Sigh–ber

It’s been a while since I opined on matters I know little about…so I thought I would continue that tradition by putting out a few thoughts about all things cyber.  No doubt you have all heard about cyber-xxxxx until you are becoming immune to the cries of “Danger Will Robinson.”

And that is a real problem because cyber crime, cyber snooping, cyber intrusion, cyber war, and all manner of other things is perhaps the most significant challenge to the well-being of the good ole US of A in this century, IMHO.  I’ve attended a series of meetings and had a couple of events in my personal life that have caused me to think a lot about this problem.  By the way, I don’t claim ownership of any of these ideas.  I have heard them in a variety of places from a variety of people.  I just wrote them down in one place.

Nothing chafes me more than getting my credit card rejected, and then finding out that my credit card company has detected the unauthorized use of my card and I must get a new one.   That’s when I realize just what a poor job I have done in protecting myself….I even have a spreadsheet now with all the web sites that I have to visit to update my credit card number.  It has web addresses, user names, account numbers and passwords all laid out so I can spend about two hours on line changing them all…..Am I the only one with this problem??? I’ve started trying to put everything on line through PayPal, but who’s to say that won’t be hacked next?

Think about all the bad things that have happened due to cyber crime in the last year or so…..Target gets hacked, the Joint Staff email system is fried, the Pentagon Food Court is penetrated, the OPM debacle.  BTW I just got my (less than timely) letter last week from OPM informing me that all the information on my SF86’s was compromised….that’s efficiency for you!!! (No wonder they got hacked if the timeliness of their notification is any indication of their expertise.) How long has it been since we all knew about the OPM fandango???? And yet…..no one has gone to jail on the criminal side and no one has been fired or disciplined….for any of those things.  And I’ve got to say that in the case of OPM, it seems to me the cure is worse than the disease….Let me get this straight…..I get free monitoring for a couple of years and all I have to do is enter in all the personal information they couldn’t keep secure anyway…They want me to enter driver’s license number, bank account numbers, credit card numbers….What kind of idiot do they think I am?  They gooned it up once……and most likely will goon it up again…There’s no way I’m putting all that info into anything that has anything to do with OPM or the US Government, for that matter…(Isn’t the lowest bidder providing most of the government’s security packages?). They should just ask the Chinese or the Russians for my info, since they apparently already have it………but I digress.

As I have been thinking about cyber security and listening to the experts over the past few months, it has dawned on me that this is a problem like no other we have ever encountered.  And that means it’s going to require some very innovative and unconventional thinking to fix it (and thus the perfect reason why DoD shouldn’t be in charge).  Moreover, this problem is much too serious to be given to the techies to manage.  This is far too important to keep in the IT closets of government and corporate America.  Management and leadership must know this stuff cold and be intimately involved every day, in every way.  Why do I say that? Here are a few unique aspects to the problem:

