<p><strong>National Security Weaknesses</strong></p>
<p>2019-02-01, Mark Tarallo</p>
<p>The U.S. Department of Defense (DOD) is planning to spend more than $1.5 trillion to develop its portfolio of major weapon systems. Although the investment may result in a state-of-the-art deterrence program in the future, the weapons currently have a glaring vulnerability–they are relatively easy to hack.</p>
<p>Officials from the U.S. Government Accountability Office (GAO), which was asked to review the state of DOD weapon systems cybersecurity, recently ran some tests to see if they could hack any of the Pentagon’s weapons.</p>
<p>They could, without much difficulty.</p>
<p>“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the GAO explains in its report, <a href="" target="_blank"><em>Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities.</em></a></p>
<p>It’s likely that the testing revealed only a small number of the actual existing weaknesses. “In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats,” the report says.</p>
<p>It’s a disconcerting finding, considering that adversaries of the United States are developing increasingly sophisticated cyberespionage and cyberattack capabilities to target DOD weapons. The GAO found several reasons for these vulnerabilities.</p>
<p>One is that the Pentagon’s weapons systems are increasingly dependent on IT. The amount of software in today’s weapons systems is growing exponentially and is embedded in numerous subsystems. But this dependence on software increases the weapons’ attack surface.</p>
<p>Similarly, DOD weapons systems are more networked and interconnected than ever before, and they are also connected to some external systems, such as GPS. These factors further increase vulnerability.</p>
<p>In addition, DOD has only recently made weapon systems cybersecurity a priority. Instead, for many years, DOD focused its cybersecurity efforts on protecting traditional networks, such as accounting systems. “Until around 2014, there was a general lack of emphasis on cybersecurity throughout the weapon systems acquisition process,” the report says.</p>
<p>This late-to-the-game approach will have long-term consequences, the GAO found. “Numerous officials we met with said that this failure to address weapon systems cybersecurity sooner will have long-lasting effects on the department,” the report explains. “Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”</p>
<p>In the last few years, however, DOD has made progress on some new weapon cybersecurity initiatives and policies. Given this, GAO urged the DOD to press forward with these efforts. “To improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives,” the report says. Finally, GAO pledged to continue to evaluate the issue.</p>

<p><strong>Pirates Sail the Digital Seas</strong></p>
<p>In the late 16th century, the British Empire granted official documents called “letters of marque” to seafarers, authorizing them to attack and pillage Spanish vessels in the New World. These privateers became known as Queen Elizabeth’s Sea Dogs; among them were the famous Sir Francis Drake and Sir Walter Raleigh. These privateers were essentially granted a license to commit piracy and help England gain a foothold in new territories–even when Spain and England were not at war. But some Sea Dogs decided to turn away from their queen and seek personal gain instead. One such man, Captain Kidd, was eventually arrested and executed for his mutiny.</p>
<p>Sea Dogs like Captain Kidd strayed far from their original purpose of helping build up the British Empire, and instead brought embarrassment to the crown. Eirik Iverson, director of product management at Tangible Security, compares such privateers to the Chinese nationals who have been accused of stealing trade secrets from U.S. firms.</p>
<p>Research by U.S.-based cybersecurity firms and, most recently, charges by the U.S. Justice Department, indicate that China is funding its own cyber privateers to spy on and steal secrets from U.S. businesses. But Iverson predicts that, like the British Sea Dogs, eventually the Chinese are going to feel some pain from their own privateers. He says the hackers “go where the opportunities are, and eventually that opportunity is going to be in China.”</p>
<p>As the evidence shows, China is not punishing its own cybercriminals who are attacking other nations. But the U.S. government took a broad step in prosecuting Chinese cybercrime in May when, for the first time, the Justice Department brought cyber espionage charges against five nation-state actors, all members of the Chinese People’s Liberation Army (PLA).</p>
<p>A grand jury in the Western District of Pennsylvania brought the charges, which accuse the hackers of infiltrating the networks of six U.S. companies and stealing information “from those entities that would be useful to their competitors in China,” according to the official indictment.</p>
<p><strong>Advanced Persistent Threats</strong></p>
<p>In February 2013, cybersecurity firm Mandiant released a well-publicized 60-page report on a group it refers to as APT1 (Advanced Persistent Threat 1), which it had suspected for some time was a state-funded group of Chinese cyberthreat actors. The Justice Department indictment alleges that the five hackers were a part of the same unit Mandiant names in its report.</p>
<p>From 2004 on, Mandiant collected IP addresses, command and control information, and other important data about the hacking group. In January 2010, Mandiant released limited information in a small public report to see how the group’s cyber activity was affected.</p>
