
Tuesday, 14 January 2014

NSA meta data no help

from Greg
The Verge posted a story about NSA data collection programs producing no usable results according to the New America Foundation. I am no fan of the NSA meta data program. They have collected information on every phone call I have made since becoming a Verizon customer three years ago. You can have my meta data when you pry it from my cold dead iPhone.

Read the full story HERE

Read the report HERE

Get a PDF of the report HERE



from The Verge
Is NSA surveillance really necessary to defend against terrorist attacks? It's been a common claim by the agency's defenders as the programs come under scrutiny, but a report released today by the New America Foundation casts doubt on that logic. The report examines how NSA surveillance functioned in 225 counterterrorism cases since 9/11 and concludes that the agency wasn't as crucial as it would have you believe.

The report found that the NSA was responsible for 7.5 percent of counterterrorism investigations, and there was only one case out of the 225 that was initiated by NSA evidence. The case involved a cab driver named Basaaly Moalin who was convicted of sending money to Somalian terrorist groups. While successful, the case did not involve any direct threat of attack, and took more than two months between the initial tip and the eventual action by the FBI. Far more common were cases initiated by traditional tools like informants or suspicious-activity reports, which helped law enforcement focus their attention on particular targets. "The overall problem for US counterterrorism officials is not that they need vaster amounts of information from the bulk surveillance programs," the report says, "but that they don’t sufficiently understand or widely share the information they already possess."



from the New America Foundation
By Peter Bergen, David Sterman, Emily Schneider, Bailey Cahall

January 13, 2014

On June 5, 2013, the Guardian broke the first story in what would become a flood of revelations regarding the extent and nature of the NSA's surveillance programs. Facing an uproar over the threat such programs posed to privacy, the Obama administration scrambled to defend them as legal and essential to U.S. national security and counterterrorism. Two weeks after the first leaks by former NSA contractor Edward Snowden were published, President Obama defended the NSA surveillance programs during a visit to Berlin, saying: "We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany. So lives have been saved." Gen. Keith Alexander, the director of the NSA, testified before Congress that: "the information gathered from these programs provided the U.S. government with critical leads to help prevent over 50 potential terrorist events in more than 20 countries around the world." Rep. Mike Rogers (R-Mich.), chairman of the House Permanent Select Committee on Intelligence, said on the House floor in July that "54 times [the NSA programs] stopped and thwarted terrorist attacks both here and in Europe – saving real lives."

However, our review of the government's claims about the role that NSA "bulk" surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading. An in-depth analysis of 225 individuals recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda's ideology, and charged in the United States with an act of terrorism since 9/11, demonstrates that traditional investigative methods, such as the use of informants, tips from local communities, and targeted intelligence operations, provided the initial impetus for investigations in the majority of cases, while the contribution of NSA's bulk surveillance programs to these cases was minimal. Indeed, the controversial bulk collection of American telephone metadata, which includes the telephone numbers that originate and receive calls, as well as the time and date of those calls but not their content, under Section 215 of the USA PATRIOT Act, appears to have played an identifiable role in initiating, at most, 1.8 percent of these cases. NSA programs involving the surveillance of non-U.S. persons outside of the United States under Section 702 of the FISA Amendments Act played a role in 4.4 percent of the terrorism cases we examined, and NSA surveillance under an unidentified authority played a role in 1.3 percent of the cases we examined.

Regular FISA warrants not issued in connection with Section 215 or Section 702, which are the traditional means for investigating foreign persons, were used in at least 48 (21 percent) of the cases we looked at, although it’s unclear whether these warrants played an initiating role or were used at a later point in the investigation. (Click on the link to go to a database of all 225 individuals, complete with additional details about them and the government’s investigations of these cases: http://natsec.newamerica.net/nsa/analysis).

Surveillance of American phone metadata has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist-related activity, such as fundraising for a terrorist group. Furthermore, our examination of the role of the database of U.S. citizens' telephone metadata in the single plot the government uses to justify the importance of the program – that of Basaaly Moalin, a San Diego cabdriver who in 2007 and 2008 provided $8,500 to al-Shabaab, al-Qaeda's affiliate in Somalia – calls into question the necessity of the Section 215 bulk collection program. According to the government, the database of American phone metadata allows intelligence authorities to quickly circumvent the traditional burden of proof associated with criminal warrants, thus allowing them to "connect the dots" faster and prevent future 9/11-scale attacks. Yet in the Moalin case, after using the NSA's phone database to link a number in Somalia to Moalin, the FBI waited two months to begin an investigation and wiretap his phone. Although it's unclear why there was a delay between the NSA tip and the FBI wiretapping, court documents show there was a two-month period in which the FBI was not monitoring Moalin's calls, despite official statements that the bureau had Moalin's phone number and had identified him. This undercuts the government's theory that the database of Americans' telephone metadata is necessary to expedite the investigative process, since it clearly didn't expedite the process in the single case the government uses to extol its virtues.