  • Everyone is an operator.  Except for a few holdouts from America’s Greatest Generation, virtually everyone is slammin’ away at a keyboard or tip-tapping on a touch screen or talking to Siri (for those who are unable to get anyone else to talk to them).  You don’t need a license, or any training, or have any awareness of just how badly you can screw things up to “operate” on the Internet.  You all know people who shouldn’t be allowed on the Internet….the people who actually reply to the email from Mr. H. J. Spankle, Esq. from South Africa telling them that their long-lost cousin has left them a fortune. Or the ones who hit the “reply” button on the email from their bank telling them to update their user name and password……And yet they are all out there spending hours on-line, causing who knows how much damage.  Their vote counts just as much as yours, by the way.   This is why cyber experts will tell you that in most breaches, it’s not technology, but people at the root cause.
  • There are no boundaries. There are no borders to control, no time zones, no hours of operation, no holidays, no boundaries of any type on the Internet.  As a result, it’s not clear where jurisdictions begin and end.  I suppose you could say that firewalls are a type of boundary, but even the best of firewalls eventually get penetrated.  I was recently visiting NAS North Island in San Diego and went to the Mother of all Starbucks, located next to the carrier pier.  I tried to use my smartphone app to pay for coffee, but was told they weren’t allowed to use that feature on the base because of the possibility that using the Starbucks Pay App might cause a cyber-intrusion in the base network…Huh?  If that’s the case on NAS North Island, why isn’t that the case at any Starbucks?  They don’t even use the Navy network and yet the Navy is worried about intrusion.  Can that be true?  Do the folks making those decisions really know what they are doing???  I hope so, but it doesn’t make sense to me. This type of mentality reminds me of the old saying in Naval Aviation, “If safety was paramount, we would never fly!”
  • No one is in control. This relates to the no boundaries problem. Since there are no boundaries, it’s not clear who is in charge.   Of course, there are several organizations that may exercise some moderate influence, like the Internet Corporation for Assigned Names and Numbers (ICANN) or maybe some of the companies maintaining Authoritative Name Servers (the keeper of the “phonebook” for domains like .com, .net, .org, etc.).  Until about 1999, a company known as Network Solutions, Inc. did this function, but now several entities claim this responsibility, along with organizations for domains like .biz and .edu.  The United Nations has been monkeying around with Internet Governance as well, claiming that they don’t want the US in charge (BS IMHO) but in the end there is no single “belly button” in charge.
  • There is no difference between military, government and civilian operations. Everyone is in the same boat.  This becomes a real problem after a hacking event when trying to attribute the attack to someone or something.  Was it a hostile act by an opposing military power or was it a criminal act by some organized crime actor, or was it a terrorist act by a radical group, or was it just a random act of boredom by a “hacktivist” wasting time between Minecraft games?  Who knows?  It all looks the same.  This is a fundamental problem in determining what type of response is appropriate for any given attack.  I have no doubt the US has the capability to “smoke check” every single computer in North Korea….or even turn my own laptop into a time bomb fueled by a “Phaser Overload” in my lithium battery pack, but to what end? Is it our responsibility to be the “Net Police”? Is it DoD, DHS, FBI, FCC, Radio Shack???? I just don’t know (and apparently neither does any of our leadership).
  • All share in the risk.  Just look at the Target incident.  Even though I might have been a completely hygienic internet user with impeccable security habits, all I needed to do was buy a lightbulb from Target using a credit card and BINGO….I’m hacked!!  And think about the problem of someone else using your computer for whatever reason…all they need to do is click on one spam message and you are hacked.  In fact, it takes just one ne’er-do-well on your vastly secure network to plug in one thumb drive, and you are hacked.  You are at risk, even if you choose not to play the game.  This has huge implications.  BTW, do you all have the new credit cards with the chip that is supposed to enhance security?  You know, the one that doesn’t work in any of the credit card readers?????? As far as I can tell it’s still swipe, swipe, swipe your personal information away!!!!!!
  • Cyber-Health is nonexistent in the masses. Probably an overstatement, but the point is that even very well educated folks are constantly falling prey to all sorts of scams, phishing schemes and electronic theft.  Think about the little device that criminals stick to the ATM card slot that copies all your ATM card info. Or what about the scanners that can cue your smart phone to dump its address book (now we need metal card holders to prevent intrusion, a la the new Pentagon Badge Holders?).  So my contention is that the vast majority of internet “operators” pay about as much attention to cyber-hygiene as they do about the dangers of texting and driving…..Once again, it only takes one to spoil the whole barrel and there are plenty of rotten apples running around out there.

So there are just a few reasons why cyber-related problems are unlike any we have tackled before.  No great revelations here and sadly no solutions.  But I contend that to get to the solution, we must first understand the problem we are fixing. I don’t think we are anywhere near understanding the extent, nature or consequences of living in a world where everything is connected.  To my way of thinking, we have too much of a good thing and that can be a bad thing.  I am reminded of a discussion I once had with a prospective bridegroom when I was a marriage mentor.  We were talking about the special relationship between married couples….no secrets, everything open and above board…Then I remembered that sometimes openness and honesty may not always be the best policy when it comes to marriage….I made that mistake early on in our marriage…..I recall coming home just weeks into our wedded life and passing on the blueberry pie the lovely Mrs. Crenshaw had spent many hours preparing (after attending classes all day).  “Just so you know, I don’t like blueberry pie,” I said.  Some forty-two years later I regret that moment of honesty every day!!!!!!!!!!