<p>“We put out a ton of indicators about the infrastructure, the sort of nuts and bolts of where these actors were coming from,” says Laura Gallante, manager of threat intelligence at FireEye, a firm acquired by Mandiant earlier this year. “Then what we were able to do was watch what happened from that released infrastructure for the next year.”</p>
<p>Gallante explains that criminal activity generated by the machines belonging to those addresses subsided, and eventually stopped. The infrastructure Mandiant made public was no longer in use. “So there was an entire shift in the IP addresses, in the infrastructure that this group was using,” she says.</p>
<p>After further observation of how the group operated, Mandiant concluded that there was evidence the group was linked to the Chinese PLA. For example, much of the malicious cyber activity was coming out of the army unit’s headquarters in Shanghai. In its report, Mandiant revealed that at least 141 breaches were directly attributable to the group. Further, Mandiant determined that the Chinese government was almost certainly directly sponsoring the hackers.</p>
<p>“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” the APT1 report stated.</p>
<p><strong>State Actors</strong></p>
<p>Understanding that the group behind the recent cyber espionage charges is state-funded makes the allegations substantial, says Paul Tiao, a partner at Hunton & Williams and former senior cybersecurity counselor to the FBI. “What’s different here is that these are actually Chinese government employees. It’s the implications of the charges that are really damaging, as opposed to the nature of the charges themselves,” he notes.</p>
<p>The 56-page indictment outlines in detail the alleged cyber theft carried out by Chinese hackers against six U.S. companies: Alcoa, U.S. Steel, Westinghouse, SolarWorld AG, Allegheny Technologies Inc., and the United Steel Workers. The indictment brings 31 counts in total, including conspiring to commit computer fraud, accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, and theft of trade secrets.</p>
<p>The charges brought by the Justice Department are historic, but in some ways not surprising, as the White House has been ramping up efforts to combat cyber espionage over the past two years. The 2013 National Intelligence Estimate revealed that China and Russia were the most aggressive nation-states going after U.S. intellectual property and other sensitive information via cyber espionage. “Russia and China remain the most capable and persistent intelligence threats and are aggressive practitioners of economic espionage against the United States,” the report stated. “Countering such foreign intelligence threats is a top priority for the Intelligence Community for the year ahead.”</p>
<p>Tiao explains that there have been many criminal cases involving Chinese nationals and trade theft. The Computer Crimes and Intellectual Property Section (CCIPS) of the Justice Department investigates and prosecutes cybercrime cases, but these usually do not involve nation-state hackers. “They’re private actors; they’re individuals either acting for themselves or for criminal organizations or for hacker organizations, and they read like these indictments do,” he says.</p>
<p>The companies that were targeted are large, but Tiao, who formerly served as a federal prosecutor in the cyberspace unit, says he handled cases on much smaller scales, and believes the U.S. government wants to protect organizations of all sizes. “I’m hoping that the public doesn’t think that the U.S. government only goes after the biggest hackers,” he notes.</p>
<p>The Justice Department made its intentions clear in its official announcement of the charges, stating that it intends to prosecute any cybercrime against U.S. critical infrastructure. “With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources,” FBI Director James Comey said in a joint statement with Attorney General Eric Holder and other U.S. officials.</p>
<p>Critical infrastructure. Experts say the companies targeted by the Chinese hackers are noteworthy because each business is considered to be critical infrastructure. “This is about as opposite as you can get from the Target and Neiman Marcus and retail store hackings,” says Craig Newman, managing partner at Richards Kibbe & Orbe LLP. “This is more aimed, clearly, at sabotaging U.S. companies and undermining competition in a free-market system. These [attacks] were meant to go to the heart of competition and create an unlevel playing field when it comes to commercial transactions.”</p>
<p>That undermining of the competition is apparent, for example, in the SolarWorld AG case outlined in the indictment. The Oregon-based company was “rapidly losing its market share to Chinese competitors that were systematically pricing exports well below production costs; at or around the same time, members of the conspiracy stole cost and pricing information from the Oregon producer,” the indictment states.</p>
<p>In the Westinghouse case, the Pennsylvania nuclear power company was negotiating the construction of four power plants in China when hackers stole data. The information included “proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.”</p>
<p>In both instances, the Justice Department says national security, not just competitive advantage, is a concern because hackers stole “sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”</p>
