Skip to content

June 2, 2012

June 4, 2012




USPS offers buyouts to 45,000 employees


By SEAN REILLY | Last Updated:May 25, 2012

The U.S. Postal Service is offering $15,000 buyouts to virtually all of its 45,000 career mail handlers, a spokesman said Friday.

The buyouts will be payable in two $7,500 installments — one in December and another in December 2013. With a few exceptions, all career employees covered by the Postal Service’s national agreement with the National Postal Mail Handlers Union are eligible, according to a bulletin on a Postal Service website.

Full-time workers wanting to sign up must do so by July 2 and agree to leave or retire by Aug. 31. Part-time career mail handlers are eligible on a pro-rated basis tied to the number of hours worked in the last year. Part-timers have until July 16 to make a decision, but also must be out the door by the end of August.

In a Friday phone interview, NPMHU President John Hegarty said he thought that at least several thousand would sign up overall.

“Obviously, we don’t want to lose members,” Hegarty said, “but we realize that with the downsizing the Postal Service is engaging in, that this might create landing spots for people who aren’t able to retire.”

The buyout is the largest since 1992 in terms of the number of employees eligible, he said.

Confirmation of the agreement with the mail handlers union came a week after USPS executives said they would proceed with the closing or consolidation of 48 mail processing plants this summer as the first step in a historic downsizing that will eventually shrink the plant network by half and eliminate 28,000 jobs. In a final rule published in Friday’s Federal Register, the agency said it is going ahead with changes to first-class mail delivery standards that will allow it to run the remaining plants more efficiently. Implementation will begin in July and continue into 2014.

At the American Postal Workers Union, which also represents some mail processing plant employees, spokeswoman Sally Davidow said Thursday that the Postal Service had so far not extended a formal buyout offer for its members. She could not immediately be reached for comment Friday.

The Postal Service spokesman, Mark Saunders, had no comment on that issue Friday. He also declined to say whether the Postal Service has a target for the number of employees it hopes will take the buyouts.

“It’s an important personal decision and we can’t speculate on how many people will take advantage,” he said.

The troubled mail carrier, which lost $6.5 billion in the first six months of fiscal 2012, is eager to cut costs by enticing workers to leave voluntarily. Earlier this month, the Postal Service offered $20,000 buyouts to some 21,000 postmasters under a separate plan to trim operating expenses at 13,000 post offices.

In 2009, the Postal Service extended $15,000 incentives to employees represented by the NPMHU and the postal workers union in hopes of encouraging some 30,000 to leave. In that case, the payments were split into $10,000 the first year and $5,000 the second. Among workers not eligible for this latest offer are those on probation, along with any who are transferring to another federal agency, according to the Postal Service.


China Official Says Country To Top U.S. Consumer Market By 2015


Kenneth Rapoza, Contributor

5/29/2012 @ 12:00AM

Forget what’s playing in Peoria and what people are reading on the Number 6 downtown.

It’s what’s playing in Shanghai and what the Lin family is reading on the high speed maglevs to Guangzhou that matter now.

The U.S. is fast being replaced by China as the world’s most important consumer market. That doesn’t mean each country has similar tastes. But broad appeal products like Coca Cola and Nike will find more consumers in China than in the U.S., and if one Chinese official is right, they might find that market better than their home one as early as 2015.

Commerce Minister Chen Deming said on Monday that China will become the world’s largest consumer market in three years. The volume of consumer retail sales will surpass $5 trillion by then amid an accelerated urbanization rate and rising incomes, Chen said at the opening ceremony of the first Beijing International Fair for Trade in Service.

Demand for home services, education and training, medical care, financing, technology and tourism is booming, he said. China currently ranks fourth in the world in terms of service trade volume, with $419.1 billion in 2011 compared with $66 billion in 2000.

This article is available online at:



Newly identified computer virus, used for spying, is 20 times size of Stuxnet

Washington Post

By Ellen Nakashima,

Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software that disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.

Variously dubbed Flame, Skywiper and Flamer, the new virus is the largest and possibly most complex piece of malware ever discovered, which suggests it is state-sponsored, researchers said.

It is loaded with functions, but so far none appear to be destructive, they said.

As with Stuxnet, the creator of Flame remains a mystery, though some analysts say they suspect Israel and the United States, given the virus’s sophistication, among other things.

Some researchers say that certain characteristics common to Stuxnet and Flame suggest that whoever ordered up Stuxnet is also behind Flame.

“It’s very likely it’s two teams working effectively on the same program but using two very different approaches,” said Roel Schouwenberg, a senior researcher with Kaspersky Labs, a Russian cybersecurity firm, which announced its analysis of Flame on Monday.

Still, much research remains to be done on the new virus, which has also been analyzed by CrySys, a cryptography and system security lab at the Budapest University of Technology and Economics.

Skywiper, as CrySys calls the virus, may have been active for as long as five to eight years. It uses five encryption methods, three compression techniques and at least five file formats. Its means of gathering intelligence include logging keyboard strokes, activating microphones to record conversations and taking screen shots, CrySys reported.

It is also the first identified virus that is able to use Bluetooth wireless technology to send and receive commands and data, Schouwenberg said.

One of the characteristics Stuxnet and Flame share is the ability to spread through computers that can share a printer on one network by exploiting a particular Windows vulnerability, Schouwenberg said. Flame is reminiscent of DuQu, a virus thought to be related to Stuxnet, in that its function is espionage.

“We would position Flame as a project running parallel to Stuxnet and DuQu,” Kaspersky Labs said in a blog post Monday.

Flame contains 20 megabytes of code. Though malware’s size is not per se a measure of sophistication, Schouwenberg said, in this case “its size shows that it’s taken a lot of time and work to create.”

So far Kaspersky, which has clients around the world, has identified Flame infections primarily in Iran, Israel and other Middle Eastern countries but none in Europe or North America. The infections have hit computers belonging to individuals, educational institutions and state- related organizations, Kaspersky said.

The virus’s creators seemed interested in general intelligence — e-mails, documents, even instant messages, Kaspersky said. But the lab has no evidence so far to document any data stolen.



DoD’s Next Crisis: Excess Inventory


May. 28, 2012 – 11:48AM |


Rows of mine-resistant ambush-protected vehicles are staged in the port yard of the Charleston, S.C., seaport prior to shipment to U.S. Central Command. (U.S. Army)

With billions of dollars in excess inventory stuffed in warehouses, and a flood of items expected to return from Afghanistan in the near future, the U.S. Defense Department is facing an inventory crisis without an easy way to eliminate extra items, a former director of the Defense Logistics Agency (DLA) said.

That could translate to yet another cost that Pentagon planners have failed to foresee, and one they’ll have to address as the department tries to cut expenses.

Keith Lippert, a retired U.S. Navy vice admiral who stepped down as DLA director in 2006, told an audience May 23 at the Defense Logistics and Materiel Readiness Summit in Alexandria, Va., that the inventory problem facing DoD is troubling given current fiscal pressures, and certain to get worse.

“There is a need to dispose of material,” he said. “We have to free up this warehouse space, and in terms of priorities of all the things that they do at DLA and the services … if there are 25 things that have to be done, disposal is probably number 26.”

The excess inventory is all-encompassing: parts and supplies for vehicles, gear, weapons — everything the U.S. military has needed over a decade of fighting two wars.

“You add to this everyone coming back from Afghanistan and Iraq, all the material coming in, it’s just going to compound the problem,” Lippert said.

Beyond the issue of priority, Lippert said, excess inventory is also a practical problem. Many of the items must either be sold for pennies on the dollar, marketed for a higher value through foreign military sales, or destroyed, simply because the U.S. lacks enough space to store all the items once they return from overseas. All three solutions require manpower that is already stretched thin trying to keep track of needed parts in warehouses with too many items.


Lack of Metrics

Recognizing its growing stockpiles that include more than $9 billion of excess in an inventory valued at roughly $100 billion, according 2010 figures released by DoD, the department launched the Comprehensive Inventory Management Program in to 2010.

A Government Accountability Office report on the program, released in May, found that DoD has likely avoided $1 billion in cost, but that a lack of metrics could seriously harm its efforts to cut inventory.

“As part of the plan, DoD is developing metrics to assess the effectiveness and efficiency of its inventory management, but it has not determined if it will incorporate these metrics into guidance,” the report said. “This may hamper its ability to assess inventory management performance and sustain management attention on improvement.”

The report, however, did cite the systemic inventory issues that have plagued the Pentagon for years.

“Since 1990, we have identified DoD supply chain management as a high-risk area due in part to ineffective and inefficient inventory management practices and procedures, weaknesses in accurately forecasting the demand for spare parts, and challenges in achieving widespread implementation of key technologies aimed at improving asset visibility,” it said. “These factors have contributed to the accumulation of billions of dollars in spare parts that are excess to current requirements.”

Concerned about the pace at which the DoD is eliminating inventory, Lippert, who is the chief strategy officer at Accenture National Security Services, said that without action, the Pentagon will be overwhelmed.

“All the reduction that may happen will be offset because here comes this other stuff,” he said. “And if you think disposal is a challenge now, just wait till all this comes back, because inventory is going to grow and it’s going to become a bigger challenge.”

Although the GAO report points to concerns about DoD’s ability to reduce its existing stockpiles, Lippert said that stronger action, possibly in the form of congressional hearings, is likely needed to cause real change.


“It’s probably going to take some kind of burning platform to get everyone’s attention other than a new GAO report,” he said.


Analyzing Data

Part of what has made the process so difficult has been the lack of data on inventory, but that has changed in recent years, experts said.

“There’s a lot of data that’s being generated, automated data,” said Col. Edward Mays, assistant commander for acquisition, logistics and product support at Marine Corps Systems Command. “It exists, but we haven’t had the time to think about how to use it.”

Now, with usable data, the armed forces are starting to use statistical analysis to more intelligently manage inventory and service schedules, although on only a small scale.

Mays leads a small group at his command that is attempting to find inefficiencies and savings. In the year it has been operating, the group identified nearly $50 million in mine-resistant ambush-protected vehicle servicing and parts savings, among other areas.

The emphasis on analysis comes as the focus on war fighting begins to decline and fiscal restraint enters regular parlance.

“We supported the war fighter, but many things fell to the side,” Mays said. “As we went off to war, we haven’t really thought much about policy. We’ve been running really hard, we’ve been doing a lot of things, but we haven’t thought about policy.”

Mays said that his work is being considered by the chain of command, but that the magnitude of the problem makes solutions difficult to implement. The use of the statistical analysis that and others are doing can be a boon in the new age of efficiency, Lippert said.

“There’s no doubt in my mind that there are all kinds of savings here,” he said.


Senate Authorizers Agree to Axe Global Hawk Block 30s

Air Force Magazine


The Senate Armed Services Committee last week became the first congressional defense oversight panel thus far to agree to the Air Force’s proposal to retire the RQ-4 Global Hawk Block 30 remotely piloted aircraft fleet next fiscal year. The committee’s mark-up of the Pentagon’s Fiscal 2013 budget request “upholds the termination” of the Global Hawk Block 30s, according to the SASC’s May 24 release highlighting the panel’s changes to the budget request. The committee said it would apply unexpended funds appropriated for these aircraft in Fiscal 2011 and Fiscal 2012—some $545 million—”to pay for priorities” in next fiscal year’s budget. The Air Force proposed divesting the Block 30s since it wants to continue operating its manned U-2 reconnaissance aircraft for longer. The House’s version of next fiscal year’s defense authorization bill would keep these Global Hawks in service. House defense appropriators also blocked the Air Force from retiring the Block 30s next fiscal year.


UK researchers discover backdoor in American military chip


By Dawn Lim

May 29, 2012

11:24 AM ET

U.K.-based security researchers have found a backdoor that was “deliberately” inserted into an American military chip to help attackers gain unauthorized access and reprogram its memory, according to a draft research paper.

Sergei Skorobogatov, a researcher at Cambridge University, discovered that a military-grade silicon device made by California-based Microsemi Corp., the ProASIC3 A3P250, contained a glitch that would allow individuals to remotely tweak its functions. “This permits a new and disturbing possibility of a large scale Stuxnet-type attack via a network or the Internet on the silicon itself,” the paper suggests. The Stuxnet worm, discovered in 2010, targets industrial systems.

Skorobogatov, collaborating with a researcher at U.K.-based Quo Vadis Labs, which researches sensor technology, found “proof that the backdoor was deliberately inserted and even used as a part of the overall security scheme.” The duo did not disclose details, citing a “confidentiality agreement.”

The backdoor is “close to impossible to fix on chips already deployed” because software patches can’t fix the bugs. The security holes can only be removed by removing all such chips installed in systems, the duo noted.

