Lawyer Paul Rosensweig and national security analyst Megan Reiss think John Bolton getting rid of the "cyber czar" position is "a magnificent idea:"
Bolton is completely correct that there is no need for any coordinationbetween the various federal agencies on this issue. Cybersecurity is not a cross-cutting problem that affects all sorts of equities. We have no concerns that eliminating this position will result in conflicting mission imperatives. We have every confidence that the National Security Agency, for example, can work out vulnerability disclosure equities without the need for input from the Departments of Commerce, Justice or Homeland Security (much less Treasury or State).
We also are confident that the decision accurately reflects the diminished importance of cybersecurity as a national issue. Cybersecurity is no longer deserving of the prominence that so many national security experts seem to give it. We fully expect the Office of the Director of National Intelligence to eliminate the cybersecurity menace from its annual threat assessment. We are confident that the trend lines for cyber threats and intrusions are down.
Didn't we already know John Bolton was incompetent?
Greg Sargent this morning points out that my party's congressional candidates aren't running the campaigns that the popular imagination thinks they are, which is a good thing:
There’s a narrative about our politics right now that you constantly encounter on social and political media. It goes like this: Democrats are too obsessed with the Russia investigation, or with Stormy Daniels, or they’re just too focused on “not being President Trump,” and as a result, they aren’t articulating an affirmative agenda and risk getting caught flat-footed by Trump’s supposedly rising popularity.
But this narrative is entirely wrong, and two new pieces this morning help set the record straight.
The first article is by Nate Silver, and it puts Trump’s job-approval numbers in their proper perspective.
If Trump’s numbers are rising, they are only doing so inside a very narrow range that remains abysmally low. And don’t forget the polling that shows strong disapproval of Trump is running higher than strong approval, which could impact disparities in voter engagement.
The second piece is by Ron Brownstein, and it reports accurately on how Democrats are actually running their campaigns right now. As Brownstein notes, many Democrats think that their chances of winning this fall turn less on whether Trump gets further dragged down by scandal, and more on their ability to link the GOP’s tax cuts to its failed (but continuing) drive to roll back health coverage, which together amount to a deeply unpopular overall set of GOP priorities.
With Republican primary elections in Indiana, Ohio, West Virginia, and North Carolina going on today, we may have even better data about how we're retaking the House in November.
On the other hand, Bruce Schneier notes that both parties' campaigns are dangerously nonchalant about IT security. Great.
A couple stories of interest:
OK, back to being really too busy to breathe this week...
I'm writing a response to an RFP today, so I'll have to read these when I get a chance:
There were two more stories in my inbox this morning, but they deserve their own post after lunch.
Via Bruce Schneier, DHS Senior Analyst Jack Anderson describes how walls are still a dominant security metaphor, and the consequences of that choice:
Walls don’t fail gracefully. But there is a bewitching tendency to trust them more than we should, and this leads to dangerous liabilities. Extreme risk prognosticator Pasquale Curillo calls this tendency to depend too much on controls we’ve put in place the “fence paradox.” By protecting things — which they must — organizations can encourage situations where they stand to lose a lot if their wall is breached. When that fortification fails (and eventually, every fortress fails) it fails catastrophically. The scale of the Equifax hack in 2017 and the Brussels bombings in 2016 both illustrate the way that organizations and systems organize risk, tending to put together massive targets for potential threats. Walls actually encourage this kind of thinking. If you build walls to protect something, it makes sense to expect them to work. But network architects and airport security designers both need to listen to de Montluc, the 16th century French military mastermind: “Nothing is impregnable.”
We need a new awareness of what walls do. It’s tempting to think of them as blocking threats, but they don’t. They behave more like filters — winnowing out only those threats not serious enough to circumvent them. And this implies a secondary problem apart from the fence paradox. A wall that prevents large-scale foot traffic across unsecured locations in the U.S border means that only determined, capable adversaries will be able to cross the wall. The people who are the least threatening are the only ones who are easily deflected. It may prevent smaller scale losses, but it actually encourages your biggest threat to innovate, leaving room for catastrophe. Bag checks and barricades moved a perimeter outward at the Mandalay Bay Casino last October, but Stephen Paddock circumvented this by moving his position upward. As Washington considers the marginal benefits of a massive border wall, it needs to think equally of this revenge effect.
This weakness is where the idea of “defense in depth” (layered security) comes from. A good summary of the reasons for defense in depth comes from a 1921 Infantry Journal, published by the U.S. Infantry Association: “All essential elements of the defense should be organized in depth. If the forward defensive areas are captured, resistance is continued by those in the rear.”
That's bronze-age wisdom, in fact. And yet security designers don't seem to learn. And the President's wall around Fantasyland will not prevent the threats he fears, not one little bit.
Lots of things popped up in my browser today:
And now, back to work.
Via Bruce Schneier (and other sources), the Australian government suffered one of its worst-ever disclosures of secrets caused by not looking through used furniture:
It begins at a second-hand shop in Canberra, where ex-government furniture is sold off cheaply.
The deals can be even cheaper when the items in question are two heavy filing cabinets to which no-one can find the keys.
