Cybersecurity Conversation with the Director of the U.S. NBIBGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-04-01T04:00:00Z, Megan Gates<p>​Following a massive data breach at the U.S. Office of Personnel Management (OPM) in 2015, the Obama administration created the National Background Investigations Bureau (NBIB) in January 2016 to improve how the U.S. federal government conducts and delivers background investigations.​</p><p>The NBIB, which became operational in October 2016, is the primary service provider for governmentwide background investigations for the U.S. federal government. It’s also responsible for providing investigative systems training and conducting oversight evaluations of other U.S. agencies to ensure compliance with U.S. security regulations.</p><p>“NBIB has the responsibility of conducting background investigations for over 100 federal agencies—approximately 95 percent of the total background investigations governmentwide,” according to the bureau’s website. “Subsuming the existing mission, authorities and staff of the former Federal Investigative Service, the NBIB was stood up without interruption to the crucially important investigative services OPM is tasked with providing.”</p><p>For further insight into the creation of NBIB and how it’s working to keep background investigations’ data secure, Security Management Associate Editor Megan Gates sat down with NBIB Director Charles Phalen, Jr. Phalen has spent 30 years in the federal service, most recently as the director of security for the CIA. </p><p>Their conversation has been edited for clarity.</p><p><strong>Gates:</strong> The NBIB director position is an appointed one. When you got the phone call asking you to take the job, what made you say yes?</p><p><strong>Phalen:</strong> I had retired not once—but twice—from the U.S. government. Northrup Grumman has a mandatory retirement age for vice presidents at 65, and I hit that magic number in 2016. So I’d retired from there and was available.</p><p>I got a call from some folks in the U.S. Department of Defense that I’ve known for a long time who said, ‘Would you consider this?’</p><p>The world knows that this is a program that has some significant challenges. When you couple that with the fact that I have been doing this for a long time, and I do feel very strongly about the need for trusted people in the business, I said, ‘Sure, I’ll be happy to talk.’</p><p>I spent probably three or four weeks talking to various folks in different parts of the government, including OPM, the Office of Management and Budget, and at the Pentagon. I asked more questions than they asked. And concluded at the end that this was an opportunity that may not occur again. Putting it more succinctly: In all those years that I have seen—not just in the classified world but in the whole world—things that a trusted workforce can accomplish, whether it’s a trusted workforce in government or a trusted workforce in industry. And the stuff we’re able to put out gives this country the edge that it needs.</p><p>I’ve also seen what happens when somebody betrays that trust—seen it upfront and personal. And I know that this is an impossible task—to stamp it out completely—but we have an opportunity to do better at it, and mitigate those opportunities, reduce those opportunities, and go at it in maybe a different way.</p><p>When’s the last time we had a big chance like this? Probably 1986, the Year of the Spy, when we had a lot of opportunities to change things. Whether we did it all right or not is for other people to look at and decide. But there’s enough momentum right now, with people interested, and enough driving force that this is an opportunity that won’t come around again anytime soon. I feel very strongly about the business, and this just seemed like a good thing.</p><p><strong>Gates: </strong>You were appointed by U.S. President Barack Obama to lead the NBIB when it was created, and then asked to stay on by President Donald Trump. What were the main issues for you going into your role?</p><p><strong></strong><strong>Phalen: </strong>There were two big main focuses. One is, there is this backlog of background investigations that everybody refers to—it’s significant. That number is interesting, but it’s not the real number. The real number is how long does it take us to turn out an investigation? If we had a backlog of 5 billion cases, nobody would care as long as we were turning out the investigations on a timely basis. We aren’t, so we have an immediate problem to deal with which is to reduce the time it takes to get somebody a national security clearance. </p><p>The other piece is, what does the future look like? We’re operating with legacy IT systems; we’re operating with a process that dates back to before I was born. We have a good chance to reexamine that process of how do you initially determine whether somebody is trustworthy and…how do you continue to maintain that trust? What can you do today that you couldn’t do 30, 40, or 50 years ago?</p><p>So that’s the other focus: how do we start the process of examining both the technology that will help us do those things, and what are those things we can do tomorrow that will help us maintain that trust throughout the lifetime of that individual?</p><p>Those are the two big challenges. And we can’t do one. We’ve got to do both. </p><p>And there’s a third piece that is part of both of those issues. One, the end of the contract that OPM had with a contractor, and it ended that contract fairly abruptly, reducing our capability to do investigations significantly. The contractor was doing more than half of the investigations, so the demise of that really hurt.</p><p>And those folks did not simply migrate to another contractor. Most of them went away and never got back in the business. That was a national level of capacity that was diminished almost overnight—a significant impact.</p><p>These problems were already there when the data breach was discovered. That resulted in a brief shutdown of all the intake processes, but was not the main contributor to the backlog. The demise of the contract is what did it.