Microsemi’s aggregate net sales to defense and security users represented approximately 29 percent of total net sales in 2012, according to its most recent quarterly regulatory filing. The device in question is “heavily marketed to the military and industry,” the draft report states.

A Microsemi spokesperson did not respond to a request for comment.

The research duo’s full findings will be presented at a conference in Belgium in September, Skorobogatov said in an email to Nextgov.


Analysis: Cyberwarriors face a hard truth

By John Grady

May 25, 2012

A $200 million budget increase wouldn’t have seemed like much in the thousands of Defense Department line items a few years back. But with long-term cuts totaling $487 billion over the next 10 years, the denizens of cybersecurity would gladly count their blessings with $3.4 billion to spend in fiscal 2013. They are living in a world of fiscal fact, not science fiction.

The capabilities of cyber are fast approaching what until recently seemed possible only in a sci-fi thriller. Cyber technology “will become both a standalone warfighting instrument with global reach, and it will also be a ubiquitous enabler of the joint force,” Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, said at a recent Joint Warfighting Conference in Virginia Beach, Va. “It will be both part of the 20 percent [of the military complex] that’s new and part of what allows the other 80 percent of the force to be used differently.”

The possibilities and the vulnerabilities of cyberwarfare repeatedly came to the surface during the three-day military conference.

Marine Corps Lt. Gen. George Flynn, director of force development on the Joint Staff, sized up the drawbacks of the high-tech battlefield. “The first risk would be if we don’t have the ability to communicate amongst ourselves” after the network fails in a cyberattack, he said. “The second risk is if our partners are not able to join the network. Another risk is that our pursuit of advanced technology proves to be unaffordable.”

Take the F-35 Joint Strike Fighter for example, priced at more than $200 million per aircraft. “We built the F-35 with absolutely no protection for it from a cyber standpoint,” said retired Marine Corps Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff. Even if cyber defenses were built into the aircraft over the course of its 30 years in the inventory, someone, somewhere would be able to break its code. “Every aperture out there is a target,” he said.

According to Royal Navy Vice Adm. C.A. Johnstone-Burt, chief of staff for NATO’s Allied Command Transformation, future warfare will involve more partners — not fewer — including nongovernmental organizations. Keeping those partners technologically in step, especially the military, will be increasingly important.

But marching together in the same direction is difficult, even within the U.S. military. The services’ “silos of excellence,” as Army cybersecurity director Maj. Gen Steven Smith put it, prevent everyone from viewing the battle space in the same way with the same understanding.

Army Maj. Gen. Mark Bowman, director of command, control, communications and computers on the Joint Staff, acknowledged the challenge. “We are pushing for all the services working together [with] shared infrastructure and shared situational awareness and a single security architecture,” he said. It starts with enterprise email, Bowman explained, a seemingly small step aimed at building a joint information environment, a huge leap.

But what happens when the network and Global Positioning System tools are taken out by jamming or some other form of attack? The risks run high in what Dempsey called the degraded environments of military wargaming. “GPS is terrific when it’s working,” he said. “But if it gets jammed, we have to be ready to continue the mission.” That means training officers and enlisted members what to do in those circumstances.

“We do not fully understand the power of the network” in military operations or installing it in the curriculum of the services’ training base,” said Lt. Gen. Keith Walker, deputy commanding general at the Army’s Training and Doctrine Command. Top brass at the conference compared the challenge of educating today’s officers in cyberwarfare to educating yesterday’s officers to deploy air power effectively. “We have to put some brainpower to it,” said Air Force Maj. Gen. Thomas Andersen, director of the Curtis E. LeMay Center for Doctrine Development and Education, adding that the key is determining “what we can control and what we can’t control.”

Preparing for cyberwarfare and thinking through the second and third order of effects “is as much a matter of leadership and training as it is engineering,” Dempsey said, noting that such knowledge is crucial for commanders at the brigade level. Cyber rules of engagement were last updated in 2005.

Cybersecurity is larger than the military. It includes figuring out what kind of cyber capability is needed to defend the nation’s financial institutions, law enforcement, homeland security, electric grid and other utilities. “We’ve got to develop capabilities now and work out the authorization policy later,” said Lt. Gen. Richard Mills, the Marine Corps’ deputy commandant for combat development and integration, noting that cyber should be considered a weapon inside the command-and-control system.

Flynn agreed, saying cyber is a new domain in warfare, which makes the homeland a part of the battle space. “Space and cyber now join sea, air and land as contested space,” he said.

One small budget boost for cyberwarfare; one giant challenge for reinventing the rules of engagement.

Feds don’t always see mobile as cost saver

By Camille Tuutti

May 25, 2012

New research exploring what effect mobile technology has on the productivity and operations of federal agencies confirms that many believe a move to mobile would boost productivity and save money in the long run.

The findings from a survey of 300 federal managers come just a day after the White House announced its new mobile strategy to make government services available on mobile devices.

“Americans deserve a government that works for them anytime, anywhere, and on any device,” President Barack Obama said in announcing the directive that requires agencies to pick two services citizens depend on and make them available on mobile phones within the next 12 months.

Market Connections conducted the survey, commissioned by AOL Government. It showed that 75 percent said mobile technology will make it easier to complete work off-site, bumping up productivity and cost savings. An overwhelming number (82 percent) said mobile technology would make it easier to telework. Nearly 70 percent also think providing immediate access to agency data through mobile devices helps decision making.

Most respondents said the greater cost-savings from a move to mobile will come from lower real estate costs (57 percent); reduced net computer hardware costs (49 percent); lower software licensing costs (42 percent); and lower help- desk costs (35 percent). Respondents said an overall shift to mobile could save as much as 29 percent per year over time.

But mobile doesn’t always bring savings, some respondents pointed out. A transition to mobile technology would likely hike up spending for wireless and carrier subscriptions. Nearly 70 percent also anticipate a higher spend for adding mobile devices, and 62 percent foresee additional costs for security for mobile devices.

With the backdrop of the newly rolled-out strategy for a digital government, 44 percent said they need more guidance or roadmaps from federal IT leaders on how to best proceed with mobile technology. More than 40 percent said they would like to see better acquisition processes to buy mobile technology.

The survey polled 300 federal managers who work with establishing polices, initiatives, buying or developing systems that involve mobile technology.


Senate version of defense bill tackles cyber workforce, procurement

May 25, 2012

The Senate Armed Services Committee has approved its version of the National Defense Authorization Act, giving the green light for the bill to head to the upper chamber’s floor sometime in June or July. At $631 billion, the budget includes $3 billion more than President Obama’s original request.

It does not account for the potentially forthcoming sequestration process that would slash spending across the government and hit the Defense Department particularly hard – a scenario Defense Secretary Leon Panetta has deemed “catastrophic.” However, the bill does include a provision that DOD leadership must produce a contingency plan for the potentially dramatic budget cuts.

The bill includes a number of mandates intended to cut down on duplicative programs and efforts and to increase oversight, and continues to fund anti-terror projects, a range of support programs to Afghanistan, and some plans for technology innovation, including $200 million for high-tech research and development.

Here’s a brief rundown of some of the Senate bill’s highlights:


  • Recruiting young people with computer skills to be developed into cyber expertise for military service and careers.
  • Identifying a DOD component to oversee a cyber testing and evaluation range, including its funding, infrastructure and personnel.
  • Requirements for consolidating networks to improve security and management and to free up personnel for an understaffed U.S. Cyber Command.
  • Improvement of security, quality and competition in the acquisition of DOD software.
  • Development of next-generation host-based cybersecurity tools and capabilities.


  • Prohibits the use of cost-type contracts for the production of major weapon systems, with few limited exceptions.
  • Restrictions on “pass-through” contracts and orders that at least half of work on any service contract be performed by the prime contractor or by a subcontractor noted in the contract agreement.
  • Cap on DOD-reimbursed contractor pay decreased from $750,000 to $237,000.
  • Review and revising of guidelines on contractor performance and profits.
  • Whistleblower protection for anyone reporting waste, fraud, and abuse on DOD contracts.


  • More than $6 billion in programs in Afghanistan, including support to Afghan security forces, infrastructure and humanitarian aid.
  • $1.5 billion to the Joint Improvised Explosive Device Defeat Organization.
  • $160 million for U.S. Special Operations Command intelligence, surveillance and reconnaissance tools
  • $600 million for the Joint Tactical Radio System, with the provision that funding is withheld until the Army furnishes an approved acquisition strategy for full and open competition.
  • $3.9 billion in advanced funding for block buys of Air Force satellites 5 and 6 over the next six years.
  • Integration of satellite and ground systems.
  • $50 million for ISR for central African forces to defeat Joseph Kony and the Lord’s Resistance Army.

Internal affairs

  • $59 million toward DOD Inspector General oversight and authorities aimed at rooting out waste, fraud and abuse.
  • Codification of Panetta’s stated goals of DOD becoming audit-ready.
  • Full review by the Under Secretary of Defense for Personnel and Readiness of the strategic workforce plan.
  • Full inventory by the DOD CIO of department software licenses and determination of potentially duplicate or overlapping agreements.
  • Flexibility in hiring of personnel at the Defense Advanced Research Projects Agency.
  • Establishment of social media standards.
  • Veto on further rounds of Base Realignment and Closure Act plans.



Feds are less satisfied with their pay, survey finds

By Amanda Palleschi

May 29, 2012


Federal workers were less satisfied with their pay in 2011 than in 2010, according to the Partnership for Public Service’s annual Best Places to Work survey released Tuesday.

The nonprofit concluded that the dip in employee satisfaction with pay, down 6.1 percent from its 2010 survey to 59.1 points out of 100, is “likely reflecting the two-year freeze on comparability pay increase imposed by Congress in December 2010, and the concern that additional cutbacks might be in the offing.”

The Partnership based its analysis on data from a 2011 Office of Personnel Management survey. The governmentwide survey found that pay ranked third after commitment of an agency’s senior leaders and the belief that employees’ skill sets were suited to their agency’s mission in driving overall job satisfaction.

“Federal employees weigh the totality of their job experience, and if they admire the agency leaders, get along with their supervisor and feel their talents are being used well toward a compelling mission, they may remain engaged and motivated even if they are dissatisfied with pay,” the Partnership said in a statement.

The Federal Deposit Insurance Corporation was ranked the best place to work in this year’s survey, and it also had the highest pay satisfaction. It scored nine points higher than the Nuclear Regulatory Commission, which came in second place after being ranked first the past three years. The partnership noted FDIC was not affected by the federal pay freeze and is able to offer higher pay.

The Transportation Security Administration’s results were “most troubling,” according to the report, registering the lowest score of any agency included in the Best Places to Work rankings. Only 35.8 percent of TSA employees were satisfied with their pay.


At the Labor Department, the survey found additional “potential red flags for management,” noting pay was a “key driver” for the Mine Safety and Health Administration, the Employee Benefits Security Administration, and the Occupational Safety and Health Administration; satisfaction with pay dropped at all those subcomponents of Labor by more than 15 percent.

The Partnership’s study also found that the gap between pay for men and women in the federal workforce was smaller than for the workforce in general. According to the survey’s results, there was no gap in how men and women in the federal workforce viewed the issue of pay, and only a “negligible gap” between older and younger employees.

White employees, however, tended to be more satisfied with their salaries than minority groups, including black, Asian, American Indian and multiracial workers.

An unrelated survey of Senior Executive Service members released Friday found declining satisfaction with pay among top feds as well.



Google Apps Clears Key Security Hurdle

Google Apps for Business wins ISO 27001 certification, potentially opening the door to wider adoption in government and regulated industries.

By Thomas Claburn, InformationWeek
May 29, 2012

Google said Monday it had received ISO 27001 certification for Google Apps for Business, a recognition of its information security practices that will make its cloud services more palatable for use in government and other regulated industries.

Back in 2007, when Google first introduced a version of Google Apps for Business–under the name “Google Apps Premiere Edition”–worries about security made many companies reluctant to migrate from on-premises IT to cloud computing.

Since then, Google has addressed those concerns, where warranted, through features like the integration of Postini’s enterprise message services, support for two-factor authentication, and the launch of FISMA-certified Google Apps for Government.

Eran Feigenbaum, director of security for Google’s enterprise group, says that security is now a reason that organizations are adopting Google Apps rather avoiding it.

“The reason for this shift is that businesses are beginning to realize that companies like Google can invest in security at a scale that’s difficult for many businesses to achieve on their own,” he said in a blog post.

In the past five years, Google has managed to convince a number of high-profile businesses and government agencies to utilize its cloud services. It’s been a long haul, but cloud computing is no longer exotic. With plenty of companies committed to cloud computing and Microsoft pitching Office 365, businesses considering a move to the cloud no longer have to play the role of pioneer. They can look to their peers for examples of the benefits and potential pitfalls.