Stealth works in the Budget Too!

First thing: Yesterday’s blog on Shared Services fell flat on the website with only a handful of hits.  I take it the world of Shared Services is not so hot on the list of “interesting” topics.  But there’s still a lot of money to be saved there.  In fact, I would contend that there’s a lot of money floating around in areas that most people don’t find so interesting.  It’s the uninteresting that ironically is the most interesting in terms of budget cutting.  They escape scrutiny during the year-to-year budget battles, floundering in cash. The big programs which matter act like a Black Hole, sucking up more and more money with less and less light escaping.  On the other side of the coin, the programs with marginal dollars become the darling of the Pentagon budget cutters.  It’s ooh so easy to cut a Billion or so from the commissary subsidy program, but try and take $10 Million from the JSF and the fan starts getting hit with “not-so-nice stuff.”  With leaders unwilling to take on the issues that really matter and foolishly focusing instead on the margins, I would suggest that they take a look at the “stealth” portions of the budget, those areas with relatively large dollars, but never targeted for cuts.  Forcing agencies into a shared service environment is one of those areas. (There, I said it and I promise never to write another word on Shared Services!).  When looking at these stealthy programs, there’s virtually no risk of offending a large defense corporation, a Congressman or Senator, or even another Service because they have no constituency.  When I did the budget for the Navy I used to think that out of the $130 Billion or so under my control, every Million had an evangelist waiting in the wings to mount the pulpit and extol the value of their million over the remaining 129,999 million.

How about the family of Defense Working Capital Funds (WCF) and Revolving Funds?  These funds exist in the shadows, out of public scrutiny, but with lots of dollars associated with them.  For those of you not familiar with working capital funds I suppose you could relate them to petty cash, or “Walking Around” money.  It’s the corpus of operating cash the Department uses to pay bills day-to-day.  Here’s a link to a short list of many of the DoD funds and what’s in them.  In simple terms, when Organization A provides a service or item to Organization B, it uses the WCF funds to pay their costs and they bill Organization B, using rates set at the beginning of the year.  A takes money from the WCF and B pays it back (at least in theory).  How much money is in these accounts you ask?  North of $100 Billion…..Yep, that’s correct…$100 Billion!!  That’s roughly 20 per cent of the budget.  One of the reasons there’s so much money in these funds is the requirement to carry 7-10 days of cash on-hand.  In this age of electronic accounting, ERPs and near-perfect connectivity I can’t for the life of me figure out why it has to be so much.  Most of these WCFs have their own accounting systems (Darn! I said I wasn’t going to mention Shared Services again).  To be fair, these funds are as close to being run like a commercial business as anything in DoD, and individually they are generally well managed.  But there’s not a lot of cross-talk, the rates don’t generally reflect the real costs of goods and services and they are sometimes used as a cash cow to buy just about anything.

So the next time you hear the DoD poobahs whining about the cost of  benefits, people, etc.,  why not ask them about the Working Capital Funds and what they are doing to trim them back.  I’ll bet you they will have to take that question for the record!  Not in their scan because it’s stealthy money, they don’t understand how it works and would rather slash the margins because of their inability to slash the big ticket items.


