these devices would greatly simplify things.

Huzzah! Chipmaker Intel Corp. recently announced it has come up with a process that would allow the random-number generator, which is the basis for encryption, to be made with the same semiconducting material and at the same feature size now used for modern processors. The generators would also be all digital, rather than the current generation of hard-to-handle analog components.

An IEEE Spectrum story quotes Greg Taylor, director of Intel's Circuit Research Lab, as saying that this new device can generate billions of random bits per second and is more random than current analog generators, which means the encryption is even stronger.

Here's an example of what encryption can do for you, if done properly. Brazilian police trying to get a look at the hard drive on a suspected financial criminal's computer were unable to crack the encryption he used after months of trying and after getting the FBI and its famed investigators involved.

One of the algorithms apparently was based on the venerable 256-bit AES encryption standard, which is one of the standards recommended by NIST.

However, as security guru Bruce Schneier points out (and hat-tip to him for the Brazilian story lead), it's how you apply encryption that matters.

Posted on Jun 30, 2010 at 9:03 AM2 comments


Cloud computing and the disaster in waiting

There’s nothing like a disaster story to get the headlines whirring on just about anything else, and the fairly mundane subject of cloud computing -- all the current hype aside -- is apparently no different. Some industry watchers now warn that the IT industry’s own Deepwater Horizon event is just around the corner.

An Ars Technica writer recently spoke to various industry sages who talked about how, at some point, there will be a major breach of security or act of terrorism involving the cloud that will cause everyone in industry and government to engage in a massive rethink of the worth of the cloud.

Of course, whether the oil spill disaster in the Gulf ends up causing anything more than a momentary blip in offshore drilling is an open question, given all the money and political capital invested in the issue. Cloud computing isn’t exactly in the same league, but it’s arguable that the tipping point about the move to the cloud has already been reached, so how badly such IT-based disasters would affect that is questionable.

However, there’s no doubt that security and privacy are among the strongest of the potential show stoppers for the cloud. A recent Pew Internet survey (http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx) said as much, as did an IDC survey. Those worries tend to outweigh the perceived benefits of the cloud, at least for now.

Then again, you could take the attitude that the current frenzy over cloud computing is just the result of clever marketing. According to a story in Internet Evolution, at least, cloud computing is really nothing more than a fancy term for the good old client/server link. At the end of the day, according to the author Gideon Lenkey, “you’re using a software client to access data on a server, a machine in a rack, across a network.”

Instead of worrying about the security of the cloud, he says, just focus on worrying about security, period. No matter what name you give to today’s favored IT flavor, that problem never seems to go away.

 

Posted on Jun 24, 2010 at 9:03 AM4 comments


Military, intell agencies dismiss DARPA-led cyber range

It looks like the Defense Advanced Research Projects Agency (DARPA) may be getting squeezed out of the competition to build a test range for potential cyber security solutions, with pushback from both military and intelligence agencies who want to see more speed and action.

The main complaint about DARPA over the years has been the difficulty it has had in turning lab technology into operational systems, according to a story in Aviation Week, so the potential customers of the cyber testing range have apparently been pressing for a bigger say in the actual testing and deployment of cyber systems.

“The services didn’t want to wait around for DARPA,” the story quotes a senior program official saying. “The Navy’s 10th Fleet Cyber Command wants to expand a small range at Network Warfare Command in Little Creek, Va. The National Security Agency wants a range at Fort Meade, Md. And the 24th Air Force wants its own capabilities.”

DARPA’s goal with the cyber range is to revolutionize the state of cyber testing, according to Michael VanPutte, the DARPA program manager of the National Cyber Range. That entails a fully automatic range that can be rapidly configured to “get the results back out to the community.”

The cyber range is a part of the Bush era Comprehensive National Cybersecurity Initiative, which is a governmentwide rather than strictly a military undertaking. It was supposed to be a focal point for industry and government to test their cyber tools.

However, it’s not happening fast enough for the various intelligence agencies. The seven-year program envisioned by DARPA is considered way too slow—which means DARPA may now be involved only up to the prototyping stage and not in the actual building of the range.

 

Posted on Jun 21, 2010 at 9:03 AM0 comments


Security concerns persist about microchips used in smart devices

A recent investigation by the Center for Public Integrity and ABC News turned up the fact that microchips and antennas intended for U.S. e-Passports were being manufactured in Thailand—a country currently plagued by political and social unrest which, in turn, creates all kinds of security risks for terrorism and others tampering with the main identification used for crossing U.S. borders.

Sen. Charles Schumer, the New York Democrat who heads the Senate Committee on Rules and Administration, is pressuring the Government Printing Office (GPO), which is in charge of e-Passport production, to bring that chip manufacturing back to the U.S.

GPO complained that no U.S. vendor is up to snuff when it comes to testing these chips for international-standards compliance, but Schumer dismissed that pretty handily. “There are more than 25 companies in the United States — and at least five companies in New York — who possess the capability and knowledge to manufacture the chips,” he told GPO.

This points up what’s likely to be an increasing headache for U.S. government users of technology, given that just about all of the electronics they manipulate now to do their jobs is made overseas, including the chips.

It used to be that Intel, AMD and other chip companies did most of their manufacturing in the United States, but that’s not true anymore. A lot of the design still happens here, but manufacturing and testing is increasingly going abroad, primarily to contract Asian foundries, although Germany could soon be another major source of these chips.

One immediate example of what this could mean for the United States is the momentum that’s gathering to give U.S. soldiers smart phones that they could use in the field. The assumption is that the farther away the chip manufacturing for these phones moves from the United States, the less secure the whole system could be.

That’s even more relevant to the weapons the U.S. military uses, which are increasingly computer- and communications-centric. And that’s led to programs such as DARPA’s Trust in Integrated Circuits, which is looking to develop ways to certify that chips that go into these systems haven’t been messed with by bad people with malicious intent.

Given the cutthroat competition in the electronics markets these days, chip companies are unlikely to pull back from these cheaper foreign manufacturers. But, for the really essential stuff, perhaps Schumer has a point?

 

Posted on Jun 16, 2010 at 9:03 AM1 comments


Defense Systems eNewsletters