They were purchased for small change and sat unopened for some months until the locks were attacked with a drill.
Inside was the trove of documents now known as The Cabinet Files.
The thousands of pages reveal the inner workings of five separate governments and span nearly a decade.
Nearly all the files are classified, some as "top secret" or "AUSTEO", which means they are to be seen by Australian eyes only.
But the ex-government furniture sale was not limited to Australians — anyone could make a purchase.
And had they been inclined, there was nothing stopping them handing the contents to a foreign agent or government.
The found documents ranged from embarrassing (to both major Australian parties) to seriously top secret (troop deployments, police investigations). In response, the Australian government is calling for increased penalties for publishing or even possessing secret documents—but as Schneier points out, in this case that would have made the breech immeasurably worse for Australia:
This illustrates a fundamental misunderstanding of the threat. The Australian Broadcasting Corp gets their funding from the government, and was very restrained in what they published. They waited months before publishing as they coordinated with the Australian government. They allowed the government to secure the files, and then returned them. From the government's perspective, they were the best possible media outlet to receive this information. If the government makes it illegal for the Australian press to publish this sort of material, the next time it will be sent to the BBC, the Guardian, the New York Times, or Wikileaks. And since people no longer read their news from newspapers sold in stores but on the Internet, the result will be just as many people reading the stories with far fewer redactions.
In all, it's a reminder of the security adage that no security system can completely protect against human stupidity.
I got a weird text from T-Mobile a few minutes ago:
T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure
Well, that does not sound good.
And it's not. Apparently thieves have found that American mobile phone providers are unusually helpful when it comes time to steal mobile phone numbers (called "SIM hijacking") or to port those numbers to third-party mobile providers. In both cases, the thieves now have a way to bypass any three-factor authentication (TFA) you may have set up with, for example, your bank.
T-Mobile at least offers a service called "Port Authentication" which lets you set up a 6- to 16-digit PIN that you must have to make any changes to your account—like, for example, getting a new SIM. After getting the text alert, and validating it with trusted online sources, I immediately called 611 and set up port authentication.
There are a couple of other things you should do:
- Lock your phone all the time, with something very hard to subvert, like a strong password. If you must use a convenience feature like iris or fingerprint authentication, make sure the phone still requires a password on reboot.
- Set your phone up so that it doesn't display the contents of texts or IMs when your phone is locked.
- Encrypt your phone, so that even if all your other security is bypassed, you won't be stuck.
Seriously, this all costs you nothing and can save you a fortune.
As part of my current project's non-technical requirements, I've just completed 5 hours of anti-terrorism and security training. Biggest takeaway: bullets ricochet down, grenade shrapnel goes up. Also, don't put random CDs in your computer. Oh, and I have to repeat about 3 hours of it a year from now.
Today is actually a company holiday but I've got a lot of work to do, including this training. Also we've gotten about 60 mm of snow today with more coming down. So steps go down, heating bill goes up.
Kerry Howley, writing for New York Magazine, profiles the "terrorist [with] a Pikachu bedspread:"
In those first months on the job, the country was still adjusting to Trump, and it seemed possible to some people that he would be quickly impeached. Reality listened to a podcast called Intercepted, hosted by the left-wing anti-security-state website the Intercept’s Jeremy Scahill and featuring its public face, Glenn Greenwald, and listened intensely enough to email the Intercept and ask for a transcript of an episode. Scahill and Greenwald had been, and continue to be, cautious about accusations of Russian election meddling, which they foresee being used as a pretext for justifying U.S. militarism. “There is a tremendous amount of hysterics, a lot of theories, a lot of premature conclusions being drawn around all of this Russia stuff,” Scahill said on the podcast in March. “And there’s not a lot of hard evidence to back it up. There may be evidence, but it’s not here yet.”
There was evidence available to Reality.
The document was marked top secret, which is supposed to mean that its disclosure could “reasonably be expected” to cause “exceptionally grave damage” to the U.S. Sometimes, this is true. Reality would have known that, in releasing the document, she ran the risk of alerting the Russians to what the intelligence community knew, but it seemed to her that this specific account ought to be a matter of public discourse. Why isn’t this getting out there? she thought. Why can’t this be public? It was surprising to her that someone hadn’t already done it.
The classified report on the Russian cyberattack was not a document for which Reality had a “need to know,” which is to say she wasn’t supposed to be reading it in her spare time, let alone printing it, and were she to print it for some reason, she was required to place it in a white slatted box called a “burn bag.”
Why do I have this job, Reality thought, if I’m just going to sit back and be helpless?
Reality folded up the document, stuffed it in her pantyhose, and walked out of the building, its sharp corners pressing into her skin. Later that day, President Trump fired James Comey, who had been leading an investigation into Russian election-meddling. Reality placed the document in an envelope without a return address and dropped it in a standing mailbox in a strip-mall parking lot. Court documents suggest she also sent a copy to another outlet, though which one we don’t know.
For a bad decision she made at 25, she may spend most of her productive years in prison. And in the current climate of secrecy and surveillance, it's hard to see how she can even defend herself against the charges.
Her trial is set for March.