Google’s ISO 27001 certification, granted by Ernst & Young CertifyPoint, further cements the legitimacy of Google Apps as a business tool. The certification requires that management carefully examine organizational security risks, designs and deploys reasonable security controls to address those risks, and adopts a management process to maintain organizational security controls.

“This certification validates what I already knew, through due diligence, about Google Apps–that the technology, process, and infrastructure offers good security and protection for the data that I store in Google Apps,” said Chet Loveland, CISO and global compliance office of MeadWestvaco, in a statement.

Google Apps for Government is FISMA certified and a number of Google services have passed SSAE 16 / ISAE 3402 / SAS 70 audits. These include: Gmail, Google Talk, Google Calendar, Google Docs (documents, spreadsheets, presentations), Google Sites, iGoogle, Control Panel (CPanel), Google App Engine, Google Apps Script, Google Storage for Developers, and Google Postini Services (Google Message Security and Google Message Discovery).

UN Warns Member Countries of ‘Flame’ Cyber-Spying Malware


By: Brian Prince



A United Nations technology agency is issuing an alert for countries to be on the lookout for cyber-espionage malware known as Flame, which has hit computer systems in the Middle East heavily, according to Reuters.

The United Nations’ International Telecommunication Union is issuing a warning for nations to be on guard for the newly identified Flame malware, according to a report.

“This is the most serious [cyber] warning we have ever put out,” Marco Obiso, cyber-security coordinator for the U.N.’s Geneva-based International Telecommunications Union, told Reuters.

Also known as Skywiper and Flamer, the malware has been discovered on systems in the Middle East, and has hit Iran the hardest. The discovery prompted Iran’s National Computer Emergency Response Team to issue an alert stating the malware was tied to multiple incidents of “mass data loss” in the country’s computer networks.

Thought to be a tool for cyber-espionage, security researchers say the malware has been traced back to at least 2010, with experts at the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics stating it may have been operational for five years or more.

According to Kaspersky Lab, Flame is a backdoor Trojan with worm-like features that allow it to propagate itself on local networks and removable media. When a system is infected, the malware is capable of a number of operations, including taking screenshots, recording audio conversations and intercepting network traffic.

“Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators,” Alexander Gostev, head of Kaspersky Lab’s Global Research and Analysis team, blogged May 28.

“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyber-war and cyber-espionage.”

When all of its modules are installed, the malware takes up 20 MB in data storage. It also contains code written in Lua, a programming language uncommon in the cyber underworld.

“Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code,” Gostev explained. “Many parts of Flame have high order logic written in LUA—with effective attack subroutines and libraries compiled from C++…usage of LUA in malware is uncommon.”

According to Symantec’s Security Response team, the modular nature of the malware suggests its developers created it with the goal of maintaining the project over a long period of time—most likely along with a different set of individuals using the malware.

“The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date,” according to Symantec. “As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.”

According to Gostev, there does not appear to be any overarching theme in regards to targets, indicating that Flame may have been designed for more general cyber-espionage purposes. He speculated that Flame was developed separately from Duqu and Stuxnet and noted that Flame’s developers did not use the Tilded platform used for Duqu and Stuxnet. However, he noted that Flame makes use of the same print spooler vulnerability exploited by Stuxnet. It also abuses AutoRun, just like Stuxnet.

“Currently there are three known classes of players who develop malware and spyware: hacktivists, cyber-criminals and nation states,” Gostev noted. “Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cyber-criminals and hacktivists, we come to the conclusion that it most likely belongs to the third group…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

To perform a quick manual check for Flame, users can search for the file ~DEB93D.tmp. If it is present, the computer either is or has been infected with flame, Gostev blogged today. Also, users can check the registry key HKLM_SYSTEM\CurrentControlSet\Control\Lsa\ Authentication Packages. If mssecmgr.ocx or authpack.ocx is present, this is another indication the computer is infected, he added.


Was flame virus that invaded Iran’s computer networks made in USA?

By Robert Windrem

NBC News


As the United Nations and Iran warn that the newly discovered flame computer virus may be the most potent weapon of its kind, U.S. computer security experts tell NBC News that the virus bears the hallmarks of a U.S. cyber espionage operation, specifically that of the super-secret National Security Agency.

The flame virus, which is intended to gather intelligence — not destroy equipment or data, as was the case with the notorious Stuxnet virus — is too sophisticated to be the work of another country, said one U.S. official, speaking on condition of anonymity. “It was U.S.,” said the official, who acknowledged having no first-hand knowledge of how the virus operates or was introduced into the Iranian computers.

The U.S. was also believed to have a hand in the creation and insertion of the Stuxnet virus, which targeted Iran’s uranium-enriching centrifuges.

The newly discovered flame virus essentially “colonizes” the targeted computers, giving hackers control over critical data stored on them, according to cybersecurity experts who spoke with NBC News.

U.S. intelligence officials declined to discuss the virus. “We have no comment,” said one. Israeli officials, suspected in previous attacks, denied involvement.

The virus was first discovered and announced over the weekend by a Russian cybersecurity organization after reports of massive data losses in Iranian government computers. Kaspersky Lab told Reuters it found the flame infection after the International Telecommunications Union asked it to investigate. By some accounts, the virus has been operating in the wild for as long as five years.

“This is the most serious (cyber) warning we have ever put out,” Marco Obiso, cybersecurity coordinator for the U.N.’s Geneva-based ITU, told Reuters on Tuesday, referring to a bulletin about the virus expected to be issued in the next few days.

The confidential warning will tell member nations that the flame virus is a dangerous espionage tool that could potentially be used to attack critical infrastructure, Obiso said.

Other experts said the virus appears to be a different type of invader than Stuxnet.

“From reading press reports, this appears to be penetrating networks to surveil, as opposed to destroy, as was the case with Stuxnet,” said Michael Leiter, former director of the National Counter Terrorism Center and now an NBC News analyst. “Such computer network operations are core components of what our and other intelligence services do day in and day out.

“Our intelligence services know that any weakness in an information system can mean the entire system is vulnerable. This makes defense very, very hard. Network defenses must work reliably and in real time across the entire network to defend against persistent intruders.”

Iran’s cybersecurity officials seem to agree. The New York Times reported Iran’s Computer Emergency Response Team Coordination Center issued a warning Tuesday, saying, “This malware is a platform which is capable of receiving and installing various modules for different goals.”

If this is indeed a U.S. cyberwarfare operation, said computer security expert Roger Cressey, the target is likely to be Iran’s nuclear program and its decision-making apparatus.

“Whoever has developed this is engaged in very sophisticated intelligence gathering on computer networks throughout the region. Clearly, Iran is a top priority for this program,” said Cressey, former chief of staff of the President’s Critical Infrastructure Protection Board under George W. Bush and now an NBC News analyst.


Two years ago, the U.S. and Israel were suspected of inserting the Stuxnet virus into the Iranian centrifuge center at Natanz. When the control software was corrupted, the motors that control the uranium centrifuge operations didn’t operate correctly, wobbling instead of spinning the way they’re supposed to, U.S. officials say.

Iran’s President Mahmoud Ahmadinejad has said that the work of Kaspersky Labs helped Iran uncover the infection and remove it from the centrifuge control program. Cybersecurity officials have told NBC News that the infection, while heavily publicized, was not as effective in disrupting Iran’s nuclear program as has been portrayed in some media accounts.

But Stuxnet is an example, said one U.S. official, of how those aiming to slow the Iranian nuclear program, which the U.S. says is aimed at producing nuclear weaponry, can have an effect similar to that of economic sanctions. The Iran program keeps making progress, he said, but never quite gets there.

Other U.S. officials said that the viruses not only affect the targeted program; they also make Iranian officials “paranoid.” Additionally, countering the attacks diverts valuable assets and resources from the core mission, they said.

While the flame virus appears to be aimed more at gathering intelligence on the Iranian program, it, too, aims to make the Iranians paranoid, the officials said. It does so by making them wonder about security and by raising questions about whether the enemy knows the intricacies of Iranian decision making, not just on the nuclear program but on a host of other issues important to the U.S. and the West, they said.


Robert Windrem is a senior investigative producer for NBC News; Chief Foreign Correspondent Richard Engel contributed to this report.



Fracking Boom Spurs Environmental Audit

Researchers struggle to understand the health implications of the technique that is unlocking new nature gas reserves

Tuesday, May 29, 2012 | 7

Scientific American

By Helen Thompson of Nature magazine


For Ohio, a Midwestern state hit hard by recession, the promise of an energy boom driven by hydraulic fracturing, or `fracking’, would seem to be a sure route to financial health. Far less certain is whether the technique has an impact on human health. Fracking uses high-pressure fluids to fracture shale formations deep below ground, releasing the natural gas trapped within. With the number of gas wells in Ohio that use fracking set to mushroom from 77 to more than 2,300 in the next three years, the state is the latest to try to regulate a rapidly growing industry while grappling with a serious knowledge gap. No one knows what substances — and at what levels — people near the gas fields are exposed to in the air and water, and what, if any, health threat they might pose.

In a nod to those concerns, Ohio’s legislature passed a bill on 24 May, awaiting signing by the state governor as Nature went to press, that requires companies to disclose the chemicals they use during the fracking process and during the construction and servicing of the wells. However, the bill does not compel companies to divulge a complete list of the ingredients in their fracking fluid before it is pumped underground. Some of those ingredients are deemed trade secrets, a position that troubles environmental groups and increases the problem for researchers trying to understand the risks.

“There is a real lack of data,” says John Balbus, senior adviser on public health at the National Institute of Environmental Health Sciences in Bethesda, Maryland, who spoke at a workshop organized by the Institute of Medicine in Washington DC last month to discuss research strategies for studying the health impacts of gas extraction. “There’s a lot of variability from region to region, in the kinds of mixtures that need to be used for the specific geology.”

Fracking fluids are primarily water and sand, but they also contain chemical additives that aid the horizontal fracturing of shale and the release of natural gas. Some components, such as citric acid and coffee grounds, are benign, whereas others, such as benzene or toluene, could cause chronic health problems at certain doses. Waste water — fracking fluid mixed with groundwater containing high levels of brine and traces of natural radioactive elements — comes back to the surface during the drilling process.

“The big threats to public health are in wastewater pits and storage and also during transportation when you are trucking around contaminated water,” says Deborah Swackhamer, an environmental chemist at the University of Minnesota in St Paul. “You can have spills or leaks or flooding.”

With uneasiness growing about the increasing scale of fracking in the United States, the pressure on companies to be more forthcoming is growing. The Ohio bill would allow a doctor to request proprietary information about fracking fluid when treating a patient who shows signs of exposure to a toxic chemical that might have come from a gas well — but doctors must keep what they learn confidential. An amendment to the bill supported by the Ohio State Medical Association would allow doctors to break the confidentiality rule when professional ethics demands it.

“The end result of any legislation should not impact a physician’s ability to care for his/her patients,” wrote Timothy Maglione, senior director of government relations for the medical association, in a letter to the legislature dated 22 May.

A tougher national disclosure requirement is in the works. Earlier this month the US Bureau of Land Management released a draft version of its rules for fracking operations on federal and Indian lands. Like the Ohio bill, the rules allow companies to withhold trade secrets, but they also put the burden on the firms to convince the bureau that a trade-secret claim is valid. Environmental groups say that even these rules don’t go far enough.

“There is no one chemical-disclosure provision out there that gives the public enough information to know if they’re being exposed to something through natural-gas drilling,” says Thom Cmar, a Chicago-based attorney with the Natural Resources Defense Council in New York City.

Testing the air and water near fracking operations could give a clearer indication of human exposures (see `Riches, at a price’). A survey by the US Environmental Protection Agency (EPA) will include case studies in five states where fracking occurs. The studies will draw from existing water, air and soil data; test waste water; analyze well design and construction; and conduct toxicity tests. At two sites, the agency will compare pre-drilling testing to post-drilling testing. The study, now a year old, will run into 2014, but initial results are expected by the end of this year.

But even after the environmental data from the EPA roll in, there will still be a dearth of information on effects on human health. “There really is nothing out there in terms of well designed epidemiological studies,” says Madelon Finkel, an epidemiologist at the Weill Cornell Medical College in New York City.

At last month’s meeting in Washington, researchers from the Geisinger Health System, which includes hospitals, clinics and community practices in central and northeastern Pennsylvania, announced a plan to use their own 10-year database of electronic health records to map health trends before and during drilling. The database includes more than 2.6 million residents in a region that has some of the highest concentrations of fracking wells in the United States. “We can at least get a surveillance-level snapshot of what some of the health trends might be,” says David Carey, director of Geisinger’s Weis Center for Research in Danville, Pennsylvania.