</p><p>The breach issue was trust, and trust in ourselves and in the American public as to whether we can protect this stuff, both now or in the future. So that takes us to another challenge, which is a partnership between me and our chief information officer (CIO) and the DoD CIO, and maintain our the current systems we have in as secure manner as possible. At the same time, we’re also investing in a future system that is probably two to three years in the offering that will give us greater capabilities, but still have that same level of security that we need to build into this to protect peoples’ information.</p><p><strong>Gates: </strong>The Federal Investigative Service was doing the work that the NBIB is doing now. How has the transition worked?</p><p><strong>Phalen:</strong> Essentially, all the assets of the Federal Investigative Service are now part of NBIB—they’re just merged over and it’s now under a single command. </p><p>What makes it different? It’s really a couple of things. One is the introduction of some capabilities and some organizational changes, additions, that will help us move into the future. The biggest one is the establishment of something called the Federal Investigative Records Enterprise—FIRE—their mission is to reach out and find those new data sources for us that we can get electronically, and to find ways—working with the CIO—to store and appropriately use this information as part of the investigative process.</p><p>This is a fairly significant investment, because right now there are so many data sources out there that are shoe-leather driven. We need to find ways to get that information more efficiently and more electronically, where possible.</p><p>But it does not eliminate the shoe leather piece, for a couple of reasons, not the least of which is not everybody posts their personal feelings online. And the second thing is electronically, there are a lot of places we need to get data from today that don’t have electronic interconnectivity.</p><p>We know that police records are a key piece of some things that we’re gathering. So we have identified a law enforcement liaison role to go out and draw more closely with that population. </p><p>And we have renewed a greater emphasis on both privacy laws and on network protection issues—a key piece of this thing. </p><p><strong>Gates</strong>: The law enforcement liaison role—what will that look like and how will it benefit NBIB’s mission?</p><p><strong>Phalen:</strong> One of the biggest sources, collectively, of adjudicatively significant information is law enforcement records. The absence of one is good; but having one is adjudicatively significant.</p><p>So, one might think that there’s a single repository for that stuff. If you think about shows like Criminal Minds or NCIS where there’s an analyst sitting in the basement and they say, ‘Go find everything you can about Charlie,’ and they (mimes typing on a keyboard) and up pops everything. It doesn’t work that way in real life.</p><p>We have a number of states that we work with that don’t share records electronically. There are a lot of places that don’t share electronically records within the state. What that means for an investigation is I need to know where you’ve been hanging out and then we have to put somebody on the street to go out and talk to a law enforcement agency that you lived in to get those records.</p><p>That’s what we’re trying to overcome [with the liaison] and develop our ability to reach out and establish a better relationship and talk about and explore ideas about how things can be interconnected. It’s going to be critical as we move on.</p><p><strong>Gates: </strong>The NBIB is also referred to as semi-autonomous from OPM. What does that mean?</p><p>Phalen: We have our independent contracting authority, our own independent hiring authorities, and our own dedicated procurement staff—our own team of lawyers and a legislative liaison. We’re not independent from OPM, but we have a lot of autonomy from the main stream there, which will give us some ability to push out what we think is our key message.</p><p>We also have our own dedicated communications team. One of the byproducts of the security business is that we tend to keep things quiet. Maybe we can do a better job of communicating with what would be our client base—anybody trying to be hired by the government or get a clearance for the government—because right now, we’re doing 95 percent of all background investigations. We’re doing all or part of it.</p><p><strong>Gates: </strong>Who’s doing the remaining 5 percent of the background investigations?</p><p><strong>Phalen: </strong>Some of the intelligence agencies do it all themselves for some of their cases. But there’s a fair amount of them that do use some of our resources, as well, for part of their investigations.</p><p><strong>Gates: </strong>You mentioned trust earlier, and getting to the point where people who apply for a job with the U.S. government, know that their info will be secure and safe. How do you see the NBIB building trust?</p><p><strong>Phalen:</strong> The worst thing I could do is lose any more data. The second worst thing I could do is make promises I can’t keep, so we have worked extensively with the CIO and other outside organizations—including the U.S. Department of Defense—to look at our system as it is. A lot of work was done immediately after the breach; they did a lot of strengthening of the system, and I am comfortable that today it is protected to a fairly high degree.</p><p>But having said that, how do I convince the world? I don’t have a good answer for that right now other than we have to prove to them that we can protect it. We obviously don’t want to publish all the protections, because that would give somebody a sense of, ‘Where’s the backdoor?’</p><p>But, we worry incessantly about these things. In particular, the guy who feels most focused on it besides me and the folks at NBIB is the CIO at OPM. Between him and his chief information security officer, they have the responsibility to actually do those mechanical things on the system to protect it.</p><p>So, I don’t really have a good answer for how do I convince the American public that we can be trustworthy—putting out a poster that says, ‘Trust me,’ I don’t know that that works. Our record’s going to reflect that.</p><p><strong>Gates: </strong>Looking into the future, what do you see in 2017 as being the major challenges and opportunities for NBIB?