Additionally, a careful review of three of the key terrorism cases the government has cited to defend NSA bulk surveillance programs reveals that government officials have exaggerated the role of the NSA in the cases against David Coleman Headley and Najibullah Zazi, and the significance of the threat posed by a notional plot to bomb the New York Stock Exchange. 

Monday, 23 September 2013

Let's defeat Lockheed Martin's attempt to trademark "Cyber Kill Chain" and keep it in common usage


I'm organizing a complaint to the US Patent and Trademark Office which says that Lockheed Martin (NYSE: LMT) shouldn't be granted a trademark for "Cyber Kill Chain" because it is in common usage. As I wrote earlier, I was surprised that they even filed for a trademark since I was the one who first coined the term (as far as I can tell), but coinage of the phrase isn't enough to defeat Lockheed Martin's attempt to trademark and build a business around it. Common usage, however, is an argument that the US PTO will listen to, especially if we can show a good number of people objecting to its registration.

If you wish to have your name added to my US PTO complaint, please send me an email to that effect. It should include your contact information, how often you've used the phrase, and your objection to LMT's trademarking of it. 

Tuesday, 13 November 2012

OSCE's Cyber Security Confidence Building Measures Revealed by Anonymous

Anonymous was able to exfiltrate a second, smaller batch of documents from OSCE's web server (OSCEPA.AT) on November 11, 2012, even after the organization knew that it had been attacked. This second batch of documents contains up-to-date information on the OSCE's Informal Working Group 1039, whose mandate (.pdf) is to create cyber security Confidence-Building Measures (CBMs) that would reduce the risk of cyber conflicts. The chairman of IWG 1039 is U.S. Ambassador Ian Kelly.

The latest revised draft set of CBMs was circulated in a document marked RESTRICTED among IWG 1039 members on November 7, 2012 in preparation for their meeting today, November 13, 2012 in Dublin. They are as follows:
  1. Participating States will voluntarily provide their national views on some aspects of national and transnational ICT security. These may include, but are not necessarily limited to, views on doctrine; strategy; norms; lessons learned; real and potential threats; protective measures; concepts of operating in cyberspace.
  2. Participating States will voluntarily share information on national organizations, programmes, or strategies relevant to their ICT security. This information will include the organization of the structures and a description of their mandate. Participating States will nominate a contact point to facilitate communications and dialogue on ICT-security matters.
  3. Participating States will voluntarily provide contact details of existing official national Computer Security Incident Response Teams (CSIRTs), or equivalent official national structures, so that national experts can enter into a direct dialogue. Participating States will update contact information annually but in any event no later than thirty days after a change has occurred.
  4. In order to reduce the risk of misunderstandings in the absence of agreed terminology, participating States will on a voluntary basis provide a list of national terminology related to ICT security accompanied by an explanation or definition of each term. It will be for each participating State to select those terms they deem most relevant for sharing.
  5. Participating States will voluntarily exchange views on how existing OSCE mechanisms, such as the OSCE Communications Network, maintained by the OSCE Secretariat's Conflict Prevention Centre, could be used to facilitate communications regarding incidents involving ICTs, (e.g. establishing protocols to ensure rapid communication at high levels of authority, to permit concerns to be raised at the national security level.)
  6. Participating States will, at the level of national experts, meet at least three times each year, within the framework of the Security Committee and its Informal Working Group established by PC Decision 1039 to discuss information exchanged and explore appropriate development of this initial list of confidence building measures as well as others that might be candidates for future consideration.
This set of draft CBMs is for discussion by the members. One of the documents included in the latest batch (Comments_AZE_IWB_1039.doc) offers comments from the delegations of Azerbaijan and Lithuania, who both want to considerably beef up the language with a few intriguing suggestions:
General comment: The proposed list of CBMs, in general, is not result-oriented and does not identify any imperative actions. All proposed CBMs are based on voluntary actions, and most of them are already carried out by pS through various other international and regional organizations. We need some more concrete actions that define the responsibilities of the Participating States for the incidents stemming from the use of ICTs.
Specific comments:
  • Support the proposal made by Lithuania to add the following CBM to the list: “Participating States will refrain from directing malicious cyber activities against critical infrastructure vital to the wellbeing of civilians, such as telecommunications, energy, transportation and financial systems”;
  • We support the following proposal made by Lithuania, as well: “Participating States will accept responsibility for their national cyberspace jurisdictions”.
  • Moreover, in addition to the CBMs defining the responsibilities of the states for their actions in the cyber-space, it is very important to identify also the responsibilities of the States over their ICT companies to act in accordance with national legislation of other Participating States.
The concept of a nation state being held responsible for attacks emanating from servers within its borders has come up for discussion within the U.S. DoD too. It would certainly make attribution a lot easier if we could simply point to the geolocation of an IP address and say case closed. Unfortunately, that's a completely unrealistic scenario, since Internet Service Providers aren't regulated entities and because web servers are easy to compromise (e.g., OSCEPA.AT).