Cyber: Too Big Not To Fail

I admit that I am not much of a cyber-techie.  I do know a little about computers though. When Microsoft announced they were not supporting Windows XT a while back, I had a bit of a cyber-rebellion because I refuse to spend any more money on Microsoft Operating Systems, which I assume, much like the NSA, report your every keystroke and video back to some central repository for “troubleshooting.”  Right….But I instead elected to move to linux.  I’ve not noticed a degradation in what I can do, don’t have to worry about virus checkers and internet security programs that slow my system down….and all for FREE!  Sometimes the simpler solutions are the best.  I think we have so many problems with IT implementations and cyberattacks because they are so complicated and intricately interwoven that it is impossible for those who make decisions to understand what they are deciding.  Unlike my previous post on the JSF (Too Big to Fail), the cybersecurity and IT world is just the opposite: “Too Big Not to Fail!” It’s just too complicated and the consequences are too dire to trust decisions in the Information and Communications Technology (ICT) world.  (See, you are already behind, it’s no longer IT and Cyber, it’s ICT.) Come on, get with it!

I received a briefing yesterday on a report recently completed by the GSA and DoD entitled, “Improving Cybersecurity and Resilience through Acquisition.” It’s signed by Frank Kendall from DoD and Dan Tangherlini of GSA. I’ve read through it a few times and I swear I still can’t make heads or tails out of it, and I very much doubt that the signees did either. The report is about increasing the use of cybersecurity standards in Federal acquisitions. Keep in mind there are similar standards for National Security Systems, so I assume they are so unique that they need their own (there’s always an exception, isn’t there?). They make six recommendations in no particular order of priority:

  1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
  2. Address Cybersecurity in Relevant Training
  3. Develop Common Cybersecurity Definitions for Federal Acquisitions
  4. Institute a Federal Acquisition Cyber Risk Management Strategy
  5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers,  or Other “Trusted Sources” Whenever Available, in Appropriate Acquisitions
  6. Increase Government Accountability for Cyber Risk Management

I don’t know about you, but I don’t feel any better after reading them than before!  Heck, the wording is so complicated and full of Pentagon-speak I can’t figure out what they mean.  To be fair there are explanatory paragraphs, written in the same cyber-jargon that most decision makers in the Pentagon are not likely to understand. It’s fine for the techies to toss all those words around, but wouldn’t it be better if, when stuff like this is released to the public, it were in the Cybersecurity for Dummies format? At least have the techies who wrote it sign it.

This all flows from the Cyber Stone Tablet, “Framework for Improving Critical Infrastructure Cybersecurity,” done by NIST and released last week. Like most bureaucratic products it’s steeped in organization, tiers, overlays, constructs, phases and interrelated touch-points.  I dare you to understand it!  I’ve seen this before.  Remember the Office of Business Transformation?  They spent so much time developing papers and frameworks and touching those interrelated points that they forgot to do anything.  It was all about organization, not about doing.  I see this cyber mess going down the same path..lots of organization and logical interrelationships with countless coordination meetings between Governing Councils.

How would I do it?

  1. Put one person in charge: the Cyber Czar (even though we don’t like Putin very much)
  2. Listen to the techies, but not be controlled by them
  3. Get buy-in from top leadership that no one is exempt from our policies and regulations
  4. Stop admiring the problem and start doing visible, effective steps to fix the problem
  5. Insist that the Cyber Czar has the authority and the money to reward the stars and punish the evildoers. (nothing gets done without control of the money in this town)
  6. Make it mandatory for all!

I cringe when I see words like “this is a living document” and “Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation’s critical infrastructure.” We need action verbs and proper nouns in this framework.

Without those steps, the whole schmegegge will flop because it’s Too Big Not To Fail.


Federal Financial Shared Services

I attended the AGA Federal Shared Services Summit last week and came away thinking there is still a lot of work to do.  This is a case of “the spirit is willing but the body is weak.”  There is no doubt that agencies must move to a shared services model in order to make ends meet in the current fiscal environment, but the devil is in the details.  What is the motivation for agencies to become Shared Service Providers?  Is it the prospect of more money?  And why would an agency want to cede control of its financial system to another agency? I have experienced these questions in my not-for-profit life as we have tried to control “back office” costs.  It was ultimately a question of survival.  Without sharing back office functions, we would not survive.  In the case of a government agency, they will continue to survive, so where is the motivation to go to the shared services model?  I believe there need to be clear incentives for agencies to make the shift and I don’t see them…..at least not yet.