<p>Newman points out that there are critical Chinese-U.S. business relationships that drive the economies of both nations, making the diplomatic consequences of the case a significant factor. “The United States and China will probably do their best to minimize the commercial consequences, but at the same time the U.S. government is making clear that it’s not going to stand for this sort of widespread hacking, especially against companies that are so important to America’s critical infrastructure,” he notes.</p>
<p>Sponsorship. According to Lance James, head of cyber intelligence at Deloitte, nation-state threat actors don’t necessarily have a modus operandi, so businesses across all verticals should be vigilant about protecting against potential attacks. “In some cases, such as APT1, the motive is to seize intellectual property for financial gain, though unlike other forms of financial crime, the financial interest is presumably tied to overall global economic standing and trade deficits,” he notes.</p>
<p>In other cases, the nation-state actors could be operating under an ideological agenda, or trying to launch “kinetic warfare” with denial of service attacks or other tactics designed to shut down infrastructure.</p>
<p>Gallante echoes this sentiment, noting that the nation-state actors often want to find out how to build the program that made the plane–not just obtain the blueprints for the plane. “It’s the broader understanding, the business know-how that makes U.S. and global businesses so much more competitive” that the hackers are after, she explains.</p>
<p>As the APT1 report demonstrates, the 141 companies hacked by the Chinese group represent 20 different industry verticals, but Gallante adds that “there are certain sectors…aerospace, manufacturing, pharmaceuticals, clean energy, energy in general, high-tech, that have a broad targeting profile” that attract the Chinese hacking groups.</p>
<p><strong>Network Defense</strong></p>
<p>In the case of the six U.S. companies that were breached, experts agree it is unlikely the suspects will ever see the inside of a U.S. courtroom. But the indictment should serve as a wake-up call for companies wanting to protect their intellectual property and other assets. “A lot of folks don’t think they’re the target,” says Iverson of Tangible Security. “This indictment…helps to manage the denial that’s out there, and instills a sense of vigilance that is absolutely needed,” he explains, adding that U.S. companies should not look at this case as an indication that the U.S. government is going to solve all their cybersecurity issues for them.</p>
<p>Still, the message sent by the U.S. government that it intends to help businesses with cases involving cyber theft is an effective one, says Tiao. “I think it does send a strong message and it does create some level of deterrence, even if those people are never actually brought into court.”</p>
<p>Iverson says that employing reliable security architecture is the basis of a sound security program, from the basics, like firewalls and signature-based detection, up to more advanced offerings, like sandboxing, vulnerability scanning, and penetration testing. With penetration testing, skilled network professionals are hired to essentially breach an enterprise’s defenses to find out where the holes exist. “Face them in the practice yard, rather than in the battlefield, where the Chinese make real theft and deliver real harm,” says Iverson.</p>
<p>James says starting with the basics is key. “Know your environment, your network, and what assets you need to protect,” he says. “What secrets need to be protected, and where are they? How are they used, and are they stored securely?”</p>
<p>He says that once an organization has established those answers, risk management controls can be applied. For example, companies can physically segment network servers and apply stricter controls on e-mails and virtual private networks.</p>
<p>Education. Gallante notes that user education cannot be overstressed for potentially protecting an organization against a full-scale attack. An attacker can gain a foothold in the network by infiltrating the account of a single employee.</p>
<p>The recent charges by the Justice Department reveal just how successful this technique can be–several attacks outlined in the indictment began with spear phishing e-mails. Such messages are disguised to appear as if they come from a legitimate source, and trick the recipient into clicking on a URL or downloading a document that contains malicious content.</p>
<p>In one case outlined in the indictment, 20 employees of U.S. Steel received spear phishing e-mails from one of the attackers, who disguised himself as the company’s chief executive. In another case, the hacker purportedly “attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.”</p>
<p>Once the malware is downloaded to the user’s machine, the hackers have an entryway into the network. They can then move through the rest of the company’s infrastructure and do damage, often remaining undetected for long periods of time.</p>
<p>Gallante says a particularly successful phishing e-mail for attackers is one in which the hackers purport to be the organization’s IT department and prompt the recipient to change his or her password in fields contained within the message. She says this type of e-mail has tricked employees at all levels of organizations, from the CEO down.</p>
<p>“Over 90 percent of the compromises that we see start with a phishing e-mail,” Gallante adds.</p>