</p><p><strong>Phalen:</strong> Related to the Trump administration, I don’t see any major challenges. There is a common thread that no administration wants people to betray trust, and administrations want us to have people who are cleared and trustworthy.</p><p>I don’t expect that there will be any change in requirements from any new administration in terms of producing that trustworthiness. We [NBIB] do the investigation. We don’t do the adjudication. So if somebody decides they’re going to clear you, it’s going to be somebody in an agency sponsoring you.</p><p>NBIB just gives them as much as we can find out about you to make that determination. That has its own particular sort of challenges, which are, if agency A adjudicates you and says, ‘Megan’s fine,’ agency B may say, ‘Yeah, except for there was that one traffic stop that she had that we didn’t like the way it turned out.’ You can actually get different answers for people from the same set of data. But our goal is to give them as much data as we can so they can make an informed decision on it.</p><p>The real issue with anything is are things funded? This has been a perennial issue in security in general, ensuring that the amount of funding is there to make sure that the investigations can be done and that [the government agencies] can fund them.</p><p>And again, not just what we’re trying to do at NBIB, but the whole issue of protecting information globally by the government is absolutely crucial. The last administration got it; I expect this one will get it. I don’t see any huge changes.</p><p>I also don’t see any roadblocks to us continuing the progress that we can make towards streamlining the background investigation process. I have every reason to believe, without anybody telling me this, the administration will follow suit like every other administration. They want us to do this right. And we’ll get an opportunity to do it right.</p><p><strong>Gates: </strong>Many of our readers are interested in how you can have a successful career in security. How have you stayed employed and relevant in the industry?</p><p><strong>Phalen: </strong>You’ve probably seen the Pink Panther movies. There’s one great line where somebody says to Peter Sellers, ‘How does an idiot like you get to be a police lieutenant?’ And he says, ‘I applied.’</p><p>I never really worried about where my career would go. I started out in 1973 and worked for a company where within the first 18 months I ended up with a management job—maybe they were desperate; I’m not exactly sure why. </p><p>But ultimately, about midway through, we as a team, with leadership from our director of security at the time, started working very heavily on a newfangled thing that would be a great deterrent to shop lifting. And it’s still here, because when you buy a garment and you take it home and it’s got that stupid tag on it, and you’re sitting there cursing the sales person for not having taken it off, you have to take it back to the store.  The company was called Sensor-Matic, and we Sensor-Matic tagged everything in sight, and it turned out to be a pretty powerful deterrent.</p><p>And then I got a job at the CIA and spent 30 years there. The thing I like most about that—and other jobs like that in government—is that in 30 years, I had 17 jobs. In the last 10 years, I only had three jobs—so that means there were 14 in the first 20 because we were moving around and doing a lot of things.</p><p>What I liked about it was none of us thought we’d ever get to be in some of those leadership jobs; we moved laterally and then a little bit up, and laterally, and got really smart about the entirety of the business.</p><p>In a situation like that, you have to understand how important it is to have trusted people, how important it is to make sure that people are operating out of secure facilities and trusted facilities. The physics of how to protect a building are largely the same. And certainly, the physics of moving things electronically is the same, but how all that works together has changed incredibly. </p><p>I mean, I tell folks that when I was in college, the cyber threat pretty much was me dropping punch cards at the University of Maryland. Cyber has changed, and I’m probably on my fifth iteration of trying to learn what it’s about. I will by no means claim to be an expert, but I’m at least reasonably conversational in the concepts.</p><p>But it has changed immeasurably, and keeping up with it is really, really hard. As people are moving up through careers, that’s the kind of stuff they’ve got to latch on to—find those things that are going to change and those that remain the same, and certainly that IT piece is the most dynamic.</p><p>The other thing that is most unpredictable is the humans because everything we do—almost everything we do today about human trust—is based on prospectively deciding whether or not we trust you. Not did you do something bad. Because I don’t want to get to that point. I want to decide you’re okay to start, and then if I see things starting to go south, be able to deal with it before it goes really badly south.</p><p>So, that then sort of takes you to, what does the next version of a background investigation look like? And I’m sure you’ve heard the phrase continuous evaluation bounced around…at the front end I don’t know anything about you, I’m going to do a pretty healthy examination of what we can find out about you.</p><p>Once you’re inside, it doesn’t make any sense to wait five years to ask again if you’re still okay, because you can do a lot of damage in five years—or just be dumb in five years. Because a lot of our problems are just people doing stupid things, not just evil things.</p><p>The range of human behavior is so wide and trying to predict who in that universe is going to go bad in advance is really difficult. </p><p><strong>Gates: </strong>Do you think we’ll ever get to the point where we can predict who is going to harm the organization?