Other researchers hope to tap Geisinger’s records for joint projects. Brian Schwartz, an epidemiologist at Johns Hopkins University in Baltimore, Maryland, wants to mine them for multiple health indicators, including trends in asthma cases, which can serve as a bellwether for air quality. His team will overlay these data with computer models for environmental air quality based on EPA monitoring data, which will provide a picture of whether air quality around wells has changed as fracking in the region has intensified and how, where and when pollutants could be affecting asthma patients.

Robert Oswald, a pharmacologist at Cornell’s College of Veterinary Medicine in Ithaca, New York, is taking a different tack: using animal-health reports as proxies for humans. When farmers split their herds between pastures close to and distant from fracking activity, they create inadvertent experimental and control groups. “They’re sentinels for human health,” says Oswald. “If you want to look at reproductive problems, you might be hard pressed to find 100 pregnant women living near a wastewater impoundment pond, but we can probably find 100 pregnant cows.”

His case survey, published in January (R. Oswald and M. Bamberger New Solutions 22, 51-77; 2012), finds two instances of correlation between gas-drilling activity and mortality rates in livestock, but there are several caveats, including small sample size, the fact that the individual cases were all reported by different people, and the fact that toxic sources unrelated to fracking could explain the pattern.

Conducting controlled studies among people will be slow and costly. But Finkel warns that questions about the long-term effects of the fracking boom are too urgent to ignore. “We don’t know the impact on human health,” she says, “and living in blissful ignorance isn’t a solution.”


Bankrupt wireless firm LightSquared cuts employees, but not lobbyists

The Hill

By Brendan Sasso and Kevin Bogardus – 05/30/12 05:00 AM ET


Wireless startup LightSquared has laid off nearly half of its workforce and filed for bankruptcy, but isn’t parting with its extensive network of Washington lobbyists.

Philip Falcone and his investment firm, Harbinger Capital Partners, invested billions of dollars in LightSquared’s plan to build a high-speed wireless network that would have served more than 260 million people, but federal regulators denied it permission to launch in February over concerns that it would interfere with GPS devices.

LightSquared assembled an impressive roster of K Street names to push for the network. Last quarter, at least 14 different firms lobbied for LightSquared, according to disclosure forms.

The company spent more than $2.8 million on lobbying in 2011, according to records, roughly quadrupling 2010’s total of nearly $700,000.

But the lobbying offensive wasn’t enough to get LightSquared’s network proposal past regulators. The company announced plans in February to lay off nearly half of its 330 employees, and filed for bankruptcy in May.

Despite the financial troubles and staff cutbacks, LightSquared has yet to disband its lobbying army — an implicit acknowledgment that the company’s future is contingent upon what happens in Washington.

John Scofield of Shockey Scofield Solutions said his firm would still be lobbying for LightSquared.

“We are proud to be part of the LightSquared team and look forward to helping them successfully navigate the regulatory and political process to deploy its nationwide broadband network,” Scofield said. “LightSquared’s voluntary Chapter 11 filing was necessary to preserve the value of LightSquared’s business and to enable continued operations. We have not and will not let up and expect to be successful in the end.”

LightSquared is still looking for ways to salvage its network. When it filed for bankruptcy, the company released a statement saying the move was intended to give it “breathing room” from creditors to continue working on ways to launch its 4G network.


The company has suggested technical fixes could solve the GPS interference problem, and floated the idea of switching to new wireless frequencies farther away from those used by GPS devices.

A source close to LightSquared said the company needs to keep up its K Street spending to fight GPS companies that have been lobbying against their network. GPS companies including Trimble and John Deere have formed their own group, the Coalition to Save our GPS, to urge regulators and lawmakers to block LightSquared.

“If they lay down and quit, there’s no telling what may happen,” the source said.

The source said that the company’s lobbying efforts have “basically not changed” since the bankruptcy filing. The source has seen “no evidence of mass terminations or cutting back” on advocacy spending, and predicted that the company won’t significantly scale back on lobbying until it makes it through the bankruptcy process.

Nonetheless, LightSquared has canceled lobbying contracts with at least two firms, the Podesta Group and Ballard Spahr, according to termination reports filed last quarter. Podesta reported ending work for LightSquared on March 3, while Ballard Spahr reported ending work on Feb. 29.

The startup also cut off its contract with public-relations powerhouse Burson-Marsteller.

Several lobbying firms did not return requests for comment when contacted for this piece.

Other lobbyists, including former Rep. Jim Walsh (R-N.Y.) of K&L Gates and former Rep. Bob Walker (R-Pa.) of Wexler & Walker Public Policy Associates, referred questions to LightSquared when asked about their firms’ representation of the company.

LightSquared declined to comment.

Some Republicans have questioned whether LightSquared’s dozens of lobbyists inappropriately influenced the White House and the Federal Communications Commission (FCC).

Sen. Chuck Grassley (R-Iowa) held up President Obama’s two nominees to the FCC for four months in a bid to force the agency to turn over its internal documents on the company.

In a speech on the Senate floor last week, Grassley accused the FCC of not taking the GPS interference problem seriously until late in the review process.

“It seems strange that a project that was so obviously flawed was allowed to go so far, but LightSquared had help,” Grassley said, pointing to the lobbyists.

House Republicans have launched their own investigation into the FCC’s review of the company.

In its bankruptcy filing, LightSquared listed the holders of its 20 largest unsecured claims. That list included Boeing, to which it owes $7.5 million, and Alcatel-Lucent, which it owes $7.3 million.

Also on that list was Burson-Marsteller, which LightSquared owes nearly $265,000. Another $20,000 is owed to Mehlman Capitol Strategies, along with $35,000 to Shockey Scofield.

Paul Cordasco, a spokesman for Burson-Marsteller, said the firm is going through the “normal channels” to recover its money, but declined to specify whether that would include filings in LightSquared’s bankruptcy proceeding.

Now that the company has filed for bankruptcy, some of the decisions about which bills to pay will be up to the judge, though the source close to LightSquared said the firms will not be left out to dry.

“I don’t anticipate there are going to be problems with payment,” the source said.


Job recovery is scant for Americans in prime working years

Washington Post

By Peter Whoriskey, Published: May 29

The proportion of Americans in their prime working years who have jobs is smaller than it has been at any time in the 23 years before the recession, according to federal statistics, reflecting the profound and lasting effects that the downturn has had on the nation’s economic prospects.

By this measure, the jobs situation has improved little in recent years. The percentage of workers between the ages of 25 and 54 who have jobs now stands at 75.7 percent, just a percentage point over what it was at the downturn’s worst, according to federal statistics.

Before the recession the proportion hovered at 80 percent.

While the unemployment rate may be the most closely watched gauge of the economy in the presidential campaign, this measure of prime-age workers captures more of the ongoing turbulence in the job market. It reflects “missing workers” who have stopped looking for work and aren’t included in the unemployment rate.

During their prime years, Americans are supposed to be building careers and wealth to prepare for their retirement. Instead, as the indicator reveals, huge numbers are on the sidelines.

“What it shows is that we are still near the bottom of a very big hole that opened in the recession,” said Heidi Shierholz, an economist at the Economic Policy Institute, a left-leaning think tank.

The falloff has been sharpest for men, for whom the proportion had been on a slow decline before the recession. The percentage of prime-age men who are working is smaller now than it has been in any time before the recession, going all the way back to 1948, according to federal statistics. The proportion of prime-age women is at a low not seen since 1988.

The nation’s unemployment rate has shown signs of improvement, ticking down from 10 percent to 8.1 percent. But if it tallied people who have given up looking for jobs, it would certainly be higher.

The ratio of employment to population, which economists refer to as “epop,” “is a much better measure for what people are experiencing in the job market,” Shierholz said. “The unemployment rate is screwy right now because the labor market is so weak that people have stopped trying.”

For example, last month, the unemployment rate ticked down from 8.2 percent to 8.1 percent. Ordinarily, a drop in unemployment would be interpreted as a sign of improving economic health. But it dropped largely because so many people stopped looking for jobs.

Shierholz estimates that about 4 million workers have simply stopped looking, and so do not show up in the tally used for the unemployment rate.

As the presidential race heads into the summer, the health of the economy — and how voters view it — becomes critical, and for many people, the job market is their most significant contact with the economy.

According to the most recent Washington Post-ABC News poll, the issue of paramount interest to voters is the economy and jobs, with more than half describing it as the “single most important issue.”

By comparison, the next most important issue, health care, trailed far behind at 7 percent, and moral and family values followed at 5 percent.

The polls also show that, while the official statistics show improvement, voters offer gloomy economic diagnoses

About 83 percent of those in the poll, conducted in mid-May, rated the state of the economy as “poor” or “not so good,” a much higher portion of negative views than at any other time in the 10 years preceding the recession.

The job market “feels like a game of musical chairs — if you didn’t have a job when the market crashed, well, that chair is gone,” said Karen Akers, 50, of Vienna, who lost two jobs to budget cuts during the recession.

She just reentered the workforce in March, although at a lower salary in client relations at a sprinkler company.

“I don’t know that people trust any of these economic numbers these days, anyway, because they were all good before the crash,” she said. “Whatever economists are telling us, I don’t know that we can believe it any more than what we see in the job market — and what you find there is not good.”

Indeed, in interviews outside the unemployment office in Alexandria on Friday morning, people looking for work said that finding a job today, three years after the recession’s official end, seems just as hard as it did during the recession.

“In 2008, it was much easier — I got a job right away,” said 41-year-old Rob from Arlington, who last worked in sales for a defense contractor. Like other workers interviewed at the unemployment office, he declined to give his last name to protect his privacy.

“It’s definitely more negative, which really caught me off guard,” he said. “Employers have gotten used to doing pretty much what they want to do in this market.”

“I’m actually considering a position in retail,” said a 53-year-old Northern Virginia woman who had held a senior position in international sales and recently earned a master’s degree in management. She has been looking for a job for three years. “I can’t tell you how many women I know, one of whom was a bank vice president, who have already taken these kinds of jobs — they’re working at Joann’s Fabrics, Sur la Table and Crate & Barrel.”

The impact of these difficulties reaches far beyond those looking for work.

For those working, real wages have been stagnant since 2008, Shierholz said.

Moreover, the number of people quitting jobs — a figure that tends to rise when jobs seem plentiful and fall when they seem scarce — remains lower than it was at any time in the years leading up to the recession, according to government statistics.

Some of the workers have sensed a slight strengthening in their outlook, however: a few more calls, a few more openings, a few more interviews than they’d previously seen. Indeed, the “epop” figure for prime-age workers has risen since October.

Mark, 50, a heating and AC technician from Alexandria, was out of work in 2009 but found a job right away. He was laid off again about six months ago and, standing outside the Alexandria unemployment office, said it seems harder this time around.

“The economy is just really messed up right now,” he said.


Congress Taking No Action to Address ‘Fiscal Cliff’


May 29, 2012 – 9:42 p.m.

By Joseph J. Schatz, CQ Staff

With strong words on taxes and spending flying back and forth, it’s as if negotiations were under way toward resolving the “fiscal cliff” issues that will confront Congress and the country at the end of the year.

But in reality, nothing like that is happening. Neither side is ready to budge, and the increasingly aggressive rhetoric from Republicans and Democrats is aimed at reinforcing positions, closing party ranks and setting up the political dynamics that each side hopes will drive a post-election deal.

Despite warnings from the Congressional Budget Office, the Federal Reserve and others about dire economic consequences if taxes rise and spending drops as scheduled under current law come Jan. 1, no one is suggesting that anything will be resolved until voters are heard from in November.

Although no serious talks have occurred, party leaders have begun to stake out positions. Some Democrats are increasingly vocal in saying that they will use the $98 billion in automatic fiscal 2013 discretionary spending cuts as leverage to force Republicans to accept revenue increases. But while Republicans appear to remain dug in against tax hikes, Democrats are not of one mind when it comes to tax policy.

Republicans also could find themselves divided when the showdown occurs, and Speaker John A. Boehner, R-Ohio, will probably have his hands full once again as he tries to keep his House majority united.

The verbal skirmishing is occurring in what amounts to a political echo chamber, with each side trying to pin blame for the current impasse on the other side.

In mid-May, most Senate Republicans signed a letter to Majority Leader Harry Reid calling for a debate this summer on extending the 2001 and 2003 tax cuts that expire at year’s end and on reconsidering the defense portion of the automatic spending cuts scheduled to begin in January. In other words, the Democratic leader was urged to avoid the fiscal cliff by acceding to GOP positions.

Action on the tax rates or the spending sequester required under last summer’s debt deal (PL 112-25) before the fall elections has never been a real possibility, and the most likely alternative has become that lawmakers will kick major decisions into 2013 with some kind of short-term post-election truce.

