Category Archives: cybersecurity

Get Over It, Already

“Thousands Across the U.S. Protest Trump Victory”, USA Today, November 10, 2016.

“Not My President, Thousands Say”, Washington Post, November 10, 2016

“Campuses Confront Hostile Acts Against Minorities After Donald Trump’s Election”, New York Times, November 10, 2016.   (An article about how some Trump supporters are targeting minorities with hate crimes.)

I’ve rarely blogged here about political themes or issues (a notable exception:  Last year when Trump slandered John McCain’s military service.   I’m a retired Army Officer and that was too much.)

I’m also an unabashed Democrat and supporter of Hillary Clinton.  I’m fiscally conservative – too often liberals and Democrats think government is the solution to every societal problem, and they implement new taxes or programs without thought about the negative effect of higher taxes on rents, housing prices and middle/low income wage earners.

But the election is over.   Hillary Clinton won the popular vote.  More voters felt she was the best choice for President.   But, under the Constitution and the Electoral College, Donald Trump won the presidency.  To the protestors and the Trump-supporter-hate-crime-perpetrators I say “Get Over It”.

To the protestors, I say:  did you vote?  Where were you over the last 6 months?  Why didn’t you work on registering voters and getting out the vote before Tuesday November 8th rather than taking to the streets in virtually fruitless protests afterwards?  Get involved in your government, your public safety and in politics starting today so you can really effect the change you want.

I could, like the protestors, write and scream about all the regressive laws and consequences which will take place over the next two years:  repeal (rather than fixing) Obamacare, actions against immigrants (although, frankly, Obama deported more illegal immigrants than any prior President), backing away from climate change and environmental protection, and so forth.

But, to be honest, Donald Trump will be President and we all need to concentrate on common ground – on all the work that needs to be done to improve the safety, quality of life and economy of the United States.

Here are some examples of such common ground:

  • Infrastructure. Both Clinton and Trump correctly proposed massive increases in spending on roads, bridges, utilities and other infrastructure.   Let’s get together and do it.
  • Cybersecurity.  The Obama Administration has made great strides toward improving our cyber warfare and defense capabilities, and we need to do more.  In particular, we need to protect our local and state governments, our financial institutions, our defense industries from the potential of a devastating cyberattack.  Let’s get together and do it.
  • Veterans. It is a serendipitous coincidence that I publish this post on Veterans’ Day, 2016.  The terrible and stupid Iraq war perpetrated by the Bush-Cheney administration has resulted in hundreds of thousands of mentally- and physically-injured veterans.  The Obama Administration has started to correct the awful way the VA Healthcare system has treated veterans, but we must do more.  I support a son-in-law – a Marine with 100% disability – by buying him food and helping him with rent and care for his PTSD because his military disability pay and care is simply not sufficient for him to live in Seattle.  But many veterans don’t have anyone to help them and end up homeless and wandering the street, causing problems for our police and paramedics and emergency rooms.  For example, the Seattle Police Department alone has 10,000 encounters a year with people in crisis on the streets, many of them veterans.  Let’s get together and fix this.
  • Mental health and Opioid Addiction. Just as with veterans’ care, many people have mental health issues and/or are addicted to heroin, methamphetamine and other drugs.  Up to 60% of the calls a Seattle police officer handles are people in crisis.  This must be addressed and it is a bi-partisan issue.   Republican Ohio Senator Rob Portman has made addressing opioid addiction a centerpiece of his campaign and his legislative agenda.  Let’s get together and do it.
  • FirstNet and support of our First Responders. I joined the First Responder Network Authority because I fervently believe in its mission to build a nationwide wireless network for public safety and our first responders.   FirstNet was created by both Republicans and Democrats in bipartisan legislation passed in 2012.  That legislation funded FirstNet with $7 billion from sale of spectrum to commercial carriers, and that same sale provided $35 billion or more to reduce the deficit.  FirstNet will give first responders – indeed all public safety responders – the technology and tools they need to deal with many of the issues listed above, as well as crime, wildfires and emergency medical care.  Let’s get together and do it.

  • Internet of Things (IoT). Many if not most of our electronics and gadgets will become part of the Internet of Things, perhaps 25 billion devices by 2020.  Smart light bulbs, thermostats, DVD players and video cameras are just the start. Utilities will connect every water and gas and electric meter, transformers, valves and the rest of their infrastructure.  Industry is creating whole manufacturing plants with every device connected.  But IoT is a huge security risk, as shown by the Mirai IoT botnet attack of September 20th.  IoT poses both great potential and risk for our society, and, frankly, the IoT needs to be regulated and secured as well as deployed.  Let’s get together and do it.
  • The march of technology and loss of jobs. Much Presidential campaign rhetoric talked about the loss of jobs to China or Mexico.  But, frankly, only 12% of the 5 million factory jobs the United States lost since 2000 have been lost to trade.  A whopping 88% of the job loss is attributable to automation and robotics!  Indeed, U.S. manufacturing output increased by 18% between 2006 and 2016, while the number of jobs decreased.  The issue we need to address is finding living wage jobs which can co-exist with the never-ending march of technology and automation.  Let’s get together and do it.

I agree, there is a time to protest, and I’m certain I will be in the streets at some point in the next two years.

But I’m also going to roll up my sleeves, find common ground on the issues I’ve listed above, and work to continue the improvements in the economy, quality of life, technology, infrastructure and public safety which have happened in the years since the beginning of the Great Recession (graphic at right).

I encourage you to join with me.

Let’s get together and do it.

Fearing Government, Fearing Technology: the Ying and Yang

Americans fear government corruption more than anything else.

More than terrorist attacks, identity theft, running out of money, economic collapse, drunk drivers, police brutality, insects and snakes.   Gee, we fear Government Corruption more than we are afraid of Obamacare and even more than Reptiles.

Government corruption?  In the United States of America?   Our greatest fear?

And that fear trumps any other by a wide margin – 13 percentage points.   Our second greatest fear – Cyberterrorism – isn’t even close.

Well, so says Chapman University’s Wilkinson College of Arts, Humanities, and Social Sciences which recently completed a statistically valid survey of what Americans fear.

Chapman classified all the fears into 10 “fear domains” such as man-made disasters, technology, government, crime, daily life, and so forth.   As a group (or domain), Americans most feared man-made disasters, then technology, then government.  Lowest domains on the “fear scale” are Personal Anxieties, Daily Life and the Judgment of Others.

This makes some sense.  We believe we have much more control over our personal lives than we do over global issues such as war, disaster, or even the march of technology.  “Daily Life” we as individuals can conquer.  “Cyber terrorism” not so much.

Here are the respondents’ worst fears:

| Fear | Fear Domain | Afraid or Very Afraid |
|---|---|---|
| Corruption of Government Officials | Government | 58.0% |
| Cyber-terrorism | Technology | 44.8% |
| Corporate Tracking of Personal Information | Technology | 44.6% |
| Terrorist Attacks | Man-Made Disasters | 44.4% |
| Government Tracking of Personal Information | Technology | 41.4% |
| Bio-Warfare | Man-Made Disasters | 40.9% |
| Identity Theft | Crime | 39.6% |
| Economic Collapse | Man-Made Disasters | 39.2% |
| Running out of Money in the Future | Personal Future | 37.4% |
| Credit Card Fraud | Crime | 36.9% |

Many, if not most, of these concerns revolve around technology.  Even a couple of fears classified as “crime” are really technology-based:  identity theft and credit card fraud.

“Fear of technology” is a long-standing and even ancient human dread.   Such fears gave rise to the Luddite movement, when humans smashed power looms creating cloth in the early 19th Century, and many science fiction stories ranging from Frankenstein to the 1927 film Metropolis to the computerphobia of the 1980s (“you’ll never get one of those damned computers on my desk.  I have a secretary with a typewriter.”)

New waves of techno-phobia are now washing our shores, including the fear of robots taking over work and a significant new fear of artificial intelligence (AI).  Even tech heavyweight entrepreneurs such as Elon Musk and Bill Gates have voiced the fear of AI, which, of course, might be the last fear humans ever have, as our future robot overlords decide to do away with the frail, short-lived, human beings who created them.  This concern about AI has caused the White House to hold four workshops around the United States to address the effects of artificial intelligence.  The first one, held in Seattle on May 24, 2016, focused, perhaps not surprisingly, on the effects of AI on government and the legal system.

Tracking Personal Information

Some of these fears interact with each other.  Respondents to this survey clearly are concerned about tracking of their personal information by corporations and governments.  Yet many of us willingly “opt in” to this tracking, using store loyalty cards or tagging the faces of our friends and children on sites such as Facebook and Instagram.

Don’t we know that we are willingly building huge corporate databases every time we search for something online or make a credit card purchase?  Every time we tag a friend’s face online we are contributing to a vast corporate data store which will be (or perhaps is being) used for facial recognition.  For these reasons, and the advent of apps like FindFace, the Observer recently recommended individuals pull all their photos off the Internet. (If you check out my Facebook page you will see very few photos of family.)

And access to these databases is sold to the highest bidder.   Soon we’ll walk into a restaurant or other store and be greeted by name, thanks to a database of faces and facial recognition software.  Perhaps the greeter will be a robot replacing the infamous elderly WalMart employees at the door.   The greeter will ask what we want for dinner or what we are shopping for, and even make suggestions based upon our previous purchase history of food and menu items, or our most recent online searches on Amazon.

Mobile phone companies are getting into the tracking game.  Verizon has tried it, and NTT Docomo launched its tracking software in May, 2016 (that link, if you click on it, has a tracking code embedded as well!).

Potentially even more disturbing uses exist.   Perhaps a store will match our face and identity with our history of unpaid parking tickets.  And some big data algorithm will identify that people with unpaid parking tickets who have few Facebook friends but are looking to buy camouflage clothes are at high potential for shoplifting.

Many private buildings and stores also use video surveillance.  These private videos were essential to capturing the Boston marathon bomber.   But how do corporations use their troves of video data?   Are they marrying facial recognition databases, online search/shopping data and video so they know and track who is on premise?  Certainly such data is useful in solving theft and other crimes, but how else might corporations use it?   It is possible that the whereabouts of individual human beings might be constantly tracked in the future, as soon as they leave their private homes.

Government Tracking and Corruption

Edward Snowden revealed new information about United States Federal Government tracking of data including a database of cell phone call data (although not, as far as we know, recording of domestic calls themselves).   We also know local and federal law enforcement has used “stingray” devices to simulate cell sites thereby capturing the identities of all cell phones in a geographical area.   Many jurisdictions have extensively deployed video surveillance cameras as well as dashboard cameras and now body-worn video.

Furthermore, some police departments are monitoring social media including Twitter, Instagram and Facebook.  Much of this “monitoring” is really for criminal investigation.  Many crooks are notoriously vain and stupid, posting their hauls from home burglary on Facebook or fencing the goods on Craigslist.  Unfortunately, domestic violence threats and threats toward teachers and schools are also often found on social media.

No police department, in my extensive personal experience, is building a giant database of facial images and personal information for tracking and spying on citizens.  Certainly such databases exist for people who have been booked into jail, and facial recognition apps exist for use by law enforcement, based upon mug shot databases.  But collection of information about individual law-abiding citizens is, I think, rare.

And this brings me full circle back to Americans’ Number 1 fear:  government corruption.

Again, in my personal experience, corruption simply does not exist in the work of the average government employee.  On the West Coast, at least, police officers don’t accept $20 bills when you hand over your driver’s license after being caught speeding, and building plans officials don’t expect cash to expedite a permit or overlook certain violations of the building code.   There certainly are individual cases of corruption such as one which recently occurred in Utah.

Politicians – elected officials – get in trouble all the time, to the point where Virginia and Illinois both seem to expect corruption from their Governors.

And, indeed, perhaps this is why Americans fear Government Corruption.   It is not the cop they meet on the street, or the building inspector, or the DMV license examiner.  It is the Governor, the assemblymen, who are on the take.   It is Hillary Clinton, who kept her State Department email on a server in the basement of her home, or Donald Trump, who lies publicly about Muslims rejoicing after 9/11, yet wins elections.

Perhaps government corruption should be our number 1 fear.

Cyberhacked – Again

In the face of continuing breaches, what are Governments to Do?

The depressing news made headlines in Washington State and nationwide last week – the Washington State Courts systems had been hacked, and about 160,000 social security numbers and the information from a million driver’s licenses were potentially exposed to hackers. This announcement was almost coincident with the news of $45 million stolen from the world’s cash machines, a problem with weak security in several private banks.

Plenty of similar news abounds – South Carolina’s Department of Revenue had a data breach which affected 6.4 million businesses and residents and has cost the state $25 million, so far. The State of Utah had the personal information (social security numbers, healthcare information, etc.) of 780,000 residents compromised in 2012. Indeed, 21 million people have had their health records lost or stolen or breached in the last three years, and millions more have been victims of identity theft, loss of credit card or personal financial information, and similar issues. Even law enforcement is not immune, as the Salt Lake City police department itself was hacked and information lost in early 2012, and the Honolulu Police Department revealed a breach this past week as well.

Believe me, these reports are just the tip of the iceberg in terms of lost or breached data in government and the private sector.

What’s a government to do?

I have several practical suggestions:

1. Hang together, don’t hang separately.

In every government, departments are silos. Each department wants to assert its independence from the others and manage its own data, technology and IT systems. At another level, there are three branches of government – judicial, legislative and executive. For the Federal government these are the federal courts (e.g. U.S. Supreme Court), Congress and the President. Each branch asserts its independence from the others. And, of course, cities are independent of their counties who are independent of their states and everyone mistrusts the Federal government.

When it comes to cybersecurity, this is bullshit.

The “bad guys” are incredibly well-organized. Bad actors could be a criminal syndicate, as in the ATM hack earlier this week, or Anonymous, or even nation-states. Several national governments – China, Israel and the United States – are widely cited as developing cyber weapons.

To respond to these threats, cyber defense teams have to work together, ignoring their organizational silos. There might be separate teams in separate branches or departments, but they need to support each other, probe vulnerabilities in each others’ systems, and actively share information. Every government should have cross-agency cyberincident response teams and forensic investigation teams which are activated at a moment’s notice whenever an incident – even a single infected computer – occurs.

2. Actively use private sector resources.

Many private companies will handle credit card processing, perform vulnerability scans, and do risk assessments. They’ll even manage a network on behalf of a government. No government should be doing its own credit card processing or holding/securing citizen credit card information. At the very least governments can contract with private companies to scan their networks and websites for vulnerabilities, do audits of internal systems, and similar work. Private companies will have much more expertise than most governments can hope to hire directly.

3. Consider the “cloud”.

Amazon, Microsoft, Google, and a number of other companies offer to store data or manage applications at their data centers and sites, in their “cloud”. These companies have teams of information security experts to protect this data. Governments should actively think about using such services. One problem is contractual – most cloud providers want to limit their liability in case a breach occurs. Unfortunately, I’m not aware of contract language with a cloud provider which would satisfy all of a government’s concerns about breaches and loss of personal information, and I encourage your comments about this.

However, another alternative is for one government to create and host cloud services for others, again using joint cyber protection and response teams. Such a technique might also address other concerns such as the need for backgrounding data center employees for CJIS or HIPAA compliance.

4. Use hackers.

Every state has a major university. A friend of mine, CISO at a university, has described the school as having “35,000 potential hackers”. Governments could create special relationships with their colleges and universities to employ students and student interns in a wide variety of tasks to manage, monitor and audit/probe their government systems. This technique has the added advantage of helping to train these students – give them practical skills necessary to solve the shortage of information security workers.

There are, undoubtedly, many other protection techniques governments should adopt. A major problem in my experience, however, is complacency. “Our techniques are working.” “It can’t happen here.” “We passed a cyber security audit last year.” Again, such complacency is bullshit. Cyber attacks, vulnerability discovery and the application software we use change too rapidly.

This underscores the most important of my suggestions – the first one – working together. Too often we government employees put our department first, or believe we “work for the xxx independent branch of government”, not the governor or mayor or legislature or (fill in the blank). Maybe we’re afraid of losing our jobs or fear what the results of an audit might disclose.

In the face of the attacks above, this attitude, this culture absolutely must change. We all work for the citizens of our city or our state, who entrust us with their sensitive data. And we absolutely must cooperate much more to safeguard that information.

After all these data breaches, have we learned our lessons?

Sadly, I doubt it. I expect that, over the next 12 months, I’ll be tweeting and reporting further breaches and potential losses of citizen information.

When will we really learn?

(Full disclosure:  I now work for the State of Washington.  However I have no “inside” knowledge of the breach at the State of Washington Courts.)

Can a City be Hacked to its Knees?

The New York Times had the audacity to research and write a story critical of Chinese Prime Minister Wen Jiabao’s family.  In return for its journalism, the Chinese government apparently unleashed a four-month-long hacker attack against the Times stealing, among other data, every one of its employees’ passwords.  This effort was apparently searching for the sources for the story.  Ars Technica has a short, frightening, account of the hack.  And, of course, the Chinese government succeeded – would people critical of the regime dare to talk to the New York Times now, knowing its technology can be hacked?

There are many related and frightening stories – the Wall Street Journal was attacked, a power station in the United States has been offline for three weeks due to an attack based on a USB drive, and, of course, Anonymous (or someone) has been hard at work with denial of service and web defacing attacks on banks and government agencies.

Could a City, County or State government be subject to a similar attack?

A few years ago, when I was CIO in Seattle, I would have dismissed the notion out of hand.  A City government does not hold the secrets to making a nuclear weapon in its digital vaults, nor do cities have active networks of foreign spies (with the possible exception of my friends in the Big Apple) whose identity needs to be uncovered by foreign powers.

Today I feel exactly the opposite.

Cyberwar is real.  Cyberwar is happening today, even as I’m writing this.   And the New York Times attack is only the latest.

The evidence is everywhere.  Nation-states (and perhaps others) are creating malware with the express purpose of attacking other nations or private companies.  Stuxnet is one example, as is the malware which fried 30,000 computers at ARAMCO in Saudi Arabia.  Many governments have been compromised with malware to steal money from their accounts by stealing finance officers’ passwords.

Why would anyone – other than a criminal botnet out to hack finances and bank accounts – target a City or County or State government?

The New York Times attack highlights the reasons clearly.

Suppose a Mayor or Governor publicly opposed allowing trainloads of coal to pass through their city or state, in order to be loaded onto ships, sent to China, and used to power the Chinese electrical grid.  Wouldn’t such opposition essentially constitute economic warfare and potentially provoke a cyber response?

Suppose a Mayor or County Executive, hoping to combat a rash of gun violence, initiates programs for a network of video surveillance cameras and gunshot detection technology (read:  microphones) in a City.   Could that provoke Anonymous or a similar organization?

Defacing a City or County website is bad.   Stealing taxpayer money from government bank accounts is worse.   Compromising SCADA systems to shut down a water supply or electric grid is dangerous.  But we haven’t yet seen the worst potential attacks, such as bringing down a 911 telephone network or freezing a police or fire computer-aided dispatch system or perhaps crashing a public safety radio network.

And these overt acts pale by comparison to covert actions which may be occurring undetected – systematically compromising and falsifying utility bills, or hacking into and changing criminal and court records.    We have no evidence such covert acts have ever occurred, but given the myriad of different levels of government and many repositories for the information, such databases must represent a juicy and lucrative target for criminal networks, Anonymous and even nation states.

All these potential threats indicate cities, counties and states cannot be complacent, but rather need active cyber security programs, preferably in cooperation with other agencies.

Yes, Dorothy, a City could be hacked to its knees.   Worse yet, it might not be discovered for months or even years after the act.

My Mother-in-Law, Ms. Btfsplk

This past week Gizmodo/Wired Writer Mat Honan’s iPhone, iPad, iCloud (and probably iRaq) were all hacked and wiped clean after a hacker stole his password, aided and abetted by the help desks of none other than Amazon and Apple.

This little episode provided plenty of grist for the blogosphere this week, as tech writers far and wide trotted out their best advice for us common folk to avoid getting our finances and data drawn, quartered, toasted, fried and bobbed like an Apple on Halloween. Mr. Honan himself probably got the highest blog hit rate of his career, and Slate’s Farhad Manjoo wrote a serious column on the subject. My friend Glenn Fleischman of Seattle exposed his answers to all the common security questions, thereby saving hackers the trouble of a brute force attack on his own Internet presence.

Of course I have to partake of this Dear Abby Advicefest as well, giving government CIOs and employees some expert security advice on how to avoid being Mat-ed (not mated) or Honanized.

1. Always reboot without saving your files and never take time to make those pesky backups. Apparently Mr. Honan was following this advice to the letter, as he didn’t have backups of his data.

2. Make sure you choose a password extraordinarily hard to guess. Preferably one which uses a lower case letter, an upper case Cyrillic character, a middle-kingdom-sized Chinese hanzi character, a Roman numeral, and a special character with an IQ less than 80. Or, if you have a unique first name (like “Mat” as opposed to Tom, Dick, Harry or Bill) you can just use your first name as a password.

3. Completely Trust the company making your devices, especially if they have a monopoly, and they have the most popular products in the market, and their name can be confused with a common fruit. If they say you can “find your fruit-phone” and remotely vaporize, slice and dice it like the promises of a Popeil Veg-O-Matic, and they further promise all your data is safe in their cloud with the gold lining (their gold, not yours), what more do you need?

4. Have all your password resets pointing to the same email address, and make that email address something easy for anyone to guess. Something like bill@schrier.org using both your firstname and lastname. That way once you or the hacker have your email password, access to all the other jewels in your kingdom falls easily into place. (Yes, yes, bill@schrier.org is indeed my personal email address. But I’m not worried about getting a lot more spam and malware to that e-mail account, as I have spam-blocker software from a company which only has to issue security patches twice a month whether they’re needed or not.)

5. Turn on six factor authentication immediately. This means you’ll have to prove your identity using six different methods whenever you log into a website. Ideally, those methods would include:
a. A strong password like, well, “Mat” – see above.
b. A retinal scan, preferably one conducted with a military-grade laser.
c. A sample of your DNA. Drawn from a fresh blood sample. After two days your thumb will look like a pin cushion.
d. A hard-to-guess personal attribute like your mother-in-law’s maiden name.  Like Btfsplk.  If you’re unmarried or your mother-in-law is unmarried or she kept her birth name, or your mother-in-law is a guy, you’re really in trouble on this one.
e. The key fob which opens your garage and perhaps fires missiles from a nearby nuclear submarine.
f. A toeprint from your company’s Chief Information Security Officer.

There are many advantages to six factor authentication. For one, it is so complicated you’ll never be tempted to use online services, and therefore cannot be hacked. For another, your authentication will always be within one degree of separation from Kevin Bacon.

Ok, ok, enough levity already. I don’t really mean to offend my favorite fruit company (gee, I have five fruit-iPhones on my personal plan), or Mat Honan, who I’m sure is as gifted a writer as he is poor at backing up his data, or my favorite hometown retailer, Amazon. We all make mistakes, especially in this rapidly evolving technology age. And we learn from them.

Oh yeah. Read Manjoo’s column and follow his advice.

And don’t answer your security questions like Glenn does!

Tech Terror List 2010

We are at the end of this quite frightening year of the Great Recession 2010, and at the eve of another frightening Halloween filled with tiny goblins ringing the front door shouting “trick or treat”.  But what are the “real world” goblins knocking at the door, and facing the chief information officer who opens it?

It is time for me to update my 2008 list of nightmares which frighten a CIO. 

Tablet computers (and smartphones). Tablets were on my 2008 list, but are on my 2010 list for an entirely different reason. They’re everywhere. They’re invading! They’re unmanageable.  And every employee wants to use their own. CIOs have long practiced the mantra of standards standards standards.

You need a computer? Yup, we give you a standard HP model with Windows XP, Office 2007 and Anti-Virus loaded on it. You need a smart phone to do your job? Yup, here’s your BlackBerry connected to Outlook and locked down from installing any dangerous applications which present a security threat.

All of a sudden it’s “HELLO Mr. CIO” – the iPhone explodes on the scene, then it’s the iPad, and soon it will be the Windows Phone 7 and Android phones and the RIM Playbook and the Samsung Galaxy. And employees LIKE them and wonder why Mr. CIO is the Grinch and won’t connect them to e-mail and the network.

But of course the Outlook sync doesn’t work exactly right on the iPhone and appointments get dropped. Oh, and someone loses their Android smart phone with all the home and cell numbers of half the police command staff but gee we can’t remotely wipe its contents because installing the remote wipe software is the bureaucratic Sign of the CIO Grinch. Oh, and all of a sudden a public disclosure (FOIA) request comes in and the employee needs to cough up all the documents and messages on their personal iPad, even though some of them are quite personal or even relate to the employee’s personal business or political activity. And oh, gee, by the way, the employee “forgot” to back up all those docs on that personal device, violating not just the public disclosure act but the records retention act as well.

In the meantime, the budget of the IT department has been cut 13.3%, and I’ve laid off 5% of my workforce, but still we’re the Grinch because we can’t support this exotic stew of personal devices.  Arggh!

(I’m convinced we’ll eventually support personal smart phones and tablets, but we need better tools and more staff. For 2010, they remain on my Tech Terror Watch List.)

Cyberterrorists and Malware. There is much new to fear on this front in 2010. There is the Stuxnet worm, apparently written by a nation to infiltrate and damage Iran’s nuclear program, but sophisticated enough to attack many industrial or electrical control systems, and hard to find and eliminate. This is only the tip of the iceberg of a new set of computer viruses and malware written by nation-states to attack each other.

Then there was a rash of Trojan viruses and keystroke loggers which infiltrated some government and school sites.  These viruses stole passwords for financial employees at these firms, and those passwords were used to steal hundreds of thousands of dollars.

And there is the appearance of malware on legitimate websites, so even innocent employees doing their job on the Internet could get their computers infected.  Cyber threats go onto my Terror Watch List.

Stop and Think, before Connecting (and also have a good firewall and anti-virus program!).

Smart Phone Apps. One problem with Smart Phones is that anyone can write an app for them, including criminals, hackers and cyberterrorists. Apple, at least, reviews and tests Apps before allowing them into the iTunes store. Such testing doesn’t happen for BlackBerry or Android apps. I really hope Microsoft does thorough testing on its Windows Phone 7 apps before releasing them into the wild. Smart Phone Apps go onto my Terror Watch List.

Water. And Fire. These remain on my watch list for the same reason as in 2008 – a broken water pipe or a fire in my data center can put it out of commission for a considerable length of time. But this year there is hope – “the cloud”. And no, the Cloud doesn’t rain on the parade of my technology. It means that many of our services and applications might eventually live in the Cloud of servers and storage in distant data centers, much less susceptible to earthquake, fire, water and other disasters.

Speaking of Fire, I have a very recent story to relate. Early on Sunday morning, October 17th, someone started a fire (probably to keep warm, as it is a place homeless are often found) behind a rented City building near 3rd and Main. That fire raced up a conduit burning through fiber and copper cables, bringing down phone and data network services to Seattle’s Fire Administrative Headquarters and main transportation department dispatch center.

The outstanding information technology staff of my department, with support from cabling contractors and Fire/Transportation department staff restored most services within 18 hours, but it illustrates why Fire remains on the Watch List.  And why skilled, dedicated, employees are the best defense against such terror.

Customer expectations. Most terrifying of all is the rise of customer expectations in the midst of the Great Recession, falling IT budgets and reduced staffing. Government employees use computers at home, use tablets and smart phones. They bank online, download apps, text message and use Facebook and blogs. But with reduced technical staff, plus a whole series of requirements like HIPAA and CJIS and the public disclosure act, the CIO Grinch has fewer and fewer resources to meet the expectation that those same tools and applications can all be used at work.

On Halloween, 2010, it is those increased expectations which really terrify me as a CIO.


– Cyber City Armageddon?

and Loose Laptops Sink Cyber (Security)

Is City-Cyber-Armageddon just around the corner?

Today City governments depend upon technology – more than ever – to operate.  Constituents depend upon the Internet, web, e-mail, cell phones to communicate with their government for information and services.  But, gee, how secure and reliable are these systems, these networks and these communications?

I recently had a non-classified meeting with some fedgov Department of Homeland Security cyber folks, and DHS contractors about potential cyber security tools.  I’m a “geek”, so I love tools and software.  I’m a senior public official, so I also like charts and graphs and statistics.  My meeting had plenty of both tools and statistics.  But I walked away from the meeting ready to move to a mountain cabin “off the grid” and isolated from the world.

Is cybersecurity really a major issue?  What can a municipal government do to improve HomeCity Security?

Is it an issue? I offer the following observations:
•   A laptop computer with records of 26.5 million veterans was stolen from the home of a Veteran’s Administration employee in May 2006 (later recovered).  But these veterans (including me – I’m a retired Army Officer) received letters notifying us of the problem.  The VA also lost records of 1.8 million veterans in February 2007 and covered up other data breaches.  They (that’s “we” for those of us who pay fedgov income tax) paid for a lot of clean-up and credit monitoring.
•   The day after his inauguration, President Obama published a cybersecurity plan and intends – as a top priority – to appoint a national cybersecurity advisor.
•   Heartland Computer Systems may have lost over 45 million consumer credit card numbers.
•   The nation’s electrical grid is allegedly vulnerable to cyberattack (and my City operates the nation’s ninth largest municipal electric utility with 300,000 customers)
•   Conficker worm may be infecting one million new computers a day

What scares me?

1. Injury to the people who trust the government of the City of Seattle.  The people of Seattle entrust their credit card numbers, their phone numbers, their personal information to my government.  When they call 911, they expect help.  And we’ve had web-based SQL databases compromised by SQL injection attacks, so any constituent visiting those websites receives computer viruses… from us!   If someone is hurt physically or financially or emotionally because we’ve failed to keep the telephone network or their personal information cybersecure, I’ve failed as CTO, and I’ve failed big-time.   I never want to be sending letters like the one I received from the VA.

2.  Damage to the City of Seattle’s reputation.  One reason my government works so well is that the people of Seattle trust us: last November, despite a looming recession, they passed levies to fund more parks, a Pike Place Market renovation, and a $17 billion transit system.  A cyber-incident will damage that special relationship.

3.  Outage of the City’s technology systems. Constituents use technology to report problems and request service from the City.  They call 911 or 684-3000 (utility customer service).  They send e-mail.  They pay bills on the web.  And City employees use technology to coordinate our response – radio systems for public safety, telephone and data networks, electronic mail systems, Windows servers and a 24×7 data center.  I’m proud of 99%+ uptime on those systems to “make technology work for the City.”  Cyber incidents endanger those systems.

How can we improve HomeCity Cybersecurity?  Here’s what I’m doing:

1.  Hired a damn fine CISO.  My Chief Information Security Officer, Mike Hamilton, is the best.  Worked for a long time in private industry, came to Seattle ready to give his expertise in public service.  Like all CISOs, he sees bad guys everywhere.  Unlike many CISOs, he knows that technology and the Internet are here to stay and we need to take practical measures to make them as secure as possible.

2.  Assemble and train a team of cyber-techies and professional cyber-sleuths.  We have dedicated, skilled IT security professionals scattered throughout City government.  Their departments and agencies spent money to train them, and CISO Hamilton matrix-manages them to patch and secure systems.  We use them as a cyber-incident-management team under Hamilton’s Deputy – David Matthews – to investigate and get to root cause of any potential cybersecurity incident.  They are our best cyber-defense.

3.  Test every doggone Internet-facing application.  Do penetration testing on our Internet connection.  Watch firewall logs.  Apply every Microsoft or Cisco or (fill-in-the-blank technology company) security patch as soon as you can.  No more than five days max from patch release to deployment.

4.  Selectively outsource.  We’ve outsourced management of credit card payments to skilled third parties, rather than “storing and managing our own”.  We can’t outsource accountability, but we can share risk.

5.  Buy some basic tools.  Anti-virus for every computer.  Patch distribution software.  Vulnerability scanning software.  System logging and aggregation software.  Web site blocking software.  Then use it.

6.  Educate, train, harangue and educate again.  The weakest link in every cybersecurity defense is employees.  Employees who transport data from work to home on thumbdrives, potentially losing the data or introducing a new virus or worm.  “Loose lips sink ships” and “Loose laptops sink cyber-security”.  Employees who surf the Internet and hit questionable websites.  We train employees on good security practices, harangue management to enforce them, and then train again.

I’m not as concerned about cyber attacks crippling public safety radio systems or the SCADA systems which control the electrical grid and water supply or traffic signal control.  These systems are vulnerable, but have in-depth layers of defense and employees dedicated to protecting them.

I’m concerned about that single lost portable hard drive with social security numbers.  Or that one SQL server database which should be “read only” but is “read-write” and compromised.  Or that employee who goes to a web gambling site and downloads a day-zero cyber virus.
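The “read only” versus “read-write” database worry above, together with the SQL injection incidents mentioned earlier, can be shown in a few lines. This is an added example, not code from the City or from this post; SQLite stands in for SQL Server as an assumption, and the table, rows and function names are constructed for illustration.

```python
import os
import sqlite3
import tempfile

def build_db(path):
    # Constructed sample data; SQLite stands in for the web site's SQL Server database.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE notices (id INTEGER PRIMARY KEY, dept TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO notices (dept, body) VALUES (?, ?)",
        [("parks", "Trail closed"), ("utility", "Outage map"), ("fire", "Burn ban")],
    )
    con.commit()
    con.close()

def lookup_unsafe(con, dept):
    # Weak form: user input is pasted into the SQL text, so it can change the query.
    return con.execute(f"SELECT body FROM notices WHERE dept = '{dept}'").fetchall()

def lookup_safe(con, dept):
    # Hardened form: input is bound as data and can never become SQL syntax.
    return con.execute("SELECT body FROM notices WHERE dept = ?", (dept,)).fetchall()

def try_write(con):
    # Returns True if this connection was able to modify the table.
    try:
        con.execute("UPDATE notices SET body = 'defaced' WHERE dept = 'parks'")
        con.commit()
        return True
    except sqlite3.OperationalError:
        con.rollback()
        return False

def demo():
    path = os.path.join(tempfile.mkdtemp(), "web.db")
    build_db(path)
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    rw = sqlite3.connect(path)                              # read-write by mistake
    ro = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only, as intended
    result = {
        "unsafe_rows": len(lookup_unsafe(ro, crafted)),  # every row comes back
        "safe_rows": len(lookup_safe(ro, crafted)),      # no department matches
        "ro_write": try_write(ro),                       # refused by the engine
        "rw_write": try_write(rw),                       # content is altered
    }
    rw.close()
    ro.close()
    return result

if __name__ == "__main__":
    print(demo())
```

Bound parameters stop the injection itself; the read-only connection limits the damage to disclosure rather than tampering if a query is still built unsafely somewhere.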

Technology is here to stay. Internet access will only increase.  But we’re working hard to mitigate the vulnerabilities.

And I don’t sleep very well at night.