</p><p><strong>Phalen:</strong> 100 percent? No, and that’s even if you put every full court press you can on it, which includes polygraphs, and looking over your shoulder. </p><p>I think the bigger problem, although insider threat tends to focus on evil people, the bigger problem is people that are careless. People that aren’t necessarily trying to commit espionage, but speaking out of school or metaphorically leaving an email on a park bench somewhere. </p><p>The other sort of change in perception is the, traditional security program starts with, can you work here? Somebody does some sort of a background investigation, whether you’re a company or an industry, or something, and they decide whether you can work here—the company has made a trust determination.</p><p>When you get to the door, there’s a guard there of some sort, some badge system or security that the company is controlling your access. And you get to the keyboard and you login and you’ve got to use your password and it’s got to be a strong password, and if you’re not fast enough, it logs you out in five seconds and you’ve got to redo it again and you’ve got to change it every 30 days and all that kind of stuff.</p><p>But now you’re in. and if you’re in a system that is an Internet based system, you’ve just become the access control officer for the company. And your decisions to open that email or send something someplace else, have just made access control decisions for the company that are out of the bounds and purview and a lot of times observation of any oversight security organization.</p><p>And that’s the real change with the introduction of these kinds of things and the proliferation of networks, is that every employee has a responsibility they didn’t have before because their mistake can cause a huge problem.</p><p><strong>Gates: </strong>That’s something I’ve seen while covering the cyber beat. I’m hearing more and more that people are having the realization that what my employees do on their computer and their habits online at home translate into the office. If they don’t have good habits, they’re impacting my organization’s security.</p><p><strong>Phalen: </strong>There’s a cartoon out there somewhere…it’s a woman sitting at a keyboard and she’s dressed in Greek robes and everything, and she’s going, oh just one little thing. And the caption is “Pandora’s inbox.”</p><p>But going back to discussing careers in security… I seriously believe that for somebody in the security business, they should get as broad as they can. Don’t do the same job forever. Move laterally and get to understand the entirety of the business, because they’re all interconnected. And if one of them is not working, the others have to compensate for it but the others have to understand where the issues are. </p><p>I think the linchpin in security is that trusted people piece; if we don’t get that part right, the rest almost doesn’t matter because we have all those barriers and everything up, but every day we invite thousands—millions—of people in whatever venue it is, and we’ve got to trust them to do the right thing. </p><p>And if we don’t get that right, then again, that front stuff doesn’t matter.</p> Sneak Peek: Moving to the Cloud Repositions Security Data Rules Blind Conversation with the Director of the U.S. NBIB War Games Protocols and Practices Put the IoT Revolution at Risk Review: Social Media Risk and Governance Top Five Hacks From Mr. Robot—And How You Can Prevent Them the CEO War Games Protocols and Practices Put the IoT Revolution at Risk Review: Hacked Again Review: Secrets Spotlight: Internet of Things Toward Disaster

 You May Also Like... Top Five Hacks From Mr. Robot—And How You Can Prevent Them<p>​Mr. Robot may be doing more to make Americans cyber aware than any official awareness campaign has so far. The popular, award-winning series focuses on Elliot Alderson, a young programmer, who works as a cybersecurity engineer and is recruited by “Mr. Robot” to join a group of hacktivists—fsociety—targeting a company, E Corp.</p><p>For Cybersecurity Awareness month,<em> Security Management </em>Cybersecurity Editor Megan Gates sat down with OneLogin Lead Product Marketing Officer Al Sargent to discuss some of the most successful Mr. Robot hacks and how they can be prevented. <br></p><p>“I think <em>Mr. Robot</em> has done a really good service for the cybersecurity community because it makes these issues…realistic and, even though it’s realistic it’s very fun to watch,” Sargent says. “So it’s a great way for people to learn more about cybersecurity issues and how they can address them.”<br></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read de43818f-6122-4cb2-b7dd-7fbb7fffd423" id="div_de43818f-6122-4cb2-b7dd-7fbb7fffd423"></div><div id="vid_de43818f-6122-4cb2-b7dd-7fbb7fffd423" style="display:none;"></div></div><p>​<strong>1. Password Cracking</strong></p><p>This is essentially where you guess what someone’s password is based on what you think some of their interests are. It’s a form of combining social engineering with brute force, Sargent says.<br></p><p>For example, Elliot’s psychiatrist’s password was Dylan2791, which is her favorite musical artist and the year she was born backwards. Elliot was able to crack her password in 24 seconds.<br></p><p>“What would take maybe years or centuries to crack, might take mere minutes or even seconds to crack when you put in certain terms,” Sargent explains. “And Elliot is able to pull this information off of social media profiles and using other sources.”<br></p><p>Some measures companies can take to prevent this kind of attack is by enforcing stronger password requirements, such as requiring passwords use more characters, frequent password changes, and multifactor authentication, such as using a smartphone to approve a login attempt.<br></p><p>One way to create a good password, Sargent explains, is to think of a sentence that makes sense to you. For instance, if you’re a baseball fan, it could be “itsanevenyearletsgoGiants2010.”<br></p><p>“Now, if you’re a Giants fan, that makes a lot of sense because the Giants have won the World Series on even years 2010, 2012, and 2014; unfortunately, not this year,” Sargent says. “If you write that out, it’s very easy for you to remember. But if you look at the number of combinations, it’s very hard for a computer to crack because it’s many, many characters.”<br></p><p>And because the password is rooted in a topic that you’re passionate about, it makes creating a new, strong password easier when you need to change it. <br></p><p>“In the case of baseball, you could say, ‘IwishtheCubshadntbeatentheGiantsthisyearhopewillnextyear” and when it’s time to rotate your password again next month, you could be talking about something around the players you hope the Giants can recruit next year,” Sargent adds.