That became even more clear when Republican presidential candidate Mitt Romney said that, if elected, he would want Congress to put off all major decisions until after he has taken the oath of office Jan. 20. “I would like to be able to deal with these issues on a structural basis, on a permanent basis as opposed to a stopgap effort that would require unraveling and re-evaluation,” he told Time magazine in an interview published May 23.

But there is at least some bipartisan resistance to action that would blunt the impact of the automatic budget cuts. Sens. Mark Warner, D-Va., and Tom Coburn, R-Okla., urged congressional leaders last week to prevent an outcome that delays the sequester until later in 2013 and thus reduces the pressure on lawmakers to reach an agreement by the end of this year.

Reid is taking the position that unless Republicans agree to make additional revenue part of the deficit-reduction equation, there will be no deal to alter the automatic spending cuts. “Unfortunately, it appears that Republicans’ blind adherence to tea party extremism is making it impossible to reach this sort of balanced agreement before the election,” the Nevada Democrat said in a letter last week responding to the GOP senators.


Support for Smaller Defense Budget

Although Republicans have sought to pressure Democrats into rolling back the defense cuts, which will account for half of the total spending reductions, Reid and Senate Democrats have held firm, seeing the impending cuts as their best leverage on taxes. There are signs of public support for a shrinking defense budget — underscored in a recent study by the Center for Public Integrity, the Program for Public Consultation and the Stimson Center — that may bolster their position.

What House Democrats will hold out for, however, is less clear. Minority Leader Nancy Pelosi, D-Calif., said the 2001 and 2003 tax cuts should be extended for all taxpayers except those with more than $1 million in annual earnings.

That is a departure from the $250,000 threshold the White House has used as the level where “wealthy” begins and beyond which the tax cuts should run out.

The $1 million level has been used before. Democratic proposals to levy a “millionaire’s tax” have been a constant feature of fiscal debate over the past year. But some liberal groups have raised alarms over what they see as a potentially substantial shift, and that may muddy the Democratic position on the George W. Bush administration tax cuts.

Senate Majority Whip Richard J. Durbin, D-Ill., prefers the $250,000 threshold, which is still the official White House position, and he noted that members of the Senate Democratic caucus have varying views on “whether $250,000 is too high, whether $1 million is too high.”


House to Vote on Tax Rates

House GOP leaders plan a vote before the August recess on extending all the current tax rates. “The Senate should join us in providing this very basic level of certainty prior to November,” Majority Leader Eric Cantor, R-Va., said in a May 25 memo to his caucus.

House Republicans may agree on that point, but after the election Obama or a President-elect Romney will be dealing with a volatile House Republican caucus unable to agree on many other big-ticket issues.

Boehner has made clear, very early in the process, that he will not support an increase in the federal debt ceiling unless it is accompanied by an equal amount of savings. The Speaker took the same position in last summer’s debt limit showdown. Democrats quickly declared that Boehner is promising another round of damaging fiscal brinkmanship.

Other observers, however, suggest that Boehner’s position can be read as a cry for help — an acknowledgment that, once again, it will be difficult to deliver Republican votes for a debt ceiling increase. That political dynamic is unlikely to change after Election Day.


White House threatens veto of bill that would extend fed pay freeze


By ANDY MEDICI | Last Updated:May 30, 2012

The White House is threatening to veto a House spending bill to pay for military construction and veteran programs in part because it would extend the current two-year pay freeze on federal employees for another year.

“A permanent pay freeze is neither sustainable nor desirable,” the Office of Management and Budget said in a statement of administration policy released Wednesday. It urged Congress to support President Obama’s proposed 0.5 percent pay raise for feds in 2013.

The administration also objects to a provision that would prohibit the use of project labor agreements for federal construction projects. Under these agreements, agencies set wage and benefit levels for workers with a union before construction begins.

The agreements “can provide structure and stability to large construction projects, and allow agencies to complete these projects more efficiently,” according to the statement.

The legislation provides $10.6 billion for construction projects — a $2.4 billion dip from this year’s funding level and $573 million less than what the administration requested.

But the administration said in the statement that, while the funding levels in the overall bill are “sufficient,” it would leave other agencies without enough funding to operate effectively.

At issue are the terms of the Budget Control Act passed last year by Congress. The law caps 2013 spending at $1.05 trillion. But a House-passed budget resolution caps spending at $28 billion less than that.

“The funding level would also degrade many of the basic government services on which the American people rely, such as air traffic control and law enforcement,” according to the statement.

On April 18, OMB’s acting director, Jeffrey Zients, told Rep. Harold Rogers, R-Ky., chairman of the House Appropriations Committee, in a letter that Obama will veto any 2013 spending bills that cut agency budgets below levels set in last year’s Budget Control Act.


Congress to consider giving more control of Internet to UN

By Jasmin Melvin

5/30/2012 9:23:02 PM ET

U.S. lawmakers will delve on Thursday into an international debate on whether to hand more control of the Internet to the United Nations, a move many fear would turn it into a political bargaining chip for censorship and global taxes on Web companies.

U.S. government officials are gearing up for a December meeting in Dubai where delegations from 193 countries will discuss whether the U.N. should have more say over how the Internet is organized and controlled.

Critics say that, under such a regime, each nation regardless of size has one vote, which could give China, Russia, Iran, Saudi Arabia and other countries greater ability to isolate their populations and silence political dissidents.

“What proponents of Internet freedom do or don’t do between now and then will determine the fate of the Net, affect global economic growth and determine whether political liberty can proliferate,” Robert McDowell, a Republican commissioner on the Federal Communications Commission, said in testimony prepared for Thursday’s hearing.

A House Energy and Commerce subcommittee is holding the hearing in what will be one of the highest-profile airings so far in the United States on the coming debate at the World Conference on International Telecommunications (WCIT) in December.

The U.S. government is trying to drum up support, both domestically and internationally, to preserve a decentralized Internet.

Obama administration officials held a closed-door meeting a few weeks ago at the White House with representatives from U.S. companies such as Comcast and advocacy groups such as the international nonprofit Internet Society to build solidarity.

( is a joint venture of Microsoft and NBCUniversal, a unit of Comcast.)

“This is one of those circumstances where I think it’s fair to say there’s absolute unanimity. I don’t believe you’d find any dissent at all to the view that we would like to keep the Internet free of inter-governmental controls,” said a State Department official, who was not authorized to speak on-the-record about the discussions.

The Internet is currently policed loosely, with technical bodies such as the Internet Engineering Task Force, the Internet Corporation for Assigned Names and Numbers and the World Wide Web Consortium largely dictating its infrastructure and management. The United States holds significant sway with those bodies.

U.N. treaty last revisited in 1988
When the delegations gather in Dubai, they will renegotiate a U.N. treaty last revisited in 1988 and debate whether to consolidate control over the Internet with the U.N.’s International Telecommunications Union (ITU).

The ITU is used to set communications standards, such as deciding when technologies can be labeled 4G and approving a standard for a universal telephone charger.

For many countries, it seems a natural progression for the ITU, formerly the International Telegraph Union in the 1800s, to morph into the International Internet Union in the 21st century. But for countries such as the United States the move is seen as dangerous.

The United States fears that authoritarian regimes will campaign for their initiatives by promising to back proposals from developing countries that would like to see tariffs on content-heavy Internet companies such as Google and Facebook.

“The votes of governments would be traded for considerations that have nothing to do with the Internet. That political horse trading is the hallmark of inter-governmental bodies,” said Steve DelBianco, executive director of NetChoice, a coalition whose members include AOL, eBay, Facebook, Oracle, VeriSign and Yahoo.

Seeking diplomatic approach
The House panel said in a memo released on Tuesday that there is bipartisan agreement that the United States should stand firm in opposing any treaty provisions at the WCIT that would give the U.N. substantial control of the Internet.

“Pending international proposals to regulate the Internet could jeopardize not only its vibrancy, but also the economic and social benefits it brings to the world,” the memo said.

The hearing will include testimony from Ambassador Philip Verveer, the deputy assistant secretary of state who will negotiate with other nations at the WCIT and help represent the United States in Dubai.

Vinton Cerf, regarded as one of the fathers of the Internet and now vice president and chief Internet evangelist at Google, and David Gross, the State Department’s former ambassador for international telecom policy and now a partner at Wiley Rein, will also testify.

Gross, who is appearing on behalf of an industry coalition that includes Google, Microsoft and News Corp, said in his prepared testimony that this is not the first attempt to centralize control over the Internet, pointing to UN talks in 2003 and 2005.

He said the United States must take a diplomatic approach that does not unnecessarily attack the UN’s telecommunications authority, but instead concentrates on countries seeking to impose government mandates on the Internet through the UN.

Gross called for a strong coalition between the United States and like-minded countries.

“This has been done before and it must be done again,” he added.

Additional reporting was done by Claire Davenport in Brussels.


Where the Drones Are

Mapping the launch pads for Obama’s secret wars.

Foreign Policy



Tuesday’sNew York Times features a blockbuster story, based on interviews with some three dozen current and former Obama administration officials, about the White House decision-making process behind the highly controversial U.S. policy of targeted killings. In it, we learn that while there are near-weekly interagency meetings with the 100 or so officials who compile the “kill list,” President Barack Obama is intimately involved in individual targeting decisions and most of the estimated 2,000 to 3,000suspected militants or terrorists killed by the United States outside the battlefield have died via drone strikes.


Share on twitter Twitter

Share on reddit Reddit


But Obama’s policy of killing by remote control is by no means new. Over the last decade, America’s overseas use of drones has expanded exponentially in scope, location, and frequency. Beyond their use across the battlefields of Afghanistan, Libya, and Iraq, U.S. drones have been used to target suspected militants and terrorists in Pakistan, Yemen, and Somalia, as well as to conduct surveillance missions over Colombia, Haiti, Iran, Mexico, North Korea, the Philippines, Turkey, and beyond.

To maximize flight time over these countries, the U.S. military and the CIA require a network of geographically dispersed air bases and the explicit support of host nations. Stationed at these bases are the drones and what’s known as the “launch recovery element” — the personnel who control the drones during take-off and landing, load and unload munitions, and provide routine maintenance. Many drones are based at long-established airfields in host countries that are quietly expanded and modernized by American engineers.

The countries that are willing to host U.S. drone operations have shifted as their political sensitivities have evolved. While the United States lost access to both Iraq and Pakistanin 2011, other host nations are more tolerant, albeit more evasive. For instance, a remote CIA airstrip in the Persian Gulf was reportedly completed in September, although the country remains publicly unidentified.

Given the politically sensitive nature of stationing U.S. government personnel or private contractorsto support drone operations in another country’s sovereign territory, it is impossible to identify and verify the complete architecture of air bases from which U.S. strike and spy drones fly. Many journalistsand researchers have previously written about American drone bases, from which this piece benefitted tremendously. The 12 bases that appear below, scattered across three continents, are but a representative sample of drone bases around the world compiled through publicly available information. There are assuredly others, perhaps at MasirahIsland Air Base in Oman or SocotraIsland Air Field off the coast of Yemen. We welcome updates and corrections.


Location: Incirlik, Turkey

Coordinates: 37, 35.26

Last November, Foreign Minister Ahmet Davutoglu announcedthat four U.S. Predator drones would be deployed to Incirlik,
a massive air base primarily used by U.S. and Turkish forces that serves as a staging point for regional air operations. (In general, four aircraft are required to provide around-the-clock surveillance over a particular area of interest — one airborne while the others take off, land, refuel, or undergo maintenance.) The four Predators are launched and recovered by 15 U.S. airmen from 414th Expeditionary Reconnaissance Squadron, while the Nevada-based contractor Battlespace Flight Services flies the drones. Real-time intelligence from the Predators is transmitted via satellite link to the combined intelligence fusion cell in Ankara. The cell, opened in November 2007 to process surveillance imagery from U.S. manned and unmanned systems flying over Iraq, is staffed by Turkish and U.S. military personnel working side by side to provide targeting information on suspected members of the Kurdistan Workers’ Party, or PKK, for strikes by Turkish F-16s in Turkey or Northern Iraq. According to reports, on Dec. 28, a Predator provided video imagery of a caravan of suspected PKK militants near the Turkish border. After Turkish officers directed the drone to fly elsewhere, Turkish aircraft attackedthe caravan with four sorties, reportedly killing 34 civilians.


Location: Jalalabad Airfield, Afghanistan

Coordinates: 34.40, 70.50

Both the U.S. Air Force and the CIA use Jalalabad Airfield as a launching pad for their fleets of Predator and Reaper drones. In August 2009, the New York Times reported, “Officials said the CIA now conducted most of its Predator missile and bomb strikes on targets in the Afghanistan-Pakistan border region from the Jalalabad base, with drones landing or taking off almost hourly.” In late 2011, when the Pakistani government kicked the remaining U.S. drones and their support personnel out of Shamsi air base, they were reportedly relocated to Jalalabad.