<p>Companies should be vigilant about training their employees to be on their guard against such e-mails and always think twice before clicking on any links or downloading attachments coming from a source that’s possibly unknown.</p>
<p>Information sharing. Any amount of intelligence provided by an organization that’s suffered a breach can be useful in preventing future attacks by the same entity with the same toolkit, says James. “It is critical that information-sharing exists. We run up against the challenge of over-classification when it comes to ‘national security’ issues, and this can hinder the sharing flow,” he notes.</p>
<p>James says focusing on remediation and minimizing impact when actors have infiltrated one’s network is important, but taking that extra step to share threat intelligence is helpful to other organizations.</p>
<p>But when it comes to combating cyber incidents, industry operators involved in threat intelligence “have a responsibility to respect the limits of our reach when it comes to nation-state activities,” James says.</p>
<p>James further notes that getting law enforcement involved immediately is crucial when it comes to state-sponsored activity, and may even help prevent future escalation internationally between nations. “It is not always wise to expose such actors publicly without this coordination,” he says.</p>
<p><strong>Quiet Threat: Fighting Industrial Espionage in America</strong></p>
<p><span style="color:#ff0000;"><strong><em>****</em></strong></span><strong><em>* The Quiet Threat: Fighting Industrial Espionage in America, 2nd Edition. By Ronald L. Mendell. Charles C. Thomas Publishers; 272 pages; $43.95.</em></strong></p>
<p>As this book explains, colleges are adding intelligence courses to business and security curricula at an increasing rate. They are needed because as companies outsource technology, they open avenues for the criminal element or the competition to intercept information. This second edition updates its treatment of the topic with additions on tradecraft of the industrial spy and data mining of business information.</p>
<p>Ronald Mendell explains governmental spying and how it differs from industrial espionage, with the latter being the primary focus of this work. 
He also discusses how espionage has in large part evolved from high-tech gadgetry of the Cold War to business-on-business cyberespionage and social engineering. He completes the explanation with a discussion of the espionage process and the players involved, who can include university researchers, suppliers, contractors, and others connected to the finished product.</p>
<p>Each chapter explains a particular aspect of espionage. A historical component is included to further define its relevance and how it has morphed into what it is today. He discusses what one would seek, for example, by visiting an Ironworks in 1861 versus what one would seek at a major defense contractor in 1993 and how the information would be accumulated and used.</p>
<p>Mendell explains that an adversary is as likely to show up on a shop floor during a tour as to attack through cyberspace. He does a good job of defining intellectual property versus a trade secret, and he notes that how they are defined in court is often a matter of how they are protected. He emphasizes that security awareness is important regardless of company politics or position.</p>
<p>This work was informative and engaging in its presentation, aided by graphs, references, and suggestions for further reading. It would be useful as an upper level university text, certification requirement, or general knowledge reference for a security practitioner.</p>
<hr />
<p><span style="color:#800000;"><strong>Reviewer:</strong></span> William Eardley, IV, has 26 years of experience in security and corrections. He is a member of ASIS International.</p>
<p><strong>Balk on Bud</strong></p>
<p>When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose.</p>
<p>Would external theft be a problem? He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p>
<p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p>
<p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds.</p>
<p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains.</p>
<p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures. "It's so unique because of the type of person working there. Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."</p>
<p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p>
<p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p>
<p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.</p>
<p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment.</p>
<p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. "There is no cure, full stop."</p>
<p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p>
<p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission."</p>
<p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p>
<p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.</p>
<p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. "You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p>
<p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p>
<p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare.</p>
<p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p>
<p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains.</p>
<p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry.</p>
<p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p>
<p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p>
<p>"You have to understand the quirks of the industry," he says.</p>