<br></p><p>“It’s something you’re passionate about, so it’s something you can really remember,” he says. “But it’s hard for a password cracker. And that’s the key thing; people don’t think about passwords as passions, but it really is important to combine the two to make something memorable for you and hard for a computer to guess.”<br></p><p><strong>2. Zombie accounts</strong><br></p><p>The next common type of attack uses what’s called a Zombie account, a user account that remains active even though the user should not have access to it. </p><p>For instance, E Corp fires its senior vice president of technology, Tyrell, who is very angry with what happened and could potentially use his access to E Corp’s network to do a great deal of damage.<br></p><p>“Because he was senior VP of technology, Tyrell had access to a lot of privileged information,” Sargent says. “Now the thing is, once somebody is let go from a company, especially when they’re angry—as Tyrell was—you want to be able to deprovision them very quickly.”<br></p><p>This means that human resources staff need to work closely with IT to ensure that when an individual is fired or resigns from a company, that person’s technology access is cut off—just as their access might be to a physical building.<br></p><p><strong>3. Phishing</strong><br></p><p>Nearly one in three phishing emails were opened in 2015, and about 12 percent of targets then went on to click the link or open the attachment in that email, according to Verizon’s <em><a href="" target="_blank">2016 Data Breach Investigation Report. </a></em></p><p><em>Mr. Robot</em> showcases this method of attack in Season 1 Episode 3 when Elliot hacks his girlfriend's account because he wants to know more about her, so he phishes her.</p><p>“Phishing is very much a constant worry, not just in <em>Mr. Robot</em> but in corporate environments because there are now very well constructed phishing attacks,” Sargent says. “It’s no longer the email from the Nigerian prince; it’s the email from someone who might be the CEO asking the CFO to do something and it seems like a very well-constructed email.”<br></p><p>This specific type of phishing attack is known as a Business Email Compromise (BEC) scam, which have seen a 1,300 percent increase between January 2015 and June 2016, according to the FBI.<br></p><p>For more on how to prevent BECs and phishing attempts, read Security Management’s October Cybersecurity Department <a href="/Pages/Spoofing-the-CEO.aspx" target="_blank">“Spoofing the CEO.”</a><br></p><p><strong>4. Physical Access</strong><br></p><p>Sometimes to really pull off a successful hack, you need physical access to a critical facility. <br></p><p>This is demonstrated in Season 1 Episode 5 when Elliot pretends to be a Silicon Valley billionaire asking for a tour of a Steel Mountain facility, which stores all of E Corp’s records. He gains access and uses that to install a Raspberry Pi computer into the HVAC system, which can override temperature controls and melt all of E Corp’s back-up tapes.<br></p><p>To prevent this type of attack, companies should take a look at who has physical access to the servers that support their network and try to limit that access.<br></p><p>“As Elliot said in the episode, ‘People make the best exploits,’” Sargent explains. “So, we as OneLogin employees can’t get a tour of a data center. And we don’t even know the physical machines that are running our service.”<br></p><p>Amazon has tens of thousands of machines running in its data centers, which then run virtual machines that provide OneLogin’s service. <br></p><p>“We don’t know what machines provide our service. And if we don’t know, hackers don’t know,” Sargent says. “That makes it very hard to hack and makes it basically impossible to hack by gaining physical access because A) how do you get into a facility? And B) how do you even know, out of the tens of thousands of machines, which one at any given time is running the virtual machines?” <br></p><p><strong>5. DDoS Attacks</strong><br></p><p>Distributed denial-of-service (DDoS) attacks occur when systems flood the bandwidth or resources of a targeted system. These kinds of attacks are often the result of a botnet (multiple compromised systems) being used to flood the targeted system with traffic.<br></p><p>In Season 1 of <em>Mr. Robot, </em>Elliot single-handily saves E Corp. from a DDoS that’s been propagated by fsociety. To prevent this kind of attack taking down One​Login’s service, Sargent says it houses its service in multiple Amazon Web Services (AWS) regions and in multiple AWS availability zones in multiple states within the United States, as well as in Germany and Ireland.<br></p><p>“Additionally, we have multiple active DNS providers, so that way if one DNS provider gets overloaded through a DDoS, we have another DNS provider that can help us out,” Sargent says. Domain Name Servers (DNS), work like a phone book for the Internet and facilitate requests to specific webpages.<br></p><p><br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 New Recruits<p>​<span style="line-height:1.5em;">“Leave our children alone!” That’s the message a Bolingbrook, Illinois, mother wants Islamic State (ISIS) leaders and recruiters to hear. In January, Zarine Khan’s oldest son, 19-year-old Mohammed Khan, tried to travel with his 17-year-old sister and 16-year-old brother to Istanbul to join ISIS. The three were stopped at Chicago O’Hare International Airport, and Mohammed Khan, an American citizen, is now being charged with attempting to provide material support to ISIS militants.</span></p><p>Zarine Khan told news outlets she believes her children were recruited over social media and secretly saved money to purchase passports and airline tickets. “We condemn this violence in the strongest possible terms,” she said after her son’s courthouse appearance. “We condemn the brutal tactics of ISIS and groups like it. And we condemn the brainwashing and the recruiting of children through the use of social media and Internet.”