Location: Khost Airfield, Afghanistan

Coordinates:33.33, 69.95

Located adjacent to the western border of Pakistan, Khost — also known as Forward Operating Base Chapman — is under the operational command of the CIA. Khost houses CIA officers, operatives, and analysts who collect, assess, and interpret intelligence information as well as select suspected militants as targets. Because of its location in one of the most violent regions of Afghanistan, Khost also serves as a recruitment center for informants. It is perhaps best known as the site of a suicide bombing that claimed the lives of seven Americans on Dec. 30, 2009 — the deadliest day for the CIA since the 1983 bombing at the U.S. Embassy in Beirut. After the attack, the CIA retaliated swiftly with 11 attacks that killed nearly 100 suspected militants, marking one of the most intense periods of the drone program thus far.

Location: Kandahar Airfield, Afghanistan

Coordinates: 31.50, 65.85

Kandahar Airfield is one of the largest bases in Afghanistan. Run by the U.S. military, it serves as a major base for both surveillance and strike drone operations in Afghanistan, as well as intermittently into Pakistan to pursue suspected militants. The U.S. Air Force also shares some of the surveillance footage with Islamabad. It is also home to the RQ-170 Sentinel — nicknamed the “Beast of Kandahar” — an advanced surveillance drone that reportedlywas used to monitor the Abbottabad compound where al Qaeda leader Osama bin Laden was ultimately killed.

Shindand Airfield, Afghanistan

Coordinates: 33.39, 62.26

On Nov. 29, 2011, a CIA-controlled RQ-170 Sentinel drone flying out of the Shindadbase crashed140 miles inside Iran. (The United States began flying drones over Iran from Iraq as early as April 2004.) Although Iranian officials claimed to have downed the drone through electronic warfare, U.S. officials countered that the drone had suffered from a technical malfunction. Before the incident, the Sentinel had reportedlyflown undetected over Iran for three years, making hundreds of sorties over dozens of suspected nuclear weapons sites up to 600 miles into the country. U.S. officials claimthat Sentinel surveillance flights over Iran have continued despite the well-publicized crash.

Location: Al-Udeid Air Base, Qatar

Coordinates: 25.12, 51.32

Al-Udeid features the longest and most advanced runways in the Middle East, serves as a major transshipment site for American troops and resources headed to Afghanistan, and also hosts the Combined Air and Space Operations Center (CAOC), which relocated from Saudi Arabia in 2003. The airbase serves as a drone operations command and control center throughout the Middle East, including Iraq and Afghanistan, for the U.S. Air Force, which through CAOC manages day-to-day joint air operations. Lawyers are stationedat Al-Udeid 24 hours a day to approve drone strikes carried about by the U.S. military.

Location:Zamboanga, Philippines

Coordinates: 6.92, 122.06

The Philippine government reportedly allows the United States to fly unmanned surveillance drones to monitor militants from the al Qaeda-linked group Abu Sayyaf on the island Mindanao. The most active site is in Zamboanga, one of the locations where the Joint Special Operations Task Force-Philippines is based. U.S. drones are said to have provided the location of prominent Abu Sayyaf militants that were subsequently killed in an air strike carried out by the Philippines Air Force in February 2012.

Location: Al-Dhafra Air Base, United Arab Emirates

Coordinates: 24.25, 54.55

In January 2002, the 380th Air Expeditionary Wing (AEW) was deployed to Al-Dharfa to support operations in Afghanistan and the war on terrorism. At the time, there were only 300American servicemembers on the base. According to a diplomatic cablereleased by WikiLeaks, by September 2007 there were 1,300 Air Force personnel at Al-Dhafra. The 380th AEW also broughtmanned U-2 spy planes and the unmanned RQ-4 Global Hawk to the base. In 2005, an anonymous Air Force official stated, “There is a major Global Hawk operating base being built in the UAE.” According to Aviation Week and Space Technology, in June 2010 there were four Global Hawks at Al-Dhafra; by June 2011, there were six (five Air Force and one Navy). More recently, the United States has begun deploying F-22s, its advanced stealth fighter. According to Matthew Aid’s book Intel Wars, Global Hawks operating out of Al-Dhafra “fly daily [signals intelligence] and imagery collection missions along Iran’s borders with Iraq and Afghanistan and along Iran’s Persian Gulf coastline.”

Location: Al-Anad Air Base, Yemen

Coordinates: 13.18, 44.76

In the heart of the Lahij province in southern Yemen, the U.S. military works directly with Yemeni forces to monitor, target, and kill suspected militants affiliated with al-Qaeda in the Arabian Peninsula (AQAP), the local franchise of the global jihadist group. The close cooperation between the United States and Yemen was brought to light in a confidential cable published by WikiLeaks, which quotedthen President Ali Abdullah Saleh, “We’ll continue saying the bombs are ours, not yours.” U.S. drones often provide surveillance information to Yemeni forces to carry out assaults, as well as to launch airstrikes. According to the Long War Journal, the United States has conducted 21 airstrikes in the first five months of 2012, more than double the number in all of 2011.


Location: Arba Minch, Ethiopia

Coordinates: 6.04, 37.59

In January 2007, the U.S. Air Force carried outat least two attacks with AC-130 gunships against suspected Islamic militants in Somalia from a base in Ethiopia. After reports emerged with details of the attacks, the Ethiopian government expelled the U.S. military from that base. In October 2011, after four years of negotiations, the U.S. military was permitted to reestablish a presence in Ethiopia, with Reaper drones being flown out of the Arba Minch airfield for surveillance missions over Somalia.

Location: Camp Lemonier, Djibouti

Coordinates: 11.54, 43.15

Six days after the 9/11 attacks, President George W. Bush signed a Memorandum of Notification that authorized the CIA to kill a “high-value target list” of 24 al-Qaeda leaders. Included on this list was Abu Ali al-Harithi, mastermind of the attack on the U.S.S. Cole. On Nov. 3, 2002, a Predator drone killed Harithi and six others in Yemen, marking the first targeted killing outside of a battlefield. The drone reportedly originated and was controlled from Camp Lemonier. The CIA has also flown drones launched from Djibouti over Somalia, targeting militants affiliated with al Qaeda. Camp Lemonier has been the home of Combined Joint Task Force-Horn of Africa since 2003, and reportedlyhouses 3,500 U.S. personnel from various military and civilian agencies.

Mahe, Seychelles

Coordinates: -4.6700823, 55.5146885

In 2011, the U.S. military reopeneda base on the island nation of Seychelles — an archipelago roughly twice the size of Washington, D.C. — for a small fleet of armed MQ-9 Reaper drones. Although the Seychelles had previously served as a base for surveillance drones to track pirates in the Indian Ocean, classified U.S. government cables released by WikiLeaks revealed that drones have also carried out strike missions against al Qaeda affiliates in Somalia. According to another cable, Seychelles President James Michel requested — twice — that the inaugural launch of U.S. drones be documented with a photo-op or celebration. U.S. drone operations from the Seychelles have continued, as demonstrated by a MQ-9 Reaper crashing into the Indian Ocean after skidding off the runway in December 2011.


Micah Zenko (@MicahZenko) is a fellow and Emma Welch is a research associate with the Center for Preventive Action at the Council on Foreign Relations. Micah writes the blog Politics, Power, and Preventive Action.


States fight for drone biz

Six UAV test sites are up for grabs — and state governments are eager to get their hands on them

By Jefferson Morley

May 31, 2012

More than a dozen state governments across the country are scrambling to get into the drone business with the expectation that unmanned aviation will create new jobs in the near future.

This summer, they will begin competing for approval from the Federal Aviation Administration to run one of six unmanned aviation test sites around the country. Mandated by Congress earlier this year, the test sites are intended to demonstrate that unmanned vehicles can be integrated safely and quickly into U.S. airspace.

The domestic drone market is still small. In 2012, the civil unmanned aviation vehicle (UAV) market will account for only 1.4 percent of the $7 billion-plus drone industry, according to a recent industry survey. This year 98.6 percent of all UAV spending will pay for military applications. But the burst of interest in funding the establishment of the UAV test sites indicates many businesses and elected officials expect that to change soon.

The scope of the states’ plans emerge from more than 200 public comments submitted to the FAA earlier this year.

The state of Florida said it “intends to build a UAS [unmanned aviation system] test and operational range … in partnership with civil and military government agencies, academia and industry.”

The Ohio Unmanned Aircraft Systems Initiative aims to make Ohio “the destination of choice for all UAS researchers, developers, manufacturers, suppliers, trainers and educators.”

The Colorado Unmanned Aviation Systems Team, a consortium of 35 companies and agencies, hopes to do drone testing for the FAA throughout the state’s airspace.

A host of major defense contractors submitted comments on the test sites, including Sikorsky, Boeing, Northrop Grumman, Honeywell and Raytheon. And so did a number of universities, including University of Alaska at Fairbanks, the Georgia Tech Research Institute, Texas A&M, North Carolina State, Kansas State, and Embry Riddle Aeronautic University. Universities have taken the lead in getting FAA permission to fly drones in U.S. airspace.

But the most fully developed proposals for running the test sites are likely to come from state consortiums of industry, government and universities, which will put up the money to run the sites. The FAA is not providing any funding for the sites.

The U.S. armed forces are likely to play a role in the test sites, as several groups cited their collaboration with local military bases. The U.S. Air Force Research Laboratory, headquartered at Wright-Patterson Air Force Base just outside of Dayton, Ohio, is a major partner in the Ohio initiative, which is perhaps the most ambitious in the country. Another serious initiative is the Mid-Atlantic Unmanned Aircraft Test System Team, a venture backed by Virginia and Maryland, which touts its work with Naval Air Warfare Center, Naval Surface Warfare Center and NASA’s Langley Research Center.

Stan Van Der Werf, a retired Air Force Colonel who heads the Colorado effort, says the economic potential of domestic drones is “enormous” but dependent on the regulations that the FAA is now writing.

“The more freedom of movement the FAA allows, the greater the private business will be,” Van Der Werf said in a phone interview. “If unmanned vehicles have access similar to that enjoyed by manned aircraft, I think the commercial business will be ten times larger than the Department of Defense business.”

Brian Zinke, a state senator from Montana and head of the Center for Remote Integration, foresees using domestic drones for wildfire control, wildlife and livestock management, and agriculture crop optimization.

Several commenters to the FAA expressed concern about privacy. One woman wrote

Drones of all sizes can easily be weaponized, can easily gather data on citizenry via use of biometrics, and conduct surveillance without a warrant. These capabilities are draconian enough for wartime – but even their use in ‘war’ has not been fully thought out. …. As a retired air traffic controller, I know we have plenty of MOAs [military operations areas] and other restricted airspace already, so if the military wants to test drone systems there, they can go right ahead. Mixing privately owned UAS with piloted aircraft, either commercial or general aviation, is hopefully a long way off.

In comments to the FAA, the Electronic Privacy Information Center called for privacy protections to be written into regulations. Applied Research Associates, an engineering firm based in San Diego, argued privacy protections would benefit the industry.

“UAS manufacturers and operators must consider the risk of litigation and the effect that legal rulings will have on their ability to utilize this technology,” wrote one company engineer. “Research data should be collected to establish standards that protect citizens’ privacy rights and establish ‘best practices’ for industry. Such research will prevent the chilling effect that undefined legal responsibility has on innovation.”

The future of drones in America is a work in progress. The FAA will issue its criteria for the test sites and start accepting formal proposals in July. The six sites will be selected by December and are supposed to become operational in 2013.

Jefferson Morley is a staff writer for Salon in Washington and author of the forthcoming book, Snow-Storm in August: Washington City, Francis Scott Key, and the Forgotten Race Riot of 1835 (Nan Talese/Doubleday).



Is someone compiling information on federal employees?

By FCW Staff

May 30, 2012

The recently reported hacker attack on a contractor that works on the Thrift Savings Plan could be a sign of more trouble to come, according to reports.


As reported in NextGov, the target of the attack was Serco, a contractor to the Federal Retirement Thrift Investment Board. The attack resulted in unauthorized access to 123,000 TSP accounts and exposed the Social Security numbers of those account holders. It happened in July 2011, but the board learned of it from the FBI on April 11.

Now, reports Aliya Sternstein, cybersecurity experts worry that it could have just been the vanguard of a new wave of attacks against government computers.

One source that Sternstein cited was James Lewis, a cybersecurity analyst who advises the Obama administration and Congress. Lewis said he has the impression that “at least one smart country is building a database on [U.S. government] employees, using things like TSP and social networks.”

Meanwhile, Sen. Susan Collins (R-Maine) wants to know why the retirement board waited until late May to inform Congress of the breach.