Most of the suggested CBMs are voluntary and fairly ineffective even if put into practice. That's probably due to the fact that the membership of this committee is heavily loaded with policy makers and lawyers and has very few technologists or security engineers. The attack that was levied against the OSCE by Anonymous was apparently of the same variety that its members prefer: looking for easy pickings against poorly-protected web servers. The first confidence building measure that these OSCE national experts should draft is to adopt an Assumption of Breach security framework. In other words, expect to be breached and keep your sensitive documents in a separate, controlled and monitored environment; i.e., not on a web server.

Thursday, 23 August 2012

Who Needs a Zero-Day? "Plants are Insecure by Design" - Dale Peterson

Dale Peterson of Digital Bond is one of the most respected security voices in the Industrial Control System community. He runs an annual SCADA security conference called S4 that's always filled to capacity and he has equal credibility with the U.S. Intelligence Community (Dale's an ex-NSA'er) and the private sector. His blog post "Suits & Spooks vs. Engineers" is a great read because it underscores an important issue: security engineers talking exclusively to other security engineers frequently results in nothing getting done. Here's how Dale put it in his article:
Over the past ten years I have seen a dramatic increase in the cyber security of a specific DCS or SCADA system occur in two different ways:
(1) A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture is at a level that most in the ICS security community believe is near impossible or doesn't exist.
(2) The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than equipment purchase, so with the right emphasis and diligence over years an Operations team can get there. 
So one key is to convince CEO/COO or those that influence CEO/COO that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEO/COO at ICSJWG, WEIScon, SANS Summits, … or on this website. 
Of course it would help if those active in ICS security would stop "the soft bigotry of low expectations". The security deficiencies, from insecure by design to basic security implementation vulns, are frequently bemoaned, but the same people who recognize the dire situation more often make excuses than call people or companies out to fix the real problem.
Please read Dale's entire article, and if you agree, please support Suits and Spooks Boston by registering to attend and spreading the word. And if you want to add your company's name to the event, we're still looking for one more corporate sponsor.

Monday, 28 November 2011

Actress, Banker, Soldier, Spy: Announcing Suits and Spooks II

I'm pleased and excited to announce an open registration policy for our next Suits and Spooks conference, scheduled for February 8th, 2012. It'll be held at the beautiful Waterview Conference Center in Rosslyn, VA, and registration will be limited to no more than 100 persons. Breakfast, lunch and a cocktail reception afterwards are included.

The Challenge: Shaping a Revolution in Security Affairs.
The complexity of today's computing environment has surpassed anything that the world has seen before. The amount of data generated globally is 72 Gigabytes per person on earth, according to a 2011 EMC report. Past models for securing that data have had marginal to zero effectiveness. The U.S. government has produced multiple cybersecurity initiatives over the years which lay out many hard challenges along with recommendations for R&D. Suits and Spooks II will explore new thinking on how to re-shape an information security framework based upon the revolutionary work of individuals across a wide swath of disciplines, including medicine, finance, entertainment, and technology. This transdisciplinary approach will include a visual scribe and real-time link analysis projected onto a split-screen behind the speakers. At the end of the day, we'll produce a report on our findings and distribute it to the relevant agencies.

This second event is going to be different from our first Suits and Spooks conference in two very important ways:
  1. Open Admission. The first event was by invitation only because we were creating offensive and defensive strategies using social media as an attack platform. For obvious reasons, we felt it necessary to control admission. This event is focused on problem-solving using a multi-disciplinary approach (also known as Transdisciplinarity), hence an invitation-only event would be too limiting. If you have an idea about how to build a better security framework, we want you to attend; however, we can only accommodate 100 of you.
  2. Audience Participation. We call these events an anti-conference because we aren't interested in packing seats to listen to lectures, nor are we interested in introducing customers to vendors. We involve the attendees directly in accomplishing the objective of the event. In this case, we'll be performing live link analysis using a mind-mapping application (we haven't selected one yet) on a screen behind the speakers. This will be done simultaneously with the speakers' presentations. Attendees will be able to send SMS messages or use a white board to communicate their insights into how any given speaker's presentation may connect to another speaker's presentation on a different topic or to the challenge that we're addressing. An operator will transfer those insights and connections to the application and build linking diagrams in real time.
We have some great speakers lined up, and I'll be featuring several of them in follow up posts this week. For starters, there's Christopher Burgess, Daniel Geer and Janina Gavankar:

Christopher Burgess. Christopher serves as the Chief Security Officer and President Public Sector for Atigeo, LLC, a compassionate technology company. He most recently served as the senior security advisor to the CSO of Cisco, where he led the Global Threat Analysis, Global Investigative Support, Government Security Office and Litigation Support teams. Prior to joining Cisco, he served for more than 30 years as a career intelligence officer within the Central Intelligence Agency. Christopher was awarded the Distinguished Career Intelligence Medal by the CIA in recognition of his sustained significant accomplishments in the national security arena. He sits on a number of advisory boards, including Mayo Clinic's Social Media advisory board and Rune Information Security. Burgess is also a sought-after speaker and writer, providing thought leadership on the topics of intellectual property protection, security stratagem, online safety & privacy, social media, security education and awareness, intelligence, counterintelligence, protecting against corporate/industrial espionage and global geopolitical/economic affairs. Additionally, he is the co-author of "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century".

Daniel E. Geer, Sc.D. Dr. Geer has 10 years in clinical and research medical computing followed by five years running MIT's Project Athena, the first distributed computing emplacement. After a series of entrepreneurial endeavors, either as a founder or an officer of the company, he's now in government service at In-Q-Tel, the investment arm of the US intelligence community. Dr. Geer's milestones include: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on electronic commerce (1995), the "Risk Management is Where the Money Is" speech that changed the focus of security (1998), the Presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for "Cyberinsecurity: The Cost of Monopoly" (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-present), author of "Economics & Strategies of Data Security" (2008), and author of "Cybersecurity & National Policy" (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011). His participation in government advisory roles includes the Federal Trade Commission, the Departments of Justice and Treasury, the National Academy of Sciences, the National Science Foundation, the US Secret Service, the Department of Homeland Security, and the Commonwealth of Massachusetts.

Janina Gavankar. Janina is an actress (HBO's True Blood) and a social media developer. I invited her to speak at Suits and Spooks after reading this Forbes article about how she found an innovative way to solve a problem that she and many of her fellow actors struggled with and that existing platforms like IMDB didn't solve. She kindly agreed to take time out of her HBO shooting schedule to make the trip to DC and share details about the problem set and her innovative approach to solving it. Understanding how individuals are tackling and solving hard problems outside of the information security industry and whether we can gain insights from that to apply to InfoSec will be a key component of our February event.

More speakers will be announced this week. I can promise you that Suits and Spooks II will be unlike any conference that you've ever attended. We anticipate a lot of interest in attending this event, so I recommend that you take advantage of the early bird discount and register today. A free signed copy of the second edition of my book (due out in January 2012) will be included for all attendees.


Thursday, 03 March 2011

The Coming Backlash Against Information Security Vendors

Last week I spoke at a private dinner attended by about a dozen Fortune 100 CIOs. I had been invited to share my perspective on why corporations continue to be compromised in spite of millions of dollars being spent on enterprise IT security solutions, and to offer my recommendations on some alternative protective strategies. I was delighted at how eager the attending executives were to discuss their frustrations and share their experiences in trying to protect vast networks spanning, in some cases, over 100 countries. One of the takeaways for me was the almost visceral anger that some executives felt for "Big InfoSec". Big InfoSec is starting to emulate "Big Pharma": those giant drug companies who have no interest in curing an illness because the money is in treating symptoms, not in finding a cure. The parallels to large anti-virus companies were obvious to everyone.

But it goes far beyond growing disillusionment with Anti-Virus, IDS, IPS, behavioral analysis and other off-the-shelf solutions. There's a growing lack of trust inside the C-suite in the ability of automated solutions to protect key corporate assets. An even more extreme situation exists in India where there's NO trust in private industry by the government. One Indian national security advisor explained it to me this way: "How do we trust a company whose motive is profit to act in the best interest of our country?" And he has a point. There are very few U.S. multi-national companies who calculate national security interest when weighing their investments in foreign states that are potential adversaries to the U.S. unless such an action would also result in higher profits for the company's shareholders. Likewise, how does a CIO know that the sales engineer for XYZ security company is presenting the best solution for the CIO's company or simply a solution that's best for XYZ's bottom line?

The coming backlash against Information Security vendors is just beginning to brew. It's taking place in private conversations among senior executives at events where Chatham House rules are invoked or after NDAs are in place. I don't believe that it'll emerge from under the surface into a full-blown tsunami until 2012 but by then it'll be too late to do anything but scramble for cover and hope that there's something left of your over-valued InfoSec company to salvage afterwards.

UPDATE (07 Mar 2011): Robert Vamosi wrote an excellent article which underscores the point that I tried to make: "Why Cybersecurity Should Focus On Failure". 