</p><p>If Mohammed Khan is found guilty of providing material support to a terrorist organization—a provision of the U.S. Patriot Act—he will face up to 15 years in prison. </p><p>Unfortunately, this is not an isolated incident. A new report by the International Centre for the Study of Radicalization and Political Violence (ICSR) found that some 20,000 foreign fighters from 50 countries have traveled to Iraq and Syria to join terrorist organizations since 2012, and more than 4,000 of those are from Western nations.</p><p>Disturbing reports seem to surface every month of Westerners—many of whom are teenagers or young adults—attempting to travel to join ISIS as fighters or brides, often after being recruited over the Internet. </p><p>Another increasingly prevalent issue is the return of radicalized Westerners to their home countries. Governments are struggling to address the issue in the absence of proof that the returning citizen actually committed a crime.</p><p>“The propaganda of the Islamic State, the ability to communicate in message, is better than any I have seen to date since we had the development of Al Qaeda in the early ’90s,” says Charlie Allen, who has served with the CIA and the U.S. Department of Homeland Security (DHS). “It is a very interesting thing—we’re going to have people self-radicalized, and it’s hard to stop traffic and travel to and from Europe.”</p><p>The exodus of American and European citizens to the Middle East—mainly Syria or Iraq—began in 2012 during the height of the Syrian civil war after ISIS urged Muslims to fulfill their religious duty to wage a holy war against the enemies of Islam. Although some foreigners took up arms with other terrorist organizations, such as Al Qaeda and Jabhat al-Nusra, most are flocking to aid ISIS, which is considered to be the dominant force of Syrian opposition and currently controls about a third of Syria. </p><p>More than 100 Americans have traveled to the region to fight, but experts are more concerned about jihadists from European countries, where thousands of citizens—mainly from Belgium, France, Germany, and the United Kingdom—have crossed through Turkey’s porous border into Syria and Iraq.</p><p>Veryan Khan, editorial director for the Terrorism Research and Analysis Consortium (TRAC), a political violence database, says that in terms of modern global jihad movements, the current exodus is the third and the most popular call to jihad. ICSR, which has kept track of the global jihad to Iraq and Syria since 2012, notes that the current numbers surpass those of the Afghanistan conflict in the 1980s and the 2006 flight from Somalia, making the conflict in Syria and Iraq the largest mobilization of foreign fighters in Muslim-majority countries since 1945.</p><p>Veryan Khan says a large percentage of foreign fighters are young men and women—some not even out of their teens. The Bipartisan Policy Center’s 2014: Jihadist Terrorism and Other Unconventional Threats points out that many young adults who attempt to join ISIS “are far from threatening.” At least eight 18- to 20-year-old Americans have been apprehended attempting to join ISIS over the past two years, one of them admitting in court that “concerning my fighting skills, to be honest, I do not have any.” </p><p>Other cases are more serious. One high-profile Western jihadist is 22-year-old Maxime Hauchard, a Frenchman identified as one of the executioners in an ISIS video depicting the decapitated body of American aid worker Peter Kassig. Hauchard converted to Islam when he was 17 and was recruited online to ISIS, according to media outlets. </p><p>Veryan Khan explains that young jihadists may be looking to belong because they do not feel at home in Western culture. “There are many other reasons for radicalization: the need for redemption, the perceived obligation to one’s motherland, the guilt of living a good life in the West while others suffer, a personal retribution for the death of a family member or friend, the list goes on and on,” he explains.</p><p>Europe has taken a step to curb the relentless—and effective—online propaganda by ISIS. Last summer, nine European nations endorsed an initiative to work with Internet providers to take down the hundreds of ISIS recruitment websites and messages. But the biggest online draw may come from radicalized Westerners themselves.</p><p>Foreign fighters who have made the journey to Iraq or Syria have told their stories via Twitter, Facebook, and other blogging websites, encouraging their peers to join them. The posters speak of the friendships they have made with their brothers and sisters of the Islamic State, or the pride they feel in answering the call to jihad.</p><p>“Allahu Akbar, there’s no way to describe the feeling of sitting with the Akhawat [sisters] waiting on news of whose Husband has attained Shahadah [martyrdom],” tweeted one British woman who traveled to Syria and married a fighter. </p><p>The call to join ISIS in the Middle East is not the only trend that concerns experts. Many foreign fighters are returning to their home countries after fighting alongside ISIS in the Middle East, and Allen points out that having trained, radicalized fighters traveling back to their homes in the West is a potentially dangerous situation.</p><p>“We have the worst possible storms that are now erupting in the Middle East, and the foreign fighters, those from North America and Europe, are likely to return,” Allen explains. “Some have been martyred, including Americans, but some will continue their extremist ways and proselytize to get other Americans to join them.”</p><p>Individual governments are left trying to figure out what to do with returning fighters. Turkey, considered the main passageway from Europe to Syria and Iraq, announced at the end of January that it is beefing up security along its borders to stem the flow of potential jihadists to the battlefield. The country is also constantly updating a database of more than 10,000 individuals suspected of traveling through to aid ISIS.</p><p>The problem that Turkey and many other countries face is that they cannot indict individuals for aiding a terrorist organization without proof. Traveling to and from the region alone does not hold enough weight for law enforcement to intercept an individual.</p><p>Some countries have passed laws that make it easier to detain potential jihadists. In Austria, Belgium, Britain, France, and Germany, authorities hastily passed legislation allowing governments to detain individuals suspected of involvement in a terrorist organization abroad. </p><p>Other countries, such as Denmark, are taking a soft-handed approach in handling returning fighters by offering free counseling services, as well as assistance in finding jobs or enrolling in school.</p><p>U.S. lawmakers are worried that foreign fighters coming to America may be able to slip through the cracks—under the Visa Waiver Program, residents of 38 European countries can travel to the United States without a visa. Former Senate Intelligence Committee Chairwoman Dianne Feinstein has announced plans for legislation that would tighten the program.  </p><p>Allen says that most foreign fighters aren’t secretive about their involvement in Syria and can be easily tracked, so the threat of a jihadist slipping into the United States unseen is small.</p><p>“I believe we have good legislation, good tools, and a good understanding of who may be in Syria, and we’re very careful to ensure when they return that we know who they are and what they’re doing,” Allen explains. “The Customs and Border Patrol does an excellent job of sorting through these people as they return. It’s hard to charge them if you don’t know whether they’ve committed crimes, but I think the collaboration between DHS and the FBI is improving.”</p><p>TRAC’s Khan speculates on the bigger picture—why are these young fighters, coming back home? He says the list of grievances from foreign fighters is critical to combatting radicalization efforts. </p><p>“They get to their perceived holy war only to find out that they are just killing other Muslims, which is haram (forbidden),” Veryan Khan explains. “There’s this perceived hypocrisy within the movement, as well as the realization that they are not merely fighting against the Assad regime to create a heavenly Caliphate but more than likely fighting other opposition groups.”</p><p>There are a number of firsthand accounts explaining the grievances, Veryan Khan explains, but they’re not as prevalent as the propaganda-filled tweets and blogs convincing young people to join ISIS in the first place.</p><p>“Using those firsthand accounts to our advantage is the best tool to curb the momentum,” Veryan Khan says. </p><p><em>To read in Spanish, <a href="/Pages/Los-Nuevos-Reclutados.aspx">click here.​</a></em></p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Hunt for Talent<p>​​FBI Director James Comey was talking to his daughter recently about the Bureau’s struggle to recruit talented cybersecurity professionals amidst a talent shortage when she summed up his problem: He’s the Man. </p><p>“Which I thought was a compliment,” Comey said in an appearance at ASIS 2016 in Orlando, Florida. But then his daughter added, “You’re the Man; who would want to work for the Man? The Man is boring. The Man is crusty. The Man is white and male. Who’d want to work for the Man?”</p><p>To be an FBI cyber agent, candidates have to have integrity, be physically fit, and have a cyber specialty. They also have to want to work for the government, which can make the candidate pool extremely small to choose from because some candidates might not find that attractive.</p><p>Comey’s daughter might be on to something, not only when it comes to the FBI but when it comes to corporate cybersecurity recruitment as a whole. What if there are individuals who are out there with the skills organizations need, but they don’t know how to attract them? Or they are not candidates that fit the typical corporate mold?</p><p>Take Bugcrowd, a crowdsourced security testing company with a community of researchers that finds and reports vulnerabilities for rewards—commonly known as a bug bounty program. CEO and cofounder Casey Ellis launched the community via his Twitter account in 2012. Four years later, more than 45,000 researchers have signed up to be part of the community.</p><p>Seventy-five percent of researchers who responded to a Bugcrowd survey said they were between 18 and 29, and 19 percent of researchers were ages 30 to 44. Most striking, however, was the finding that 88 percent had completed at least one year of college, 55 percent of them had graduated with a bachelor’s or postgraduate degree, and all respondents had at least a high school diploma. </p><p>Furthermore, just 15 percent of these respondents said they participated in bug bounty programs full-time; meaning 85 percent of researchers participate in bug bounty programs as a hobby or as a part-time job.</p><p>“What we’ve seen is a lot of the best, most prolific folk, and best-paid folk that we have on the platform don’t come from a security career background,” Ellis says. Instead, they are often from an engineering, development, or systems administrator background.</p><p>“These are folks that don’t work in security, but, lo and behold, they’ve been sitting up until 3 a.m. every night, chatting with their hacker buddies,” he adds. “The cool thing about especially the bug bounty model is that there’s zero barrier to entry. It’s truly meritocratic. If you can come in and prove the fact that you can do this, as evidenced by the fact that you’ve found something that’s valuable, great.”</p><p>And for some researchers, this process has led to being hired for positions off of the bug bounty platform. “They work their way up the ranks, they’ll get spotted as unique talent, and actually get a job out of it,” Ellis explains. </p><p>“You can teach someone to hack. You can teach someone how to think with that kind of criminal entrepreneurship type of bent, but I think the more efficient path for the industry at large is to identify the people that are already there,” he adds.</p><p>Bugcrowd has done this through word of mouth and actively promoting researchers' work on social media. But how can hiring managers at other companies recruit nontraditional talent? </p><p>First, they might have to take a hard look in the mirror and ask themselves if they are blind to talent that already exists. Winn Schwartau, president and founder of The Security Awareness Company, has written extensively on this topic in his series Hiring the Unhireable: A Rationale Imperative for Protecting Networks & Nations.