Writing in the Federal Times, Stephen Losey reports the board reported the attack to the Senate Homeland Security and Governmental Affairs Committee on May 25. It reported it to the public the same day. Collins is the ranking Republican on the committee.

According to Losey’s report, it’s not clear when the FBI discovered the breach or why it waited until April 11 to inform the board.

As for the further delay in reporting to Congress and the public, Losey cited FRTIB external affairs director Kim Weaver, who said the data the FBI provided in April was unreadable at first.

“We had some data that was just strings of numbers,” Weaver said in the Times article. “You couldn’t tell what was a Social Security number, what was the day of the month, what was a payment amount, so it took quite a bit of time to get the data into a format where we could figure out the information.”


Weapons school integrates cyber warfare

by 1st Lt. Ken Lustig

99th Air Base Wing Public Affairs


5/31/2012 – NELLIS AIR FORCE BASE, Nev. — Every day, an invisible war is being fought on the world’s communication networks – a war the Air Force’s cyberspace warriors are training to win.

This June, eight students will complete the very first Cyber Weapons Instructor Course, taught at the 328th Weapons Squadron of the U.S. Air Force Weapons School, and join the ranks of the Air Force’s weapons officers. The WIC students are primarily cyber warfare officers, but the course also accepts qualified applicants from the intelligence, space & missile and engineer career fields.

Weapons officers are tactical experts trained in the art of battlespace dominance who instruct the Air Force’s instructor corps and serve as advisors to military leaders at all levels.

Although this cyber class is the school’s first, Maj. Brent Wells, 328th Weapons Squadron director of operations for the Cyber WIC, says the graduates’ accomplishment will ultimately reduce the distinction between cyber and traditional operational specialties.

“Although we ‘deep dive’ into the cyber curriculum during the first phase of our academics, what we’re really trying to get across to our students is this: You’re not a cyber officer first, not an intel or space officer first – you’re a weapons officer and your job is to provide advice and counsel to our leaders and be that expert on all Air Force capabilities,” Wells said.

“The purpose of this course is to refine these officers’ cyber skills and round them out by teaching them to be expert instructors, problem solvers, leaders and tacticians, ultimately teaching them how to integrate the cyber piece with the entire spectrum of Air Force and Joint capabilities,” he said.

To this end, all of the approximately 115 students from the USAFWS’ 18 weapons squadrons – each specializing in one of 24 ‘platforms’ (battle concepts or weapons systems) – are brought together at regular intervals and must rely on each other for critical knowledge and coordinated planning. After the first third of the course, the academics broaden to give all students a clear picture of how all of their capabilities are used in conjunction, both within the Air Force and with those of the joint services.

Wells said that the addition of the cyber WIC is part of a bigger Air Force effort to further integrate and operationalize its cyber capabilities.

“In the past, we have often thought of cyber in terms of monitoring networks and responding to trouble tickets – a maintenance mindset,” he said. “But as our adversaries become increasingly effective and sophisticated at engaging in the cyber realm, it is clear that the cyber domain has become a key terrain of the battlefield, and we have to move beyond the old way of thinking.”

Lt. Col. Bob Reeves, 328th Weapons Squadron commander, says the school’s space course was created in 1996; it addressed but did not deeply delve into cyber operations. The new cyber WIC was created in part to help the Air Force take its cyber capability in new directions.

“We want our graduates to transform and inspire our nation’s combat power, to bring the cyber piece to operational planning, but also to help build the cyber force to recognize that they are part of the overall picture and a capability we are providing to the combatant commander.”

Reeves said the lessons learned at weapons school are applied across the force.

It is not enough just to train our weapons officers. We are taking the lessons learned from our exercises and planning, and feeding that innovation into other exercises and even real-world operations where those techniques and tactics can be validated,” he said. “We take what works and export it.”


The high cost of savings

Washington Post

By Marjorie Censer, Published: May 25

Three years ago, the Pentagon began canceling the Army’s ambitious modernization program, which would have cost billions and created a sophisticated network of vehicles, drones and radios.

This kind of cut might appeal to politicians calling for significant decreases in government spending. But turns out, it’s not that simple. Even years later, the Defense Department and the Army are still negotiating with the contractor and estimate they’ll pay a fee of almost $500 million — on top of the roughly $19 billion an Army study estimated the service already paid for the complex program that never came to fruition.

With the Pentagon looking to trim its budget and politicians finding traction in urging government cuts, these cancellations could become all the more common and the government could face even more drawn out and expensive negotiations.

“With all of the budget pressures that agencies are going to be faced with … we are going to be seeing a lot more terminations, restructures and changes to contracts,” said Elizabeth A. Ferrell, chairwoman of McKenna Long & Aldridge’s terminations and contract restructures group, which was only established last year. Companies “believe that their programs are at risk.”

Contract termination is a complex legal process, but essentially the trouble starts when the government needs to terminate for convenience, rather than for cause.

If a termination is for cause or default — meaning something has gone wrong with the program — the government is off the hook. But if it’s for convenience — which is typically what happens — the government must pay the contractor the costs it will incur to shut down the contract.

Analysts and attorneys say the government is often in a position of weakness in these negotiations as contractors with expensive attorneys fight for large fees.

The Army confirmed this month that it expects to pay nearly $500 million — still $200 million shy of the level it anticipated — to close out with prime contractor Boeing the sprawling Future Combat Systems program, which began to shut down in 2009 when then-Defense Secretary Robert Gates cut its manned ground vehicle component.

The high-priority program was made up of multiple parts, including a family of vehicles, unmanned air and ground systems and high-tech radios, all connected by a network. While some pieces have been salvaged, the program as it was imagined was never built.

The vehicle cancellation fee alone is expected to hit about $164 million, according to the service.

In a statement, the Army said termination negotiations — being handled by the Defense Contract Management Agency — are still ongoing because the contractor has a year to present termination fee proposals. Most of those negotiations are expected to end in December; some are slated to continue until July 2013.

New contract language needed?

“I think contract termination costs are going to become an increasing consideration,” said Todd Harrison, a senior fellow at the Center for Strategic and Budgetary Assessments. The government has “got to do a better job, I think, from now on in writing contracts, thinking through what would happen if this contract were terminated at any given point.”

In the case of the Army’s FCS program, the contract’s payment structure was split between a fixed fee earned annually and an incentive fee paid out incrementally based on achieving key goals. Boeing was able to earn part of those fees even before the goal event, said Paul Francis of the Government Accountability Office.

“The contractor could earn 80 percent of its fee by the time it got to critical design review, and really it’s not until that point that you have information about whether this is a going concern or not,” he said.

Gates cited its contract structure as one of the program’s many flaws when he began the process of unraveling it, first by canceling the vehicle piece. Eventually, the Army found itself negotiating to terminate most pieces of the complex program.

“Boeing continues to cooperate with the Army on termination negotiations,” the company said in a statement. “Since discussions are ongoing, we’d prefer not to speculate on the conclusion.”

Cheaper to just continue

Under government regulations, once a program is terminated, the contractor must stop work and terminate its subcontracts with other companies, according to a GAO report on terminations. It creates a termination inventory of the materials it has made or bought and submits a settlement proposal for what it believes the government owes.

These proposals typically have three parts: costs the company has incurred for the work it’s done, which can include direct costs such as materials and indirect such as overhead; a fee or profit on that work; and termination costs, which are generally related to putting together the settlement proposal, negotiating with subcontractors and dealing with the unneeded inventory.

In some cases, the Army has said letting a program go forward — even if unwanted — would be preferable to paying high termination fees.

At a 2011 hearing, Army Secretary John McHugh told Congress that the service planned to move forward with what’s known as a “proof of concept” for the Medium Extended Air Defense System, a missile program developed in cooperation with Italy and Germany.

Even though the proof of concept was set to cost hundreds of millions, McHugh said it made more sense than the alternative.

“If we withdrew this year, there are substantial withdrawal fees that the United States would have to bear and pay into the program that would not make it a wise decision,” McHugh said.

Harrison argues there can be other considerations as well.

“If you cancel a program for a major platform that you’re going to need eventually, then you have to restart a new program and redo a lot of the development program,” he said. “You end up doing a lot of the same work again, so you don’t actually save any money in the long run.”


Flame Malware’s Ties To Stuxnet, Duqu: Details Emerge

All three pieces of malware seemingly commissioned by the same entity and developed on the same platform, but by different groups of developers, security researchers say.

By Mathew J. Schwartz, InformationWeek
May 31, 2012

Three of the most high-profile pieces of malware to have been discovered in the past two years have been Stuxnet, Duqu, and as of this week, Flame. Now, researchers are suggesting that whoever commissioned Stuxnet and Duqu also ordered up Flame.

“We believe Flame was written by a different team of programmers but commissioned by the same larger entity,” Roel Schouwenberg, a security researcher at Kaspersky Labs, told
The New York Times. But he declined to name the larger entity–or nation states–that he thought had commissioned Duqu.

If the three different malicious applications share a common origin, each appears to have been designed for a different purpose. Duqu, for example, was cyber-espionage malware created “to act as a backdoor into the system and facilitate the theft of private information,” said Kaspersky Lab security researcher Ryan Naraine in a blog post. The private information in question, according to Kaspersky Lab, included nuclear facility blueprints and industrial control system schematics. Duqu was first discovered in September 2011.

According to Kaspersky Lab, Duqu’s developers appeared to keep to Jerusalem time, and notably didn’t work on the Jewish Sabbath–occurring between Friday evening and Saturday evening–in which some Jews observe a day of rest, The New York Times reported Wednesday.

Meanwhile, Stuxnet–first discovered in June 2010–was designed to sabotage the high-frequency convertor drives used in a single uranium enrichment facility in Iran. Notably, the malware adjusted the speed of the drives to run at very high and low frequencies, while reporting normal behavior via the industrial control system software interface that ran the machines. The result was destroyed centrifuges and uranium that hadn’t been enriched.

Kaspersky Lab researchers last year had already noted that Stuxnet and Duqu appeared to have been developed by the same team, on the same platform, which appears to have been used between 2007 and 2011. Furthermore, they suspected that additional malware–even if it hadn’t yet been found–would have also been created using the platform. Timing-wise, according to AlienVault, Flame fits into that scenario, as at least one component in Flame was first compiled in 2008, while later modules date from 2009, 2010, and 2011.

While the Stuxnet malware was designed to spread automatically, the Duqu Trojan would only infect PCs when ordered to do so via its command-and-control channel. Likewise, the Flame malware–which may have infected just 1,000 PCs–only spread to designated PCs, which made it tough for security vendors to spot or stop. “Flame has been operating under the radar for at least two years, which counter-intuitively may partially be attributed to its large size,” according to a blog post from Websense.

Another similarity between the three pieces of malware is that while they might be complex, and all targeted known zero-day vulnerabilities–which can be purchased on the black market–they used coding capabilities that had been seen before. (Although in the case of Stuxnet, no one had ever seen such capabilities being used by malware to cause physical damage.) “While it really doesn’t do anything we haven’t seen before in other malware attacks, what’s really interesting is that it weaves multiple techniques together and dynamically applies them, based on the capabilities of the infected system,” according to Websense.

Researchers are continuing to study Flame to unravel how it works, and the task is made difficult by the malware’s size. Notably, it starts out with an initial infection that’s between 900 K and 6 MB in size, but which can grow to 20 MB after additional modules have been loaded onto a PC. “This is a lot of code, and a lot of possibility,” said Bob Reny, a systems engineer at network access control vendor ForeScout Technologies, via email.

“The number of different components in W32.Flamer is difficult to grasp,” according to an analysis from Symantec. “The threat is a well-designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into ‘apps’ and the attackers even appear to have something equivalent to an ‘app store’ from where they can retrieve new apps containing malicious functionality.”

Another interesting new Flame finding suggests that its builders may have been native English speakers. According to an analysis from Alexander Gostev at Kaspersky Lab, units in various modules sport names such as Beetlejuice (discovers nearby Bluetooth devices), Microbe (records audio), Infectmedia (infects USB drives), Euphoria (launches Flame), Limbo (creates backdoor on system), Frog (infects predefined accounts on machine), Weasel (lists the computer’s directory), Gator (connects to C&C server), and Suicide (removes all files connected to Flame). Meanwhile, the purpose of other discovered units in modules, sporting with names such as Bunny, Driller, Headache, and Gadget, has yet to be determined.

FBI: New Internet addresses could hinder police investigations

As the Internet prepares to celebrate World IPv6 Day next week, law enforcement is worried the transition could hinder legitimate investigations. Some tech companies agree it’s a concern.

Declan McCullagh

May 31, 2012 11:58 PM PDT

The FBI tells CNET that the IPv6 transition may require it to develop “additional tools” for surveillance.