</p><p>“We don’t have a lack of talent. What we have is a provincial mindset, entrenched over decades, in a flawed Cold War binary philosophy,” Schwartau writes. “Many of the current hiring systems all too often enforce an arbitrary, capricious, and discriminatory set of criteria, which is fundamentally designed to eliminate true, valuable human talent—consciously choosing instead to often default to the center of the Bellcurve; that 68 percent we refer to as ‘normal.’”</p><p>Hiring managers from the United States, the United Kingdom, the European Union, and elsewhere often bemoan that they need tens of thousands of security employees, but can’t find them, he adds.</p><p>But “what they can’t find are good security people who fit into their hard-crusted mold of what corporate and government structures have become,” Schwartau explains. “There is actually a lot of truly great talent out there. But we may not see it in the traditional ways.”</p><p>To better identify this nontraditional talent, hiring managers need to adjust their mindset and expectations about hiring, says Timothy O’Brien, senior manager of security operations at Gigamon, a network visibility and traffic monitoring technology vendor.</p><p>“We are creating this category as hiring managers of talent that we will never hire, yet we’re talking about there’s nobody to hire. In some ways, we’re creating our own problem,” O’Brien explained in his session “Hackers Hiring Hackers” at the 2016 (ISC)² Security Congress, copresented with Magen Wu, senior consultant at software company Rapid7.</p><p>Hiring managers often get in their own way when they list a position with a job description that’s all over the place, such as an entry level position that asks for a Certified Information Systems Security Professional (CISSP) certification and five years of experience.</p><p>“Folks have talked to me and said they are trying to break into information security and they basically apply for everything because they can’t figure out what we, as hiring managers, even want or need,” O’Brien adds.</p><p>This means that it is especially critical for hiring managers to break down what they want versus what they need, and to take a hard look at what skills an individual will need to possess to be successful in that role in the organization.</p><p>“Be clear about what that job will entail, as much as you know, because security changes,” he explains. </p><p>O’Brien also recommends that hiring managers consider whether certifications and college degrees are important, or if they are an HR requirement that’s potentially limiting the pool of candidates managers could draw from.</p><p>“There’s plenty of folks that I’ve met that have been great hackers, great security professionals, but don’t have a degree because they got so bored out of their mind they could not sit through the degree programs, or they didn’t have the financial capabilities to go get a degree,” he says. “So let’s find those folks with that talent, help nurture them, and help them get that degree.”</p><p>If, however, having certifications or degrees is important for filling the position, O’Brien says hiring managers should make sure to vet candidates to make sure they did not just memorize information to pass a test—that they learned and retained the information the certification implies they knew at one time.</p><p>One way of doing this, O’Brien says, is by asking a candidate during phone interviews about how their personal home computer network is set up and what they would like to improve upon in the next six months.</p><p>“I’ve gotten everything from, ‘Well I just have my Cox cable modem and it goes into my computer,’” which is usually the end of the interview, O’Brien says, “to ‘I’ve got this VPN (virtual private network) and a couple of computers…’ and that leads into a series of questions that I have, like ‘On that network, when you open a browser and type in, and like magic Google comes up, how does that work?’”</p><p>The key is to use explanatory questions in interviews to get a feel for whether a candidate can articulate to someone who’s technical, but also to someone who’s from a business background, about information security and how systems work.</p><p>O’Brien also recommends getting involved with the recruiting team and human resources to make sure they understand what you as a hiring manager are looking for. And this doesn’t always mean meeting with these individuals in a conference room.</p><p>For instance, O’Brien says he’s worked with organizations to create computer emergency readiness teams (CERTs) and specifically places a recruiter or a technical person from human resources on the team “so they get more involved and they know what we need, and what roles we’re trying to fill.” </p><p>And when it comes to finding nontraditional talent, Wu says that hiring managers should look to conferences, local meet-ups, and online portals. This is because Wu, like others in the industry, encourages job seekers to use these venues to attract the notice of recruiters.</p><p>“Get involved with the community—we have such a large community with what we do,” she adds. “Start going to conferences, local meet-ups, giving presentations, writing blog posts, and that’ll get your name out there more. That’ll make you look more interesting to hiring managers.”</p><p>While the debate continues to rage as to whether the talent shortage is real and, if so, how bad it is, hiring managers need to reassess their recruiting process to ensure that they are not overlooking qualified candidates who fail to meet their traditional criteria.</p><p>“I strongly feel that there’s a lot of talent out there, and we’re actually not accessing that talent pool right now,” Ellis says. “The challenge is to find something, put something together that actually draws them out. And takes them from where they are right now into something that’s more valuable to them and the industry itself.”</p><p>And the FBI is taking note, Comey said, assessing the way it recruits talent and how it uses cyber agents to better mitigate and investigate cyber threats.</p><p>“We’re not at bean bags and cut-off shorts yet; we do not let people smoke weed,” he explained. “But we’re trying really, really hard to be cooler than we ever were to not only attract great talent, but so when they come to us, they find it an exciting, iterative, agile place to work.”   ​</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465