The FBI is worried that an explosion of new Internet numeric addresses scheduled to begin next week may hinder its ability to conduct electronic investigations.

A historic switchover that will give the Internet a nearly inexhaustible supply of network addresses — up from the current nearly exhausted total of 4.3 billion — is planned for next Wednesday. AT&T, Comcast, Facebook, Google, Cisco, and Microsoft are among the companies participating.

Side effects from the transition to Internet Protocol version 6, or IPv6, “could have a profound effect on law enforcement,” an FBI spokesman told CNET. “Additional tools” may need to be developed to conduct Internet investigations in the future, the spokesman said.

That’s one reason the FBI recently formed a new unit, the Domestic Communications Assistance Center in Quantico, Va., which is responsible for devising ways to keep up with “emerging” technologies. CNET was the first to report on the formation of the center in an article last week.

While Wednesday’s World IPv6 Day is only one step in the transition to the next-generation system, it’s expected to mark the beginning of a gradual decline in popularity of the outgoing IPv4 standard. The participating Internet providers will begin to switch over a fraction of their residential subscribers on Wednesday, and router makers will enable IPv6 by default for their products. (Here’s an IPv6 FAQ.)

That’s what worries the FBI, which has been meeting quietly with Internet companies to figure out how its agents can maintain their ability to obtain customer records or perform court-authorized surveillance.

“This is a very real concern,” says Jason Fesler, Yahoo’s IPv6 evangelist. It will “impact a service provider’s ability to readily respond to legal requests from law enforcement agencies,” according to the Broadband Internet Technical Advisory Group, or BITAG, which counts AT&T, Cisco, Comcast, Time Warner Cable, Google, and Microsoft as members.

D-Link, the Taiwan-based company that’s one of the largest makers of routers and networking gear worldwide, agrees. “D-Link is aware of potential issues concerning IPv6 and law enforcement concerns that are currently being assessed,” a company spokesman said. “D-Link is committed to IPv6 support and will comply with any future guidelines.”

The Internet engineers who recognized the need for more addresses as far back as the 1980s, and began sketching out what became IPv6 over two decades ago, didn’t intend to create headaches for police agencies. Instead, it was an unintended consequence of the hybrid technologies that were created to allow IPv4 and IPv6 connections to share one network during the transition.

Once IPv6 is near-universally adopted, it’s likely to prove a boon to police, a fact that some law enforcement representatives privately acknowledge. That’s because each device —tablets, phones, refrigerators, lawn-mowing robots, and so on — will sport its own unique Internet address.

So far, the FBI is taking a wait-and-see approach to the transition, saying that “it is too early to know the extent of the impact of IPv6 upon law enforcement until more providers deploy it.”

The bureau’s concern about IPv6 is one component of what it calls the “Going Dark” problem, meaning that the surveillance capabilities of police may diminish as technology advances. CNET was the first to report that the FBI is asking Internet companies not to oppose a controversial proposal crafted in response to Going Dark that would extend the Communications Assistance for Law Enforcement Act (CALEA) to the Web.

FBI’s GCN problem: the technical details
At the moment, if someone suspected of committing a crime is posting about it on Facebook, for instance, police can obtain a court order to trace an IPv4 Internet address such as back to a single household.

But the exhaustion of IPv4 addresses is prompting many Internet providers to embrace a transitional technology called carrier-grade Network Address Translation, or CGN, that allows a single Internet address to be shared by hundreds of homes, or even an entire town, at the same time. It’s common to have 1,000 people share one Internet address.

That means it’s no longer enough to know that someone’s publicly visible address is

Facebook and other Web sites that want to trace a network connection back to a person — for their own anti-abuse purposes or to assist law enforcement — will need to log the IP address and also what’s known as the port number. (Port numbers, such as assigning one household the range 12000-12009, are how hundreds of households can share a single Internet address simultaneously.)

In addition, an Internet provider using CGN also will have to keep logs of which port numbers map to which customer.

“You will need more,” Keith O’Brien, a Cisco distinguished engineer, told the High Technology Crime Investigation Association this month. O’Brien said increased use of CGN “will require more information to be gathered in order to accurately identify a subscriber.”

O’Brien suggested to his audience that, when conducting investigations, they should ask Web sites for the Internet address address, the exact time, and the source and destination ports that were in use.

Fesler, Yahoo’s IPv6 evangelist, said that in addition to storing IP addresses, his employer is now recording the source port from which its users are connecting. “Only with the combination of time, address, and source port, will any Internet service provider have any chance of checking their logs, and associating that information back to a specific subscriber,” he said.

Last summer, engineers from AT&T, Yahoo, and Juniper Networks jointly published “Logging Recommendations for Internet-Facing Servers,” which the Internet Engineering Steering Group approved as a best-practices document called RFC 6302. It recommends that anyone operating a Web server record the source port number of inbound connections down to the precise second “to support abuse mitigation or public safety requests.”

One inevitable side effect of all this extra logging is the expense: detailed logs consume an extraordinary amount of storage.

CableLabs, a research and development organization founded by the cable industry that counts representatives of Comcast, Rogers Communications, and Time Warner Cable on its board, says the log size is immense. It estimates the average subscriber opens 33,000 connections per day, which means 1.8 petabytes per year per million subscribers just for logging.

But, says Chris Donley, CableLabs’ project director for network protocols, there’s a way to chop log sizes. It involves assigning port ranges in advance to specific Internet addresses, which will reduce log volumes in the range of 100,000- to one million-fold, he estimates.

Law enforcement representatives like the idea, Donley says. “It will make it easier for ISPs to respond to public safety requests without requiring onerous infrastructure on either the ISP or public safety part,” he said. “We’ve been meeting with a number of public safety agencies roughly quarterly to discuss this approach.”

Not all Internet providers are using CGN. Comcast, for instance, has taken a different approach using what’s known as a “dual stack,” meaning their customers’ computers will run IPv4 and IPv6 simultaneously.

Increased logging can also lead to privacy concerns. “We have urged providers not to log information that they don’t need for their own provision of services, even if someone else might want the information or they hypothesize that it might be valuable someday,” says Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation in San Francisco.

And mandatory logging — required by an FBI-backed bill that a House of Representatives committee approved last year — would be especially problematic for smaller Internet providers. “We couldn’t retain records” even under the smaller data requirements of IPv4, says Brett Glass, owner of, a local Internet provider in Laramie, Wy. “There would be too much volume.”

“There is no doubt that the wiretappers are being left behind and challenged,” says one attorney who represents telecommunications providers. “It is just a question of whether you have an always-on storage of everyone’s activity for law enforcement’s benefit when the Federal Trade Commission is suing you for overcollection in other contexts, and less intrusive measures can be used.”

Live IPv6 wiretaps
In theory, intercepting IPv6-only traffic isn’t any different from intercepting IPv4 traffic. Readily available sniffing tools such as tcpdump, Ethereal, and Wireshark can decode IPv6 packets. In practice, however, some hurdles can arise.

CALEA: The 1994 law called CALEA resulted in industry standards requiring telecommunications companies to make their networks readily wiretappable by police. But those standards, including one element called CACmII (which stands for the awkwardly-titled phrase Content-Associated Communications Identifying Information), are incompatible with IPv6.

During a presentation at a networking conference last fall, AT&T researchers warned (PDF) that “the standards are steps behind the industry evolution” to IPv6.

Encryption: Any computer with IPv6 has built-in encryption called IPsec (which can also be available with IPv4). The New York Times reported in 2010 that the FBI was lobbying for a law requring telecommunications companies offering encryption to build in backdoors for law enforcement, a requirement that would likely cover IPsec, but the bureau distanced itself from that idea a few months later.

“The frequency of use should increase with IPv6,” predicts a network engineer at, an Internet provider in Santa Rosa, Calif. “None of this is good news for law enforcement organizations.”

But some of the technical details are challenging, and IPsec is still not widely used. Neither are HTTPS encrypted connections; Arbor Networks estimates that only 2 percent of native IPv6 traffic is HTTPS, not counting file sharing traffic.

Tunneling: A technology called Dual-Stack Lite, or DS-Lite, is designed to help with the transition by wrapping an IPv6 packet around an IPv4 packet, which can be faster than other methods.

It, too, can cause problems with wiretaps. An Internet draft published in March by representatives of Telecom Italia and France Telecom acknowledges DS-Lite can hinder eavesdropping. “A single IPv4 address, or some range of ports for each address, might be set aside for monitoring purposes to simplify such procedures,” they recommend.

The FBI says it’s paying close attention to these aspects of IPv6: “Some of the optional capabilities will determine whether existing law enforcement tools and techniques will continue to support lawfully authorized collections or additional tools will need to be developed.”


Where does all the oil go?


Posted May 31, 2012 at 3:14 pm

“To reduce our reliance on foreign oil, we need more [insert wind, solar, natural gas, nuclear, or other energy sources here.]” This is a typical call we’ve heard many times from many sources, but the truth is that unless we can diversify the energy which creates mobility in this country, we will remain beholden to one highly price-volatile global commodity—oil—the lifeblood of the transportation sector which powers 94% of all transportation. If we want to be less reliant on foreign sources of oil, then we must look at how we use oil, and understand that this fuel source’s monopoly on our transportation sector is the real problem at hand. That is why, even though it’s fun to talk about all the different potential sources of power generation to explore, the only way to reduce oil dependence is by bringing other fuel sources into this vital sector. Most feasibly, electric vehicles for personal transportation, and natural gas for heavy duty trucks, are viable solutions capable of providing this diversity. Furthermore, we have the electricity, and we have the natural gas, we simply aren’t using it within the transportation sector. Just take a look at this section of an energy-usage visual that the Congressional Budget Office released earlier this month:

Oil and transportation are like squares and rectangles: not all oil is transportation, but all transportation is oil. Why is this a problem? Because every time the oil market moves, it has a direct impact on the budgets of people and businesses and directly impacts the health of the economy. With this graphic, CBO defines energy securing as “the ability of households and businesses to accommodate disruptions of supply in energy markets,” and by this definition we are extremely energy insecure. When compared with the healthy mix of (domestic) sources powering the electrical grid and the true advantages of electric vehicles become apparent. Some other important observations:

  • Petroleum is the largest share of the nation’s energy mix at 37%; transportation is the most expensive use of energy at $533 billion annually.
  • Since 1991 gasoline’s price volatility has ranged from between 0.5 to 3.5 (with prices in January 2000 indexed at 1.0); electricity has remained between 1.0 and 1.5 during the same 21 year period.
  • “No country is independent of the world oil market. Canada, a net exporter of oil, experiences the same prices changes as Japan, which imports all of its oil.”

Obama Order Sped Up Wave of Cyberattacks Against Iran

NY Times
Published: June 1, 2012

WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran‘s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

A Bush Initiative

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

Eventually the beacon would have to “phone home” — literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant. Expectations for the plan were low; one participant said the goal was simply to “throw a little sand in the gears” and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.

Breakthrough, Aided by Israel

It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.

Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.

The unusually tight collaboration with Israel was driven by two imperatives. Israel’s Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.

Soon the two countries had developed a complex worm that the Americans called “the bug.” But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran’s P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.

When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed “destructive testing,” essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department’s national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.

Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant.

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data.

“Somebody crossed the Rubicon,” he said.

Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.

The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.

The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.

“The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.

But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice.

The Stuxnet Surprise

Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a major study on how to improve America’s defenses and announced it with great fanfare in the East Room.

What he did not say then was that he was also learning the arts of cyberwar. The architects of Olympic Games would meet him in the Situation Room, often with what they called the “horse blanket,” a giant foldout schematic diagram of Iran’s nuclear production facilities. Mr. Obama authorized the attacks to continue, and every few weeks — certainly after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.

“From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision,” a senior administration official said. “And it’s safe to say that whatever other activity might have been under way was no exception to that rule.”

But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”

In fact, both the Israelis and the Americans had been aiming for a particular part of the centrifuge plant, a critical area whose loss, they had concluded, would set the Iranians back considerably. It is unclear who introduced the programming error.

The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a variant of the bug was replicating itself “in the wild,” where computer security experts can dissect it and figure out its purpose.

“I don’t think we have enough information,” Mr. Obama told the group that day, according to the officials. But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.

Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games was still on.

A Weapon’s Uncertain Future

American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, “has been overwhelmingly on one country.” There is no reason to believe that will remain the case for long. Some officials question why the same techniques have not been used more aggressively against North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. “We’ve considered a lot more attacks than we have gone ahead with,” one former intelligence official said.

Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

This article is adapted from “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” to be published by Crown on Tuesday.

A version of this article appeared in print on June 1, 2012, on page A1 of the New York edition with the headline: Obama Order Sped Up Wave Of Cyberattacks Against Iran.

From → Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: